PCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH

How do I...
- know if I'm compliant?
- what do I do to become compliant?
- how do I know if the fee(s) I'm being charged are protecting me?

TOP 10 IDENTITY THEFTS: WHAT STARTED ALL THIS?
- Heartland Payment Systems, 2009
- TJX Companies, 2007
- U.S. Department of Veterans Affairs, 2009
- Card Systems, 2005
- Veterans laptop with personal data stolen, 2006
- Bank of New York Mellon, 2008
- Certegy, 2007
- TD Ameritrade, 2007
- CheckFree, 2008
- Hannaford Bros. chain, 2009

11.1 million adult victims in 2009 (up 12%); $54 billion lost (up 12.5%)

A program like PCI is very hard to implement; it asks busy people to do difficult, inconvenient things for obscure reasons, all in the middle of tough economic times.

Say What?
- CISP means Cardholder Information Security Program
- PCI means Payment Card Industry
- DSS means Data Security Standard
- PCI-ASV means PCI Approved Scanning Vendor
- PA-DSS means Payment Application Vendor (software, etc.)
- PCI-SSC means PCI Security Council
- PCI-PED means PIN Entry Debit
- P2PE means point to point encryption
- SPVA means Secure POS Vendor Alliance

Lifecycle for Changes to PCI DSS and PA-DSS

The standard is managed by the PCI Security Standards Council (PCI SSC). Changes to the PCI standards follow a defined 36-month lifecycle with eight stages:
- Stage 1: Standards Published - occurs in October of Year 1 after the Council's annual Community Meetings
- Stage 2: Standards Effective - occurs on January 1 of Year 1
- Stage 3: Market Implementation - occurs throughout Year 1
- Stage 4: Feedback Begins - occurs during November to March of Year 2
- Stage 5: Old Standards Retired - occurs on December 31 of Year 2
- Stage 6: Feedback Review - occurs during April through August of Year 2
- Stage 7: Draft Revisions - occurs during November through April of Year 3
- Stage 8: Final Review - occurs during May through July of Year 3

PCI SECURITY STANDARDS COUNCIL ENTERS NEXT PHASE OF DATA SECURITY STANDARDS DEVELOPMENT
Version 2.0 of PCI DSS and PA-DSS effective January 1, 2011

WAKEFIELD, Mass., January 05, 2011 - The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today announced the start of phase two of the standards development lifecycle, with version 2.0 of the PCI DSS and PA-DSS formally made effective on January 1, 2011. Stakeholders may begin using version 2.0 as the basis for their payment security programs as of this date.

Don't let your IT person, CPA or attorney tell you that you don't need PCI! "Don't worry, I got everything under control!" Oh yeah? You gonna sign a P.G.?

Card Compromise Trends
- Over 1,000 breach events reported in 2008, resulting in over 285 million compromised records
- Stolen laptops, tapes, servers, etc.
- Most notable in '08 - Hannaford grocery chain: 4.2 million records compromised, resulting in over 1,800 reported cases of fraud
- Employee error and sloppy internal handling of sensitive information are substantial causes of security breaches

Source: www.infosecurityanalysis.com; Source: Verizon Business Data Breach Report*
ControlScan, Inc. 2010 Proprietary and Confidential

Card Compromise Trends
- Criminals are becoming more organized and sophisticated
- A new brand of criminals, known as "carders"
- Carding forum websites, dedicated to the resale of large volumes of sensitive data, creating a new black market
- Organized crime was responsible for over 90% of the 285 million records compromised in 2008*
- Former carding forum: tutorials and hacking tools, postings to buy/sell stolen data, downloadable code for phishing attacks

Source: Verizon Business Data Breach Report; Source: DOJ, Data Breaches: What the Underground World of Carding Reveals

Card Compromise Trends
- Hackers had another big year in 2009, continuing to attack businesses of all sizes.

Card Compromise Trends
Basic vigilance can combat many of the common vulnerabilities:
- Storage of prohibited data
- Poorly coded Web applications (Gartner reports two-thirds of Web apps contain exploitable vulnerabilities)
- Unpatched systems
- Mis-configured firewalls and remote access applications
- Lack of security awareness; sloppy handling of sensitive data

Merchant Levels

Level / Tier: Merchant Criteria
- Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
- Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
- Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
- Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually

Characteristics of Level 4 Merchants: All Merchants Are Not Created Equal
- Highly vulnerable: Level 4 merchants account for over 85% of compromise events
- Underserved: 6,000,000+ Level 4 merchants compared to 326 Level 1 merchants
- Most have little or no technical expertise: no IT or security staff available to manage the compliance process
- Lack of education: minimal security awareness training
- Susceptible to social engineering attacks

The Consequences

A Level 4 data breach typically has a significant financial and operational impact on a small merchant. In some cases, it could shut down a small business. Costs may include:
- Forensics audit costs: $8,000 to $20,000
- Card replacement costs: generally between $3 and $10 per card
- Brand damage: hard to quantify, but at the end of the day this could be the most damaging consequence to a business
- Compliance fines: currently range from $5,000 to $250,000 depending on the size of the breach and the nature of the offense that led to the compromise

The good news for B2B merchants: MOTO merchants suffer less than 3% of CC security breaches.

If a salesperson calls or stops in your office and tells you that your CC terminal, POS, gateway, etc. is non-compliant, show them the door! Almost all equipment is compliant, especially dial-up terminals, which can't be hacked for identity theft.

Fines and Fees

When are fines typically levied?
- Not meeting PCI compliance by the specified date
- Cardholder data compromise when not PCI compliant

Fines flow down the chain: CREDIT CARD COMPANIES -> ACQUIRER (MERCHANT BANK) -> SERVICE PROVIDER (PROCESSOR/ISO) -> MERCHANT

"Come on wid me, yah won't have to pay nuttin extra!"

Common Merchant Objections

Q: Can I switch to a new processor who doesn't require compliance?
A: All acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; therefore, all processors are required by the card brands to implement a PCI compliance program.

Q: What happens if I do not comply?
A: Merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. Many acquiring banks are issuing fines for merchants who do not comply with PCI. For a little upfront effort and cost to comply with PCI, you greatly reduce your risk of facing these extremely unpleasant and costly consequences.

Q: Why haven't I heard anything from the card brands regarding PCI compliance?
A: The individual card brands are requiring that the merchant banks/processors implement individual PCI compliance programs to educate merchants on compliance and ensure that they meet PCI compliance requirements. They require that all merchant banks/processors have a plan in place to ensure their merchants obtain and maintain compliance with the standard. Most of the breaches you hear of in the news are large retailers, but many people do not realize that over 80% of compromises occur at small merchant locations.

Oh no! Scan my computer? They're going to look at all my stuff?

For more info go to https://www.pcisecuritystandards.org/index.php