Josiah Wilkinson Internal Security Assessor Nationwide
Agenda
  * Payment Card Industry Overview
  * PCI Governance/Enforcement
  * PCI Data Security Standard
  * Penalties for Non-Compliance
  * Keys to Compliance
  * Challenges
Nationwide 2
Overview
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of security requirements for companies that accept credit cards, defined by VISA and MasterCard and endorsed by the other major card brands. The PCI DSS applies to all merchants and service providers that store, transmit, or process the primary account number (PAN) of credit card transactions. The level of auditing and control required depends on the annual number of transactions processed.
Merchant Levels

Level 1
  Description:
    * Any merchant, regardless of acceptance channel, processing over 6,000,000 payment card transactions of a single card brand per year
    * Any merchant that has suffered a hack or an attack that resulted in an account data compromise
    * Any merchant that the payment card company, at its sole discretion, determines should meet the Level 1 merchant requirements
    * Any merchant identified by any other payment card brand as Level 1
  Validation Action:
    * Annual on-site PCI data security assessment
    * Pass quarterly network scans
  Validated By:
    * Qualified Security Assessor, or Internal Audit if certified as qualified by the PCI Council and signed by an officer of the company
    * Approved Scanning Vendor

Level 2
  Description:
    * Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 payment card transactions of a single card brand per year
  Validation Action:
    * Annual on-site PCI data security assessment
    * Pass quarterly network scans
  Validated By:
    * Qualified Security Assessor, or Internal Audit if certified as qualified by the PCI Council and signed by an officer of the company
    * Approved Scanning Vendor

Level 3
  Description:
    * Any merchant processing 20,000 to 1,000,000 payment card e-commerce transactions per year
  Validation Action:
    * Annual PCI Self-Assessment Questionnaire
    * Pass quarterly network scans
  Validated By:
    * Merchant
    * Approved Scanning Vendor

Level 4
  Description:
    * Any merchant processing fewer than 20,000 payment card e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 payment card transactions per year
  Validation Action:
    * Annual PCI Self-Assessment Questionnaire
    * Pass quarterly network scans
  Validated By:
    * Merchant
    * Approved Scanning Vendor
Governance/Enforcement

[Diagram, reconstructed as a flow]
  PCI Security Standards Council
    Provides the standard (PCI DSS)
  Credit Card Brands: VISA, MasterCard, AMEX, Discover, JCB (Diners Club)
    Provide standards (PCI DSS) to, and enforce them on, the card processors
  Credit Card Payment Processors
    Provide standards (PCI DSS) to, and enforce them on, merchants
  Merchants
    Includes Nationwide and affiliates
Data Security Standard (DSS)
The PCI DSS is a set of granular security requirements based on the following control objectives and subcategories:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Methods
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
Scope
Requirements apply to all system components (network component, server, or application) connected to the cardholder data environment:
  * Network: firewall, switch, router, wireless access points, etc.
  * Server: web, database, authentication, mail, proxy, domain name
  * Application: all purchased and custom applications

Version 2.0 is the current standard, released in October of 2010. PCI DSS v2.0 includes approximately 240 control requirements.
Example Requirements
  * 3.4 - Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
  * 3.5 - Protect any keys used to secure cardholder data against disclosure and misuse.
  * 6.5 - Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes.
  * 8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
  * 10 - Track and monitor all access to network resources and cardholder data.
  * 11.5 - Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
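Requirement 11.5 above is the one that is easiest to show in code: take a baseline of critical files, then compare the current state against it and report what was added, removed or modified. The following is an added example written for this page; it is not code from the slides or from Nationwide's tooling, and the monitored directory tree, file names and "unauthorized" changes are constructed inside a temporary directory so it runs offline.

```python
"""Baseline-and-compare file-integrity check in the spirit of PCI DSS
requirement 11.5. Added example; the monitored tree is constructed in a
temporary directory so the script runs stand-alone."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX separators) to its
    hash and permission bits. Permission bits are recorded because a chmod on a
    config file is also a change an operator wants to know about."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "mode": p.stat().st_mode & 0o777}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files between two snapshots."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate three changes that
    were not part of any approved change and see that each one is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "httpd.conf").write_text("Listen 443\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "payment-svc").write_bytes(b"\x7fELF constructed binary")
        baseline = build_baseline(root)

        (root / "etc" / "httpd.conf").write_text("Listen 443\nListen 8080\n")  # edited config
        (root / "bin" / "payment-svc").unlink()                                # critical file removed
        (root / "etc" / "unexpected.conf").write_text("x=1\n")                 # new file appeared
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would add around this core: the baseline has to live somewhere the monitored host's administrator cannot rewrite it (off-host, or signed with a key the host does not hold), otherwise whoever changed the file can also change the record of it; and the comparison must actually run on a schedule of at least weekly, with every reported difference reconciled against an approved change, or the requirement is met on paper only.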
Network Segmentation
Network segmentation, or isolating (segmenting) the cardholder data environment from the remainder of the corporate network, is not a PCI DSS requirement. However, it is recommended as a method that may reduce:
  * The scope of the PCI DSS assessment
  * The cost of the PCI DSS assessment
  * The cost and difficulty of implementing and maintaining PCI DSS controls
  * The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Network segmentation can be achieved through internal network firewalls, routers with strong access control lists, or other technology that restricts access to a particular segment of a network.
Penalties for Non-Compliance
  * VISA fines reported as $5,000/month
  * MasterCard fines reported as $25,000 for non-compliance for the first quarter, followed by fines of $50,000, $100,000 and $200,000 for each successive quarter
  * In the event that credit card data is breached, $500,000 fine from VISA and $350,000 fine from MasterCard (other fines have not been published/shared)
  * Any breach will instantly move the merchant into Level 1 status and require an on-site review by PCI forensic investigators, which must be paid for by the merchant
Keys to Compliance
  * Do not store, transmit or process cardholder data if there is not a valid business need
  * If storage is required, hash or encrypt the credit card number as soon as possible in the system
  * Limit your scope through segmenting your cardholder data environment (CDE)
  * Storage of the magnetic stripe, CVV or PIN data is prohibited

[Figure: a card with the full PAN 1234 5678 9876 5432 and expiration 12/08 sits inside the CARDHOLDER DATA ENVIRONMENT; outside the CDE only the masked number 1234 56XX XXXX 5432 with expiration 12/08 appears; the magnetic stripe is not retained]
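The slide above says "hash or encrypt as soon as possible" and shows the masked form 1234 56XX XXXX 5432; the deck later names tokenization as the scope-reduction method. The block below is an added example, not code from the slides or from Nationwide, showing the four operations a practitioner would actually implement around a PAN: masking for display, a keyed hash for equality lookups (a plain unsalted SHA of a PAN is cheap to reverse, because the issuer prefix is public and the Luhn check halves the remaining space), an in-memory token vault standing in for the real one inside the CDE, and a Luhn-filtered sweep for stray PANs in free text, which is a simplified version of what the Data Loss Prevention technology on a later slide does. The key, the vault and the sample text are constructed; the test card number 4111 1111 1111 1111 is a standard test value, not a real account.

```python
"""PAN handling for PCI DSS 3.4 and scope reduction: mask, keyed-hash, tokenize,
and find stray PANs in text. Added example; key, vault and sample data are
constructed and a real deployment would encrypt the vault's stored PANs."""
import hashlib
import hmac
import re
import secrets


def normalize(pan: str) -> str:
    """Strip spaces and dashes so '1234 5678 9876 5432' and the bare digits match."""
    return re.sub(r"[\s-]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters most false positives when hunting for PANs."""
    digits = [int(c) for c in normalize(pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form from the slide: first six and last four visible, grouped in fours."""
    p = normalize(pan)
    masked = p[:6] + "X" * (len(p) - 10) + p[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) for equality lookups. The key must be protected
    like an encryption key (requirement 3.5); without it the hash is reversible
    by enumerating the small PAN space."""
    return hmac.new(key, normalize(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Minimal tokenization service. The vault lives inside the CDE; systems that
    hold only tokens never see a PAN and so drop out of scope."""

    def __init__(self):
        self._by_token = {}
        self._by_hash = {}
        self._key = secrets.token_bytes(32)  # constructed; a real vault takes this from a key manager

    def tokenize(self, pan: str) -> str:
        p = normalize(pan)
        h = hash_pan(p, self._key)
        if h not in self._by_hash:  # same PAN always maps to the same token
            token = "tok_" + secrets.token_hex(8) + "_" + p[-4:]  # only the last four survive
            self._by_hash[h] = token
            self._by_token[token] = p
        return self._by_hash[h]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


# 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(text: str) -> list:
    """Simple DLP-style sweep: digit runs of plausible length that pass Luhn."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_valid(m.group())]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")
    print(mask_pan("1234 5678 9876 5432"), tok, vault.detokenize(tok))
    print(find_pans("constructed log: order 42 card 4111 1111 1111 1111 ref 1234567890123"))
```

The design choice worth noting is that the token carries the last four digits, so downstream systems can show "ending in 1111" to a customer without ever calling the vault, while the token body is random and has no mathematical relation to the PAN; that is what keeps a database full of tokens out of scope.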
Nationwide's Approach
  Established Strong Leadership Support
    * PCI Governance and Leadership Team
    * Legal and Information Risk Management co-sponsors
  Established Strong External Relationships
    * Qualified Security Assessor (QSA)
    * Processor/Acquirer
  Established Multiple Methods to Detect Credit Card Processes
    * Quarterly executive certifications
    * Security reviews
    * Firewall requests
    * Data Loss Prevention technology
    * Business and IT partners
  Established Method to Reduce Scope
    * Network segmentation and tokenization
Challenges
  Non-XML/Web data
    * Call recording
    * IVR
  Cleanup
    * Mitigation
    * New processes
  Physical security
    * Badges
    * QSA visit
Recap
  * Payment Card Industry Overview
  * PCI Governance/Enforcement
  * PCI Data Security Standard
  * Penalties for Non-Compliance
  * Keys to Compliance
  * Challenges
Questions?