Payment Card Industry Compliance Overview



Similar documents
A Compliance Overview for the Payment Card Industry (PCI)

Your Compliance Classification Level and What it Means

PCI Compliance Overview

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

PCI DSS Compliance Information Pack for Merchants

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI Standards: A Banking Perspective

The PCI DSS Compliance Guide For Small Business

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Payment Card Industry Data Security Standard

North Carolina Office of the State Controller Technology Meeting

How To Protect Your Business From A Hacker Attack

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Adyen PCI DSS 3.0 Compliance Guide

Securing The Data. Payment System Forum Bank Negara Malaysia. 27 th November Murugesh Krishnan Head of Risk, South & Southeast Asia

SecurityMetrics Introduction to PCI Compliance

What a Processor Needs from a University to Validate Compliance

Payment Card Industry Data Security Standard (PCI DSS)

Project Title slide Project: PCI. Are You At Risk?

Becoming PCI Compliant

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Payment Card Industry - Achieving PCI Compliance Steps Steps

Transitioning from PCI DSS 2.0 to 3.1

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

Two Approaches to PCI-DSS Compliance

VISA EUROPE ACCOUNT INFORMATION SECURITY (AIS) PROGRAMME FREQUENTLY ASKED QUESTIONS (FAQS)

Data Security Basics for Small Merchants

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

PCI DSS. CollectorSolutions, Incorporated

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

How To Protect Your Credit Card Information From Being Stolen

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

E Pay. A Case Study in PCI Compliance. Illinois State Treasurer. Dan Rutherford

PCI Compliance: How to ensure customer cardholder data is handled with care

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

University Policy Accepting Credit Cards to Conduct University Business

Frequently Asked Questions

June 19, Bobbi McCracken, Associate Vice Chancellor Financial Services. Subject: Internal Audit of PCI Compliance.

PCI DSS Gap Analysis Briefing

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

Josiah Wilkinson Internal Security Assessor. Nationwide

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

Payment Card Industry Data Security Standards

HOW SECURE IS YOUR PAYMENT CARD DATA?

John Verdeschi Vice President Payment Systems Integrity March 31, and The PCI SSC s Prioritized Approach

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

PCI Compliance. Top 10 Questions & Answers

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Why Is Compliance with PCI DSS Important?

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

Merchant guide to PCI DSS

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Understanding Payment Card Industry (PCI) Data Security

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

How To Ensure Account Information Security

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

Payment Card Industry (PCI) Data Security Standard

PCI DSS. Payment Card Industry Data Security Standard.

Payment Card Security

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

How To Program A Credit Card Terminal To Be A Pca Compliant (Cpo) Or Not (Pca) Compliant (Dns) (Cisp) (Dhs) (Pci) (Susu) (Usu/

PCI DSS Presentation University of Cincinnati

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PCI Compliance Top 10 Questions and Answers

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

Introduction to PCI DSS

Transcription:

January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260 Passcode: 2345957

Purpose of Payment Card Industry Data Security Standards (PCI-DSS) Set of global security standards and best practices Applies to merchants, processors, acquirers, issuers, providers and those who store, process and transmit cardholder data Comprises minimum set of requirements Developed by the Payment Card Industry Security Standards Council ( the Council ) who is responsible for development, management, education and awareness of the PCI-DSS 2

Suite of Standards Managed by PCI-SSC PCI-PTS: Manufacturers of PIN Entry Devices PCI PA-DSS: Software developers and covers payment applications PCI-DSS: Merchants and service providers to address secure payment processing environments ü Most significant ü In depth security strategy ü Targets different levels of your infrastructure 1/31/14 NIC Webinar Series 3 3

What does PCI-DSS cover? n Security of the environment: ü System components included in or connected to a merchant or service provider s cardholder data environment ü Any environment that receives account data from payment applications and other sources 4

5 Securing Account Data n Cardholder Data includes: ü Primary Account Number (PAN) ü Cardholder Name ü Expiration Date ü Service Code n Sensitive Authentication Data: ü Full Magnetic strip data or equivalent on a chip ü CAV2/CVC2/CVV2/CID ü PINS/PIN blocks 5

PCI-DSS Administration and Enforcement Each payment brand maintains its own compliance program: American Express: Data Security Operating Policy (DSOP) Discover: Discover Information Security Compliance (DISC) JCB: Data Security Program MasterCard: Site Data Protection (SDP) Visa Inc.: Cardholder Information Security Program (CISP) Visa Europe: Account Information Security (AIS) Program 6

