PCI DSS Compliance - what you need to know

What is PCI DSS?
- PCI DSS: Payment Card Industry Data Security Standard
- A set of rules laid out by the PCI Security Standards Council to protect cardholder data (CHD) from unauthorised access
- We have Ofcom and ICO compliance standards, but there is no certification process, so why do we need PCI DSS certification?
- "Trust but Verify" is a phrase that has been used in various industries and political situations; it is highly apt when you think of the PCI DSS regulations
- There is Trust that organisations are complying with PCI DSS
- To Verify to a third party that an organisation is complying, there is a mixture of self-assessment and independent assessment processes

So what difference does it make if I'm not certified?
- Businesses request proof that their service providers are certified
- Service providers often use their clients' merchant accounts
- Increasingly a pre-requisite on tenders
- Acquiring banks are already required to ensure that their clients are compliant, and they can only do this through certification
- Acquiring banks can withdraw services if they choose
- New applications are refused without certification

Why is PCI DSS necessary?
- Key drivers for regulation and compliance:
  - Protecting consumers from payment card fraud
  - Protecting organisations from exposure to liability
  - Protecting brand reputation
  - Protecting banking institutions
- Compliance with the PCI DSS standards should mean IT systems are secure and customer data, including the data provided when making payments, is also secure

How do you gain certification?
- External certification
- Compliance statuses are labelled "Levels"; the criteria for these levels are determined by the supplying merchant card provider
- External certification by a QSA (Qualified Security Assessor): onerous, time consuming, expensive
- ASV = Approved Scanning Vendor

Types of certification: external certification by a QSA
- Time consuming
- Costly
- So why would anyone do it?

Types of certification: self-certification
- The PCI DSS self-assessment process enables companies to formally declare their compliance status to anyone that asks
- The document is known as the Attestation of Compliance (AoC)
- It consists of a series of declarations about a business's card processing activities, their infrastructure and processes, and how they meet the PCI DSS standards
- There are multiple categories of self-assessment, some more onerous than others
- Quicker, and can be significantly less expensive
- The same PCI DSS standards still need to be maintained!

Self-certification process

PCI DSS self-assessment categories

In the event of a card data loss, what difference would it make if I had achieved certification?
- What happens if a breach of card data occurs?
  - Reputational loss
  - Liability for the breach:
    - Cost of the PCI forensic investigation
    - Fine by the merchant provider
    - Ultimate sanction: removal of the card processing facility
    - Cost of the fraud carried out on the breached cards
- Certification DOES provide:
  - Customer confidence
  - Mandatory documentation for the merchant provider and business clients
- Certification DOES NOT provide:
  - Liability protection

In the event of a card data loss, what difference would it make if I had achieved certification?
- Certification DOES NOT provide liability protection
- Self-certification does not shift liability away from the contact centre in any way
- The liability to the merchant bank cannot be moved, but it can be covered by:
  - External certification from a QSA who contractually offers indemnity
  - Outsourcing the card data processing to a supplier that has itself been externally certified, and thus can provide an enforceable contract covering the liability

What is the easiest route to certification?
- Reduce the scope of what needs to be evaluated for certification
- Self-certification: the easiest process is SAQ A, if eligible
- Outsource the entire card processing procedure:
  - The service provider must have achieved Level 1 certification (externally certified)
  - Ensure liability is covered by the service provider contract

Why is scope so important?
- Scope generally refers to the Card Data Environment (CDE): everything and everybody that comes into contact with the card data
- PCI DSS controls within the card data environment are very strict, so reducing the scope is highly beneficial to the process and is inherently more secure

Understanding scope
- Mandatory: CVV data must not be recorded
- Compensating controls (redaction, encryption): not acceptable
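The slide says the CVV must never be recorded and that redacting or encrypting it afterwards is not an acceptable compensating control, so the useful detective check is one that finds stored security codes outright and flags PAN storage for scope review. The script below is an added example, not part of the original presentation; it scans constructed contact-centre call notes (standard test PANs, made-up codes) and masks any PAN it reports so the finding does not become another copy of the data.

```python
import re

# Constructed sample of exported contact-centre call notes (not real data;
# the PANs are the well-known test numbers, the security codes are made up).
SAMPLE_NOTES = [
    "call=1001 agent=amy note='paid with 4111 1111 1111 1111 exp 12/26 cvv 123'",
    "call=1002 agent=bob note='card ending 1111, security code not captured'",
    "call=1003 agent=cat note='pan=5555-5555-5555-4444 cvc2: 987'",
    "call=1004 agent=dan note='order 1234567890123 ref 456'",
]

# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A security-code label followed closely by a 3- or 4-digit value.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security code)\b\D{0,5}(\d{3,4})(?!\d)", re.I)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check; filters order numbers and other digit runs out of the PAN matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid candidate PANs with separators stripped."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in CANDIDATE_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]


def mask(pan: str) -> str:
    """Keep first six and last four digits only (the usual truncated display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_note(note: str) -> dict:
    """Any stored security code fails outright; a stored PAN puts the record in CDE scope."""
    pans = find_pans(note)
    cvv_present = CVV_RE.search(note) is not None
    if cvv_present:
        verdict = "FAIL: security code stored"
    elif pans:
        verdict = "REVIEW: PAN stored, record is in CDE scope"
    else:
        verdict = "OK"
    return {"pans": [mask(p) for p in pans], "cvv_present": cvv_present, "verdict": verdict}


def audit(notes: list[str]) -> list[dict]:
    return [audit_note(n) for n in notes]


if __name__ == "__main__":
    for note, result in zip(SAMPLE_NOTES, audit(SAMPLE_NOTES)):
        print(note.split()[0], result["verdict"], result["pans"])
```

Run it against an export of agent notes, ticket comments or recording metadata; anything reported as FAIL is data that should never have been captured, whatever protection was applied to it afterwards.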

What is the easiest route to certification?
- Certification can be achieved by moving the entire card collection process outside of the business, managed by an externally certified third party; SAQ A then becomes a viable option

Conclusion
Achieving PCI DSS certification is not a straightforward process; it takes time and investment, but it is a necessity. The work involved in meeting the standards is costly, yet the benefits far outweigh the cost of a breach, and certification is relatively inexpensive for most. Working with PCI DSS certified service providers enables businesses to give end customers the confidence that their financial information is being protected, employees the reassurance that they are not being inadvertently exposed to customer data, and organisations the ability to demonstrate that they care about customer experience and compliance.