Surviving the PCI Self-Assessment. James Placer, CISSP, West Michigan Cisco Users Group Leadership Board.


1 Surviving the PCI Self-Assessment. James Placer, CISSP, West Michigan Cisco Users Group Leadership Board

2 Agenda: Overview of the Payment Card Industry Data Security Standard (PCI DSS); PCI DSS requirements; Merchant levels; Requirements of Self-Assessment; The ASV conflict; Questions

3 Protecting card data. Why it's important: causes hardship for our customers; loss of customer confidence; required by PCI DSS; state laws on disposal and notice; state breach law notification requirements

4 Overview of PCI DSS. The basis is: cloned cards must never again be capable of being created from stored data, through compromise or eavesdropping. One can store elements of the Track II, i.e. a card number and expiry date, when required for particular cards (front-of-card information ONLY). In no circumstances should the CVV or the PIN verification value data elements be stored.
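Added example (not part of the original presentation): a Python sketch of the storage rule on this slide, reducing a swiped Track 2 record to card number and expiry before anything is persisted, plus a check for full track records in text headed for logs or files. It assumes the ISO/IEC 7813 Track 2 layout; the function names are hypothetical and the sample track is constructed from a test card number with made-up discretionary digits.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code +
# issuer-defined discretionary data (where verification values live) + ?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)\?"
)
# Looser pattern for spotting a full track record inside free text (logs, dumps).
TRACK2_ANYWHERE = re.compile(r";\d{12,19}=\d{7,}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to reject misreads before storing a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def storable_elements(track2: str) -> dict:
    """Return only card number and expiry; service code and discretionary
    data (CVV, PIN verification value) are parsed but never returned."""
    m = TRACK2.match(track2.strip())
    if m is None:
        raise ValueError("not a Track 2 record")
    pan, expiry = m["pan"], m["expiry"]
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    if not 1 <= int(expiry[2:]) <= 12:
        raise ValueError("expiry month out of range")
    return {"pan": pan, "expiry_yymm": expiry}


def contains_track_data(text: str) -> bool:
    """True if text about to be written still holds a full Track 2 record."""
    return TRACK2_ANYWHERE.search(text) is not None


# Constructed sample: test card number, made-up discretionary digits.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

if __name__ == "__main__":
    record = storable_elements(SAMPLE_TRACK2)
    print(record)
    print(contains_track_data(f"debug swipe={SAMPLE_TRACK2}"))  # raw swipe in a log line
    print(contains_track_data(str(record)))                     # reduced record is clean
```
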

5 Overview of PCI DSS. Applies to: all merchants that store, process, or transmit cardholder data (if you accept one credit card payment a year you must be compliant); all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet). Includes 12 requirements, based on: administrative controls (policies, procedures, etc.); physical security (locks, physical barriers, etc.); technical security (passwords, encryption, etc.)

6 Shared Network Resources A network that is shared by other services cannot be considered secure. … whatever we think of our wider network, we cannot fully trust it

7 Merchant levels. Merchant levels are based on the merchant's yearly transaction volume. Specific criteria for placement in merchant levels vary across card companies. All merchants, regardless of level, must adhere to PCI DSS requirements. The level into which a merchant is placed determines PCI DSS compliance validation (and ultimately cost). Let's take a quick look at Visa's levels…

8 Merchant levels - Visa Level 2: merchants, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions Level 3: any merchant processing 20,000 to 1,000,000 Visa e-commerce (Internet) transactions

9 Merchant levels - Visa Level 4: any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions; all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions

10 PCI DSS compliance validation. Level 2 and 3 merchants: self-assessment questionnaire; quarterly network security scan by approved scan vendor (ASV)

11 PCI DSS compliance validation. Level 4 merchants: self-assessment questionnaire if required by acquirer; quarterly network security scan by approved scan vendor if required by acquirer

12 PCI DSS compliance validation: 5 levels of self-assessment; 4 self-assessment questionnaires

13 Self-Assessment Questionnaire. Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. Use Questionnaire A. Type 2: Imprint-only merchants with no electronic cardholder data storage. Use Questionnaire B.

14 Self-Assessment Questionnaire. Type 3: Stand-alone terminal merchants, no electronic cardholder data storage. Use Questionnaire B. Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage. Use Questionnaire C.

15 Self-Assessment Questionnaire. Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. May be required to complete the full Self-Assessment form (as opposed to short forms A through C).

16 Authorized Scanning Vendors. An external ASV scan may be required for self-assessment. Not all ASVs are created equal. ASVs must be approved by PCI and on the PCI authorized scanning vendor list. DO NOT automatically use the recommended ASV of your card processor!!!

17 PCI DSS requirements. First step is to document the FULL path of credit card data through your company. This is electronic as well as procedural. If you do not know the path you cannot self-assess!!!!! Card Environment MUST be isolated...

18 PCI DSS requirements Best Practice to be applied! Each requirement has many sub-requirements! 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data

19 PCI DSS requirements 1. Encrypt transmission of cardholder data and sensitive information across public networks 2. Use and regularly update anti-virus software 3. Develop and maintain secure systems and applications 4. Restrict access to data by business need-to-know

20 PCI DSS requirements 1. Assign a unique ID to each person with computer access 2. Restrict physical access to cardholder data 3. Track and monitor all access to network resources and cardholder data 4. Regularly test security systems and processes 5. Maintain a policy that addresses information security

21 Resources. PCI DSS self-assessment guidelines: https://www.pcisecuritystandards.org/saq/instructions.shtml The PCI DSS guidance document: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

22 Questions???