Manage the security standards Define and implement validation requirements Approve companies and employees to perform assessments Maintain lists: ü QSA, PA-QSA and ASV ü Validated payment applications ü Approved PIN transaction devices ü Validated Point to Point Encryption Solutions Review selected reports Provide training to QSA, PA-QSA and ISAs Offer guidance on technologies Promote PCI security globally QSA: Responsibilities of the PCI Security Standards Council PA-QSA: Acronyms Qualified Security Assessor ASV: Approved Scanning Vendor Payment Application Qualified Security Assessor ISA: Internal Security Assessor 7

Develop & enforce compliance programs Assess fines or penalties for non-compliance Responsibilities of Payment Card Brands Endorse QSA, PA-QSA and ASV company qualification criteria Accept validation documentation from approved companies Provide feedback to the Council on performance QSA: PA-QSA: Acronyms Qualified Security Analyst ASV: Approved Scanning Vendor Payment Application Qualified Security Assessor Perform forensic investigations 8

Ensure merchants understand requirements and track compliance efforts Responsibilities of Acquirers Manage communications about PCI Working with merchants to achieve compliance Report compliance to payment brands Liability for non-compliance 9

Time Frame 36 Month Lifecycle - 8 stages 10 10

What changes were made to the PCI-DSS Standard? Clarifications ü Clarified the intent of a requirement Additional Guidance ü Explanation, definition or instruction to increase understanding Evolving Requirement ü Ensuring standards and up to date with emerging threats and changes 11 Version #3 November 2013 11

Any significant changes to Version #3? Effective Jan2014 Enforcement Jan 2015 Penetration Testing ü Formal pen testing methodology ü 12 months threats and vulnerabilities ü Exploitable vulnerabilities remediated and retested ü Operational effectiveness of controls if CDE is separated from other networks Cardholder Data Flow ü Shared Responsibility between 3 rd parties, banks, merchants, businesses, retailers and other entities ü Document requirements and responsibilities POS Devices ü Physical security of the devices ü Restricting access ü Detect/Report tampering 12

Is Government Responsible for PCI? Outsourcing PCI Impossible to completely outsource PCI Need to evaluate how you receive or transmit card information in connection with what is being outsourced 13 1/31/14 13

What does PCI-DSS require you to do? Assess: Identify data, take inventory and analyze Remediate: Fix vulnerabilities Report: Submit records and reports 14

Achieving PCI-DSS Compliance 12 general requirements and 6 milestones Continuous process Fix Vulnerabilities Merchant and Service Provider reporting to acquiring banks and card brands Assess, Remediate and Report Adhering to PCI-DSS Requirements Operationally playing your role 13

How do you demonstrate you are compliant? Depends on how the payment brands define Merchants and Service Level Providers Annual On-Site Audit ü 3 rd party review by Qualified Security Assessor (QSA) utilizing PCI Security Audit Procedures and compliance report filing Annual Self-Assessment ü Internal questionnaire based on the requirements in the PCI-DSS Quarterly Security Scan ü 3 rd Party Approved Scanning Vendor (ASV) performs non-intrusive network scan of Internet-facing perimeter systems **Note: Only the Merchant of Record is required to demonstrate PCI Compliance. 14

Fines, Penalties and Other Costs ü Varies by card brand ü Government fines ü Forensic investigation costs ü Cancelled accounts ü Breach notification costs ü Insurance claims ü Defense costs Reputation ü Loss of Trust and Confidence ü Loss of relationships Acquirer incurs liability ü Merchant non compliance ü Fines are passed down Consequences of failing to comply Consequences of Failing to Comply 1/31/14 NIC Webinar Series 17 17

Government s Challenge Where do you start? PCI SCC Prioritized Approach Document ü Helps expedite ü Demonstrate compliance progress ü Roadmap to address risks ü Quick Wins ü Support with financial and operational planning ü Objective and measurable progress ü Consistency with Assessors 18 16

Recommendations for reviewing PCI-DSS Assess: ü Identify data flow ü Identify cardholder data Remediate: ü Fix Vulnerabilities ü Don t store cardholder data Report ü Remediation validation ü Compliance reports to banks and cards brands 19 19

PCI-DSS Additional Information PCI SSC Website www.pcisecuritystandards.org Website includes the following resources: ü PCI Standards and Supporting Documents ü FAQs, Training Information, News & Events FAQs, Training Information, News & Events 20 20

Questions? Jayne Friedland Holland 913-754-7005 www.egov.com jayne@egov.com 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information