PCI requirements in business language What can happen with the cardholder data?


1 PCI requirements in business language What can happen with the cardholder data?

2 Partners / Media sponsors

3 Lecture contents
What is PCI DSS?
Who must comply with PCI DSS?
The PCI DSS requirements
Steps of the PCI DSS assessment
Compliance level
Incidents
Background of an incident
Typical example

4 What is PCI DSS?
Payment Card Industry Data Security Standard
Developed by: the founding payment brands
Main principles:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy

5 Who must comply with PCI DSS?
Covered: Issuer & Service Provider(s); Acquirer & Service Provider(s); Merchant & Service Provider(s)
Not covered: Cardholder

6 The PCI DSS requirements
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

7 The PCI DSS requirements
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

8 The PCI DSS requirements
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security

9 Steps of the PCI assessment
Preparation for the assessment:
- Perform penetration testing
- Perform vulnerability scanning
- Perform security awareness training
- Establish testing procedures regarding hosting providers
- Develop data retention and disposal policy and procedures
- …

10 Steps of the PCI assessment
Type of the assessment:
- Qualified Security Assessor (QSA) onsite review
- Self assessment
- Network security scan
Depends on:
- Number of transactions
- Special request from a certain payment brand

11 Compliance Level Definitions - Merchants
Compliance validation level | QSA onsite review | Self assessment | Network security scan
Level 1 - Any merchant, regardless of channel, with >6M transactions; any merchant that has suffered a hack; any merchant identified by any payment card brand as Level 1 | Required (annually) | Not required | Required (quarterly)
Level 2 - Any merchant, regardless of channel, with 1M to 6M transactions | Not required | Required (annually) | Required (quarterly)
Level 3 - 20K to 1M e-commerce transactions | Not required | Required (annually) | Required (quarterly)
Level 4 - <20,000 e-commerce transactions; <1M non-e-commerce transactions | Not required | Recommended (annually) | Recommended (annually)

12 Compliance Level Definitions - Service Providers
Compliance validation level | QSA onsite review | Self assessment | Network security scan
Level 1 - VisaNet connection; all payment gateways; TPPs and DSEs that handle data for Level 1 and 2 merchants | Required (annually) | Not required | Required (quarterly)
Level 2 - Not Level 1, with >1M transactions; DSEs that handle data for Level 3 merchants | Required (annually) for MasterCard | Required (annually) for Visa | Required (quarterly)
Level 3 - <1M transactions; all other DSEs | Not required | Required (annually) | Required (quarterly)

13 Incidents
- Heartland Payment Systems (2009)
- Hannaford Brothers and Sweetbay (2008)
- TJX (2007)
- CardSystems Solutions Inc. (2005)

14 Background of an incident
CardSystems Solutions Inc.
- Credit card processing company
- Purpose of retaining the data: "research"
- 40 million card accounts (name, bank account number)
Attack
- Breached security protocol
- Virus
- Sensitive data stored in the clear

15 Background of an incident
Data removal process
- Contractually obligated to delete
- Inappropriate data removal process
Use of the information
- Sold on a Russian website
- Affected a number of high-profile companies

16 Typical example
PCI DSS 6.1: "Ensure that all system components and software have the latest vendor-supplied security patches."

17 Typical example
- We have a Windows-based system
- We use WSUS (Windows Server Update Services), therefore all of our servers and workstations are patched
- Are we compliant?

18 Typical example
What does a client PC look like?
- Adobe Flash
- Adobe Acrobat
- JRE
- … and many more
These software versions and patches are typically not managed centrally, so WSUS alone does not satisfy requirement 6.1 for them.
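One way to make the gap above visible on a single client, as an added example that is not part of the presentation: read the installed-software entries Windows keeps under the Uninstall registry keys and flag third-party products whose version is below a minimum. The product names and minimum versions in the baseline are constructed placeholders, not vendor-published values.

```powershell
# Added example: inventory third-party software from the Windows Uninstall
# registry keys and flag versions below a baseline that WSUS does not cover.
# The baseline below is a constructed placeholder; replace each entry with
# the vendor's current patched release.
$Baseline = @{
    'Adobe Flash Player' = '10.0.0.0'
    'Adobe Reader'       = '9.1.0'
    'Java(TM)'           = '6.0.140'
}

# 64-bit hosts keep 32-bit applications under the WOW6432Node key as well.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Test-BaselineVersion {
    param([string]$Installed, [string]$Minimum)
    # Vendors do not always use parseable version strings; fall back to a
    # plain string comparison when [version] cannot parse the value.
    try   { return ([version]$Installed -ge [version]$Minimum) }
    catch { return ($Installed -ge $Minimum) }
}

$Findings = foreach ($app in Get-InstalledSoftware) {
    foreach ($name in $Baseline.Keys) {
        if ($app.DisplayName -like "$name*" -and
            -not (Test-BaselineVersion $app.DisplayVersion $Baseline[$name])) {
            [pscustomobject]@{
                Software  = $app.DisplayName
                Installed = $app.DisplayVersion
                Required  = $Baseline[$name]
            }
        }
    }
}

if ($Findings) {
    Write-Output 'Third-party software below baseline (PCI DSS 6.1 gap):'
    $Findings | Format-Table -AutoSize
} else {
    Write-Output 'All baseline-tracked third-party software meets the minimum version.'
}
```

Running this across the cardholder data environment (for example through a scheduled task that writes the findings to a central share) gives the evidence an assessor will ask for when WSUS reports are the only patch record.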

19 Typical example
ID | Description
APSB09-15 | Security Advisory for Adobe Reader and Acrobat
APSB09-10 | Security Updates available for Adobe Flash Player, Adobe Reader and Acrobat
APSA09-03 | Security Advisory for Adobe Reader, Acrobat and Flash Player
APSB09-07 | Security Updates available for Adobe Reader and Acrobat
APSB09-06 | Security Updates available for Adobe Reader and Acrobat
APSA09-02 | Buffer overflow issues in Adobe Reader and Acrobat
APSB09-04 | Security Update available for Adobe Reader and Acrobat
APSB09-03 | Security Update available for Adobe Reader 9 and Acrobat 9
APSA09-01 | Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat
Source: http://www.adobe.com/support/security/

20 Typical example
… and of course they are exploited in the wild.
Easy-to-use tools for PDF mangling:
- Metasploit
- Origami
- …

21 Typical example

25 Thank you