Payment Card Industry Data Security Standards

Discussion Objectives

Agenda:
- Introduction
- PCI Overview and History
- The Protiviti Difference
- Questions and Discussion

2014 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

PCI DSS Overview and History

Global Payment Card Statistics: Need for the Payment Card Industry Data Security Standard (PCI DSS)

Source: http://www.nilsonreport.com/publication_chart_and_graphs_archive.php

Issuers, merchants, and acquirers of credit, debit, and prepaid general purpose and private label payment cards worldwide experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year, according to The Nilson Report, a leading payment industry newsletter. Of that $11.27 billion, card issuers lost 63% and merchants and acquirers lost the other 37%.

Fraud as a percentage of total volume was lowest for PIN-based debit networks worldwide, at 1.10 per $100 in total volume. The global brand cards (Visa, MasterCard, American Express, UnionPay, Diners Club, and JCB) averaged fraud losses of 6.13 for every $100 in total volume.

Card issuer losses occur mainly at the point of sale from counterfeit cards; issuers bear the fraud loss if they give merchants authorization to accept the payment. Merchant and acquirer losses occur mainly on card-not-present (CNP) transactions on the Web, at a call center, or through mail order, because issuers can charge back fraudulent transactions.

PCI DSS Overview: The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store, process or transmit credit card information maintain a secure environment.

[Chart: U.S. Purchase Volume - Consumer vs. Commercial Cards]

About PCI DSS: The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Source: http://www.pcicomplianceguide.org/pcifaqs.php#2

PCI DSS Version 3.0

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.

Merchant Scope

Any organization that enters into a Merchant processing agreement with an acquirer will typically be signing a contract requiring that the Merchant fully comply with operating regulations outlined by the Payment Card Brands (Visa, MasterCard etc.). This includes full compliance with all requirements outlined within the PCI DSS and the requirement to report that compliance annually, irrespective of the organization's processing volumes.

Failing to comply with the PCI DSS, be it one control or many, would therefore be considered a breach of contract and provides the opportunity for the acquirer to levy contract-based penalties. This could include fines or termination of the contract. In addition to contractual compliance penalties, the merchant services contract also allows the acquirer to recover costs applied to them by the card brands resulting from a breach of any cardholder data (CHD) by the Merchant.

These contractual requirements therefore necessitate that Merchants assess and report their compliance as a complete entity for all areas where they collect or process CHD. They do not provide the ability for a Merchant to assess compliance on individual business processes.

While Merchants may choose to outsource aspects of their business that relate to the processing of Payment Card transactions or support of IT systems that store, process or transmit CHD, if the organization maintains the acquirer Merchant ID for those transactions, it retains responsibility for compliance with the PCI DSS.

Service Provider Scope

Service Providers are any entity that performs functions on behalf of Merchants, Issuers, Acquirers, Card Brands or even other Service Providers related to the protection of CHD. This could include the full development, support, maintenance and management of the entire CHD processing environment (as occurs with Web Development and Hosting providers). It could be as small as providing local or remote support for an application on a desktop that is part of the cardholder data environment (CDE), or performing a process such as User Access Management or Vulnerability Scanning.

Compliance with the PCI DSS and subsequent reporting by Service Providers is determined by their contracts with their customers. It is up to the customer to determine how to monitor the compliance of their Service Provider.

The scope of a Service Provider's PCI DSS compliance assessment is driven by:
- The CHD they store, process or transmit on behalf of their customer; or
- The system/process they support on behalf of their customer.

Service Providers can assess services or products they provide individually to meet their customer's requirements, rather than perform an entire PCI DSS assessment over their complete environment.

PCI DSS Version 3.0: Changes Overview

The new standard, Version 3, has brought with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem. The core 12 security areas remain the same, but the updates include several new sub-requirements that did not exist previously.

The updated standards will help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities. The changes will provide increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform.

Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments.

Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

PCI DSS Version 3.0: Change Drivers

Common challenge areas and drivers for change include:
1. Lack of education and awareness around payment security
2. Weak passwords, authentication
3. Third-party security challenges
4. Slow self-detection, malware
5. Inconsistency in assessments

Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights

Key Takeaways

The changes in PCI DSS 3.0 are likely to result in significant additional effort for companies processing credit card payments.

1. The bar for segmentation is raised. Point-to-point encryption is a more valuable scope reduction strategy: this technology encrypts card data at the point of swipe and maintains that encryption all the way to the processor, such that the merchant cannot ever decrypt the data. Use of point-to-point encryption remains one of the most effective ways to reduce PCI scope.
2. Merchants and service providers alike will require time to address these new requirements and expanded scoping.
3. Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers' credit card data.

Source: INFORMATION TECHNOLOGY FLASH REPORT: Understanding PCI DSS Version 3.0 Key Changes and New Requirements
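As an added illustration of the point-to-point encryption takeaway above (constructed example code, not Protiviti's or the PCI SSC's): the terminal encrypts the PAN under a key injected by the processor, the merchant handles only the resulting opaque blob, and only the processor can open it. A single AES-256-GCM key stands in for the DUKPT per-transaction keys that real P2PE solutions use; the AuthResponse shape, the function names and the test PAN are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Terminal is the tamper-resistant device at the point of swipe; Processor is
// the only other holder of its key. The merchant between them holds no key.
type Terminal struct{ aead cipher.AEAD }
type Processor struct{ aead cipher.AEAD }

// EncryptedCardData is all the merchant's systems ever see or store.
type EncryptedCardData struct{ Nonce, Ciphertext []byte }

// AuthResponse is the assumed shape of the processor's reply: a decision and
// the last four digits for the receipt, never the full PAN.
type AuthResponse struct{ Approved bool; Last4 string }

const aad = "p2pe-demo-v1" // associated data binding the blob to this format

// ProvisionKey models key injection: one AES-256 key is loaded into the
// terminal and kept by the processor (real P2PE uses DUKPT per-transaction keys).
func ProvisionKey() (*Terminal, *Processor, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return &Terminal{aead}, &Processor{aead}, nil
}

// Swipe encrypts the PAN inside the terminal under a fresh random nonce.
func (t *Terminal) Swipe(pan string) (EncryptedCardData, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCardData{}, err
	}
	return EncryptedCardData{nonce, t.aead.Seal(nil, nonce, []byte(pan), []byte(aad))}, nil
}

// Decrypt runs only at the processor; the GCM tag check also rejects a blob
// that was modified while crossing the merchant's network.
func (p *Processor) Decrypt(e EncryptedCardData) (string, error) {
	pt, err := p.aead.Open(nil, e.Nonce, e.Ciphertext, []byte(aad))
	if err != nil {
		return "", errors.New("p2pe: wrong key or tampered card data")
	}
	return string(pt), nil
}

// Authorize is the merchant-facing call: the merchant forwards the opaque
// blob and gets back a decision plus Last4, so the PAN never enters its scope.
func (p *Processor) Authorize(e EncryptedCardData) (AuthResponse, error) {
	pan, err := p.Decrypt(e)
	if err != nil || len(pan) < 4 {
		return AuthResponse{}, errors.New("p2pe: unreadable or malformed card data")
	}
	return AuthResponse{Approved: true, Last4: pan[len(pan)-4:]}, nil
}
```

The merchant code path only ever touches EncryptedCardData and AuthResponse, which is the property a P2PE scope reduction argument rests on.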

Assessors' Role and Obligations

Qualified Security Assessors (QSAs) are external parties hired by a Merchant or Service Provider to undertake an independent assessment of the organization's compliance with the PCI DSS. The assessment and resulting Attestation of Compliance is used by the Merchant or Service Provider to validate to a third party, be it an acquirer, Card Brand, or customer, adherence to the PCI DSS across all components in scope for compliance.

While the Merchant or Service Provider engaging the QSA is paying the bill, the Attestation of Compliance legally binds the QSA organization to the third party who receives it. The QSA must therefore be comfortable that their assessment has not been compromised and fairly represents the compliance state of their client. It is therefore imperative that the QSA determines the scope and level of testing required, and validates the compliance of the environment without conceding to the pressures of their customers.

The Protiviti Difference

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

- 6th largest risk consulting firm
- 2,500+ professionals
- 1,000+ clients
- 70+ offices
- Over 20 countries in the Americas, Europe and Asia-Pacific

Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002 to US $385.6 million in 2010.

About Protiviti IT Security Services

The Protiviti IT Consulting practice encompasses three broad areas: Managing the Business of IT, Managing Applications and Data, and Managing IT Security and Privacy. IT Security and Privacy primarily covers Security Strategy & Program Management, and Identity and Access Management. In this domain Protiviti has a demonstrated track record of helping companies react to security incidents, establish security programs, manage identity access, and handle industry-specific data security and privacy issues, including PCI and HITRUST.

Solution Segment: Security Strategy & Program Management
Service Offerings:
- Security Policy & Program Services
- Security Strategy & Architecture Services
- Security Implementation & Deployment Services
- Security Metrics
- Incident Response Services
- Awareness and Training
- Other Security Services

Solution Segment: Identity and Access Management
Service Offerings:
- Access Management Policy & Standards Services
- IDAM Design & Implementation Services
- Identity Credential Selection Services
- Identity Federation Strategy & Implementation Services

Protiviti Qualifications

Protiviti holds all major PCI-related certifications, including:

PCI DSS Qualified Security Assessor (QSA)
- Perform PCI DSS Gap Assessments
- Develop creative, cost-effective solutions to address PCI DSS compliance gaps and reduce PCI DSS scope
- Complete PCI DSS ROC assessments

Payment Application Qualified Security Assessor (PA-QSA)
- Assess payment applications for compliance with the PA-DSS

Approved Scanning Vendor (ASV)
- Perform quarterly external vulnerability scanning

PCI Forensic Investigator (PFI)
- Undertake forensic investigations associated with CHD breaches
- Advise breached organizations on how to manage the breach
- Lead the identification, containment, recovery and remediation of breaches
- Develop plans to reduce the likelihood of future breaches

Compliance vs. Security

Following almost all of the large breaches that have been reported in the last 5 years (especially those that have reported compliance with the PCI DSS), key executives have stated that the PCI DSS does not provide security. In almost every case of these breaches, the entity has:
- Failed to adequately scope the CDE, missing key systems that store, process or transmit CHD.
- Assumed that firewall segmentation between those systems that store, process or transmit CHD is adequate to protect those systems from a breach in IT infrastructure that is shared between the less secure corporate environment and the CDE. Systems providing services such as Authentication and Authorization (Active Directory/LDAP etc.), Patch Management, Monitoring and Availability, etc. are often not adequately protected.
- Assumed that their Service Providers are aligned with and adhering to the PCI DSS.
- Failed to continue to operate integral processes such as user access management, patch management, virus management, threat monitoring etc. across all system components to maintain the security posture of the CDE.
- Accepted, or convinced their QSA to accept, poor or substandard compensating controls.

At Protiviti, we believe that compliance with the PCI DSS can achieve true security for cardholder data if the risk is properly scoped and controls are applied correctly and maintained by the organization.

Questions

This presentation contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly owned subsidiary of Robert Half International ("RHI"). RHI is a publicly traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to the "Client", and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents of this presentation are intended for the use of the Client and may not be distributed to third parties. This presentation does not constitute an agreement between Protiviti and the Client. Any services Protiviti may provide to the Client will be governed by the terms of a separate written agreement signed by both Protiviti and the Client.