
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Slide 1: The future is mission critical. Solutions your way.

Slide 2: MphasiS PCI DSS Offerings
Bhaskar Maddala, Associate Vice President, MphasiS Australia Pty Ltd – a HP Company

Slide 3: Agenda
- What is PCI DSS?
- What does it mean for us, and who is affected?
- How to become compliant
- What happens if we are not compliant
- PCI compliance for NonStop
- MphasiS PCI service approach and service offerings
- Case studies

Slide 4: What is PCI DSS?
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

PCI DSS is primarily concerned with the processing, storage and transmission of the Primary Account Number (PAN) printed on the front of every debit and credit card, and with its protection.

- Joint effort of:
  - VISA International
  - MasterCard Worldwide
  - American Express
  - Discover Financial Services
  - JCB
- Includes 12 security requirements (approximately 327 sub-requirements) grouped into six control objectives.
- First version (1.0) published in December 2004; second version (1.2) in October 2008. The current version of the standard is 2.0 (October 2010).

Slide 5: Primary PCI DSS Role Players

Slide 6: PCI DSS, why?
- Response to an alarming increase in the theft of payment card data
- Several high-profile cases in the US:
  - TJX Companies (January 2007, 45+ million customers affected)
  - Hannaford Brothers (March 2008, 4+ million customers affected)
- Payment card processors had security breaches too:
  - Heartland Payment Systems (January 2009, 100 million transactions per month)
- Security breaches at small businesses as well
- Limited public information in Australia:
  - RosesOnly (September 2007, 20,000 customers affected)
  - Bottle Domains (February 2009, 60,000 customers affected)
Note: In some of the cases above (Hannaford and Heartland) the compromised entity was PCI DSS compliant.

Slide 7: Benefits of compliance
- Protect customers' personal data
- Boost customer confidence through a higher level of data security
- Lower exposure to financial losses and remediation costs
- Maintain customer trust and safeguard the reputation of the brand
- Provide a complete "health check" for any business that stores or transmits customer information

Slide 8: What are criminals after?
Most malicious actors want to obtain the track data.
- Magnetic track data:
  - PAN
  - USERNAME
  - EXPIRY DATE
  - CVC 1 / CVC 2
- And especially the PIN
Why this information?
- Multiple magnetic-stripe cards can be made using the track 2 data, which can also be used to perform "card not present" fraud
- The PIN can be used with the counterfeit cards for any transaction (cash withdrawal etc.)

Slide 9: Common challenges to becoming PCI compliant
- Fully understanding and documenting the processes and payment environment
- Tracking and monitoring access to payment card systems and data
- Controlling logical access (authentication) to systems containing payment card data
- Security event monitoring across a disparate environment
- Limited security capabilities (authentication, monitoring, etc.) of legacy systems
- Remediation of controls across large (often legacy) distributed environments
- Encryption of payment card data
- Putting PCI contractual language in place for third-party service providers
- Obtaining management support to perform remediation

Slide 10: Typical Authorisation, Clearing and Settlement process

Slide 11: Trends in the PCI compliance market

State of compliance: how is the PCI DSS perceived and prioritised in business?
- Businesses are still not taking data security seriously and are struggling with compliance costs
- Business units own compliance assessment budgets, but IT security is responsible for compliance
- Few organisations fail compliance, but many rely on mechanisms not prescribed by the PCI DSS

Achieving compliance: how are businesses living up to PCI DSS requirements?
- Restricting access to card data is the most important PCI DSS requirement, but also the most difficult to achieve
- Firewalls and encryption are the most effective technologies for achieving compliance
- The cost of annual audits averages $225,000 per year for large merchants

Protecting cardholder data: where is data at risk and how is it being protected?
- Handling chargebacks still requires storage of cardholder data
- Cardholder data is most at risk travelling across merchant networks and stored in databases
- Encryption is the favoured technology for achieving end-to-end cardholder data protection
- Controlling access to encryption keys is the most difficult key management task

Ref: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/PCIDSSTrends-QSAInsights010310.pdf

Slide 12: PCI = Convergence of Technology, People and Process

Slide 13: 12 rules of compliance (New Ventures - Payments)

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel

Slide 14: MphasiS PCI Service Approach
The PCI DSS Management Services offering contains the following packages:
- PCI DSS Integrated Management Services: a comprehensive package of base infrastructure-related services, ensuring that processes and overall security controls are in place and that compliance with the PCI Data Security Standard is provided. This service covers all infrastructure support requirements that can be outsourced by the client.
- PCI DSS Discrete Management Services: a set of standalone security services, each addressing a certain set of PCI Data Security Standard requirements, which clients can select to address specific PCI DSS requirements.

