PCI Compliance: What’s All the Fuss? Bob Russo November 7, 2008.

1 PCI Compliance: What’s All the Fuss? Bob Russo November 7, 2008

2 The PCI Security Standards Council
An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
– Data Security Standard (DSS)
– Payment Application Data Security Standard (PA-DSS)
– PIN-Entry Device (PED)

3 PCI SSC - The Standards

4 The PCI Security Standards Council Founders

5 PCI DSS Drivers
Inputs to the PCI Data Security Standard:
– Industry best practices
– Community Meeting
– Security scans
– Self-Assessment Questionnaire
– On-site audits
– ADC forensics results
– Proactive feedback from POs and the Assessor Community
– Advisory Board
– Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs)

6 Notable Successes
– Over 500 Participating Organizations around the world
– Successful Community Meetings with over 700 attendees from around the world
– Board of Advisors driving special interest groups: wireless, pre-authorization
– 164 current QSA companies, of which 74 are also ASV companies
– Total QSAs (individuals) trained to date: 1,063
– Additional devices added to the PED standard
– Implemented two-year lifecycle process for DSS & SAQ
– PCI SSC participated in 33 events worldwide
Assessors servicing markets, per region: Asia Pacific: 29; Canada: 16; CEMEA: 28; Latin America & Caribbean: 27; United States: 87; Europe: 57

7 Roles and Responsibilities of the Council
PCI SSC…
– Is an independent industry standard
– Manages the technical and business requirements for how payment data should be stored and protected
– Maintains the list of the qualified PCI assessor community: QSAs, ASVs, PA-QSAs and PED Labs
PCI SSC does not…
– Manage or drive compliance (each brand continues to maintain its own compliance programs)
– Identify the stakeholders that need to validate compliance
– Define validation levels
– Set fines and fees

8 Resources Provided by the Council
– Security standards and supporting documents
– Frequently asked questions
– List of approved QSAs, ASVs, PA-QSAs, PED Labs
– Education and outreach programs: webinars, newsletters/bulletins
– Council appeared in almost 300 pieces of coverage globally since January
– Searchable FAQ tool for all standards-related questions
– Participating organization membership, community meetings, qualifications standards feedback
– One global voice for the industry

9 PCI SSC Standards

10 Threat Landscape
Risky behavior (source: Forrester Consulting, Sept. 2007):
– 81% store payment card numbers
– 73% store payment card expiration dates
– 53% store customer data from the magnetic stripe on the card
– 16% store other personal data
Implementing the standard is a journey… not a destination

11 The Cost of Complying
Three categories of compliance cost:
– Upgrading payment systems and security
– Verifying compliance (assessment)
– Sustaining compliance
How much does this cost your organization? For merchants with complex or older systems, it may cost millions.
Source: “PCI Compliance Cost Analysis: A Justified Expense.” A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex, Jan. 2008. [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 – 2,500 retail locations.]
The Cost of Not Complying
The same study estimated non-compliance costs significantly higher, including:
– “Crisis” cost upgrades
– Repeat assessments
– Notification costs
– Brand reputation
– Shareholder and consumer lawsuits
The cost of a breach can easily be 20 times the cost of PCI compliance.

12 Forensics Statistics
– Consumer data: payment card information (credit / debit; card-present / CNP); personal check information
– Identity-related data: name, address, email; Social Security, Social Insurance; IRS / tax return information
– Company-proprietary: financial records; HR / employee data; product strategy & roadmap; trade secrets & technology
Payment cards vs. others: > 60% payment cards
Inside jobs vs. intrusions: 17% inside; ~77% are partial insiders
Incident detection: > 75% via allegation of compromise
Findings percentages: 92% confirmed security breach; > 60% confirmed data compromise
Case commonalities: 19% SQL injection; 45% POS systems; 10% wireless infrastructure; ~50% via 3rd-party connections
Breach sources: ~13% inside U.S.
Vulnerability scanning, SQL injection cases: 71% had commercial scanning; 63% detected the SQL vulnerability; 15% in scan reports for 1 year+
Law enforcement involvement: 87% of cases

13 The Five Stages of Grief
– Denial: “It doesn’t apply to me.” PCI compliance is mandatory.
– Anger: “It isn’t fair.” PCI applies to all parties in the payment process.
– Bargaining: “I’ll do some of it.” Compliance is “pass / fail”.
– Depression: “I’ll never get there.” Many merchants already have.
– Acceptance: “It’ll be OK.” PCI doesn’t introduce any new, alien concepts.

14 The PCI Data Security Standard
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer payment data.
Payment Card Industry (PCI) Data Security Standard Version 1.2, released October 2008

15 Six Goals, Twelve Requirements – The PCI Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

16 Summary of PCI Requirements
Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks

17 Summary of PCI Requirements
Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data

18 Summary of PCI Requirements
Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security for employees and contractors

19 Self-Assessment Questionnaire (SAQ)
SAQ objectives:
– Alignment with the PCI DSS v1.2
– Based on industry feedback
– Flexibility for multiple merchant types
– Providing guidance for the intent and applicability of the underlying requirements

20 Self-Assessment Questionnaire
SAQ validation type | Description | SAQ | Length
1 | Card-not-present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A | < 11 questions
2 | Imprint-only merchants with no cardholder data storage | B | 21 questions
3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B | 21 questions
4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | C | 38 questions
5 | All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ | D | Full DSS

21 The Payment Application Data Security Standard (PA-DSS)
– Distinct from but aligned with PCI DSS
– PA-DSS is a comprehensive set of requirements designed for payment application software vendors to facilitate their customers’ PCI DSS compliance
– This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data

22 The Payment Application Data Security Standard
Fourteen requirements… protecting payment application transactions:
– Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
– Provide secure password features
– Protect stored cardholder data
– Log application activity
– Develop secure applications
– Protect wireless transmissions
– Test applications to address vulnerabilities
– Facilitate secure network implementation
– Cardholder data must never be stored on a server connected to the Internet
– Facilitate secure remote software updates
– Facilitate secure remote access to the application
– Encrypt sensitive traffic over public networks
– Encrypt all non-console administrative access
– Maintain instructional documentation and training programs for customers, resellers, and integrators

23 PIN Entry Device Requirements
Physical attributes: attributes that deter physical attacks, e.g.
– penetration of the device to determine key(s)
– planting a PIN-disclosing bug within
Logical attributes: logical security characteristics include functional capabilities that preclude:
– allowing the device to output a clear-text PIN encryption key
The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and apply to devices (attended or unattended) that accept PIN entry for all PIN-based transactions, as well as non-cardholder interface devices (hardware security modules).

24 PCI DSS Applicability Information
Data element | Storage permitted | Protection required | PCI DSS Req. 3.4
Cardholder data
– Primary Account Number (PAN) | Yes | Yes | Yes
– Cardholder Name [1] | Yes | Yes [1] | No
– Service Code [1] | Yes | Yes [1] | No
– Expiration Date [1] | Yes | Yes [1] | No
Sensitive authentication data [2]
– Full Magnetic Stripe Data [3] | No | N/A | N/A
– CAV2/CVC2/CVV2/CID | No | N/A | N/A
– PIN/PIN Block | No | N/A | N/A
[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
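The applicability table above and the first PA-DSS requirement on slide 22 (do not retain full magnetic stripe, card validation code or PIN block data) describe the same rule from two sides: sensitive authentication data must never be persisted after authorization, and a stored PAN must be rendered unreadable, with truncation being one of the methods Requirement 3.4 allows. The following pre-storage gate is an added example written for this page; it is not code from the presentation or from the PCI Security Standards Council. The field names (`pan`, `track2`, `cvv2`, …), the track-data patterns and the sample record are assumptions for illustration; the card numbers in the sample are constructed test values.

```python
"""Pre-storage gate for a payment record, modelled on the PCI DSS
applicability table: sensitive authentication data (SAD) is refused,
the PAN is truncated before persistence (one of the Req. 3.4 options),
and the remaining cardholder data passes through for storage under the
general protection requirements.  Added example; field names and the
sample record are assumptions, not taken from the standard."""
import re

# Assumed field names an application might use for SAD.  Any value under
# these keys is refused regardless of content.
SAD_FIELDS = {"track1", "track2", "magstripe", "cvv2", "cvc2", "cav2", "cid",
              "pin", "pin_block"}

# Shape of magnetic-stripe track data, so SAD hidden under some other key
# is still caught: track 1 starts '%B<PAN>^', track 2 '<PAN>=<YYMM>...'.
TRACK1_RE = re.compile(r"^%?B\d{13,19}\^")
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4}")
# A 13-19 digit run, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Luhn-valid 13-19 digit runs embedded in free text (separators stripped)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; the rest are dropped."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a well-formed PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(record: dict) -> tuple[dict, list[str]]:
    """Return (record safe to persist, list of refused fields with reasons)."""
    stored, violations = {}, []
    for key, value in record.items():
        name, text = key.lower(), str(value)
        if name in SAD_FIELDS or TRACK1_RE.match(text) or TRACK2_RE.match(text):
            violations.append(f"{key}: sensitive authentication data, must not be stored after authorization")
        elif name == "pan":
            try:
                stored[key] = truncate_pan(text)
            except ValueError as exc:
                violations.append(f"{key}: {exc}")
        elif find_pans(text):
            violations.append(f"{key}: contains a PAN outside the designated field, refused rather than stored in clear")
        else:
            stored[key] = value     # name, expiry, service code: storable, protect per footnote [1]
    return stored, violations


# Constructed sample record (well-known test card numbers, not real accounts).
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "name": "Jane Doe",
    "expiry": "1210",
    "service_code": "101",
    "track2": "4111111111111111=12101011000012345678",
    "cvv2": "123",
    "notes": "customer called about card 5555 5555 5555 4444",
}

if __name__ == "__main__":
    kept, refused = prepare_for_storage(SAMPLE_RECORD)
    print("stored:", kept)
    for reason in refused:
        print("refused:", reason)
```

Run against the sample record, the gate keeps the name, expiry and service code, stores the PAN as `411111XXXXXX1111`, and refuses the track-2 string, the CVV2 and the free-text note that carries a second card number. The last case is the one practitioners most often miss: a PAN that leaks into a notes or log field is still stored cardholder data, so the gate refuses it rather than silently persisting it in clear. A Luhn-valid run of 13 to 19 digits in an unrelated field (an order number, say) would be flagged too; that false positive is the safer failure for a pre-storage check.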

25 How To Get Involved

26 Global Participation & Representation
More than 500 organizations have been accepted:
– North America: 411
– Asia Pacific: 12
– Europe: 78
– Latin America / Caribbean: 6
– Central Europe / Middle East / Africa: 14

27 Participating Organizations Categories

28 Board Representation & Special Interest Groups
A seat at the table…
– Financial institutions
– Merchants
– Gateways
– Processors
– Service providers
– EFT networks
– Associations
– Vendors

29 Participating Organization Privileges
– Vote and run for the Participating Organization Board of Advisors
– Comment on DSS, SAQ, PED, PA-DSS and other PCI SSC documentation prior to public release
– Attend Community Meetings
– Attend webinar meetings
– Recommend new initiatives and standards
– Early updates on upcoming press releases
– Monthly bulletin from the SSC General Manager
– Coming soon: exclusive private Web site for the PO and assessor community
Reserve your seat at the table

30 Community Meeting
Participants: merchants, Approved Scanning Vendors, service providers, Qualified Security Assessors, acquirers, brands

31 Participating Organizations
Categories: Associations, Financial Institutions, POS Vendors, Processors, Merchants, Other
For a full list: www.pcisecuritystandards.org/join/participating_organizations.htm

32 Need More Information?

33 Thank You!