Slide 15: MphasiS GNIS Service Offerings
PCI-related services for first-time clients:
- PCI consulting
- PCI DSS pre-compliance assessment
- PCI DSS gap analysis
- PCI DSS implementation (custom solutions, point solutions)
- Formulating policies in line with PCI requirements
- PCI DSS pre-audit and audit preparation
- PCI training
- Penetration testing and vulnerability assessment
PCI-related services for already certified customers:
- Provide continuum services
- Ensure that the certification remains valid
- Conduct biannual mock audits
- Help in pre-assessment and assessment audits with a certified QSA

Slide 16: In short
- A number of NonStop customers have passed PCI certification audits on their systems.
- However, there is no standard process or single security product that automatically achieves PCI compliance on any system.
- PCI DSS compliance is achieved by a combination of enforced policies, process and technology.
- Organizations must create and implement appropriate security-related policies and practices for their business.
- Selecting and making proper use of security products can help ensure that policies and best practices are met.

Slide 17: Why MphasiS?
- An integrated, vendor-neutral approach with the customer's interests in mind
- We have delivered PCI compliance services successfully for several customers
- An approach that can help meet your NonStop security and PCI needs at optimal cost: reusable components and specific methodologies
- A strong team with knowledge of some of the world's renowned security standards: 182 security consultants; 17 FTEs in the PCI COE (SMEs plus technical team)
- Strong focus on the Payments business unit
- Provides alternatives that match the security awareness of your organization, with a gradual increase in consciousness

Slide 18: MphasiS GNIS Infosec and PCI COE Team

Competency matrix (total head count):
- Certified Information Systems Auditor (CISA): 6
- Certified Information Systems Security Professional (CISSP): 15
- Certified Information Security Manager (CISM): 5
- Security engineers with infrastructure / application security development expertise: 12
- Project Management Professionals (PMP): 6
- IDAM, identity management and SSO (IMS LM (FIM), CA, IBM Tivoli, Sun, HP, RSA, OIM, CA eTrust, AD): 53
- Managed Security Services professionals: 156
  - SIM: NetIQ Security Manager, ArcSight, netForensics, eSecurity etc.
  - Endpoint security: Symantec/Sygate, Cisco CSA, McAfee
  - Vulnerability management: NetIQ VM, Symantec VM etc.
  - Critical component management: Checkpoint, RealSecure IDS, Cisco PIX, McAfee HIPS etc.
  - Content filtering: SurfControl Web and Email Filter, Trend Micro IMSS (SPS) etc.
  - PKI: VeriSign, RSA, Sun, Entrust etc.
  - IDS/IPS: ISS, Cisco, Symantec, McAfee, Enterasys
  - Firewall: Cisco, Checkpoint, Sygate
  - Anti-virus: McAfee, Symantec, Trend Micro
- Technical workforce: 182

MphasiS GNIS has been operational for 5 years. This team is involved both in developing security capabilities and in delivering ongoing security services for HP and HP clients. The MphasiS ITO GNIS security team is staffed with:
- A total workforce of 500+ in GNIS
- A dedicated group of 182+ MS/MBA security engineers, consultants, PMs and analysts in IS
- Technical members with skills in security engineering and the software platforms used in development
- More than 10 ongoing security projects, with dedicated and leveraged security project management professionals

Slide 19: Case Studies (Selective)
- BNTB – IT Security/Compliance and IT Operations (completed)
- Pegasus (completed)
- National City GSN (completed)
- HP ECS: HP Enterprise Cloud Services (ongoing)
- TOPs Retail Chains (completed)
- Luxottica DCNA 2.1 / HSP 3.1 (assessment completed)

Slide 20: BNTB – IT Security/Compliance and IT Operations

Customer overview
Bank of N.T. Butterfield & Son Limited (BNTB): The Butterfield Group is a full-service community bank and a provider of specialized international financial services.

Project overview
HP entered into a new agreement with BNTB to transform their security infrastructure to meet the PCI DSS standards and requirements. MphasiS and HP PCI architects and engineers designed the solution with two PCI compartments and drove the process to meet the standards.

Services featured
Security management:
  A. User provisioning and de-provisioning
  B. Centralised management of identity data in a heterogeneous environment of 600+ servers
  C. Automated workflow
  D. Auditing and reporting
  E. SRF and digital workflow tool
Compliance:
  A. PCI DSS compliant solutions/compartment
Incident management:
  A. Analysis, resolution and closure
  B. Acceptance and responding
  C. Capture, logging and routing
Problem management:
  A. Handling escalated incidents
  B. Incident trend analysis

Slide 21: BNTB – Security Office Team
Challenges
- Lack of security policies
- Customized applications used for card processing
- Partially automated workflows
- No regulation of the flow of requests
- Delayed approval of requests from role owners
Benefits delivered
- Significant reduction in cost overhead due to effective best-shoring
- PCI DSS ready solution

Slide 22: Thank you
Bhaskar Maddala, Associate Vice President, MphasiS Australia Pty Ltd – a HP Company
Mob: +61 424761703
Bhaskar.Maddala@hp.com, Bhaskar.maddala@mphasis.com
www.MphasiS.com

