PCI DSS Erin Carrick.

Presentation transcript:

What is PCI DSS?
- Payment Card Industry Data Security Standard
- Also known as: PCI Compliance

History
- December 2004
- Major players: Visa, MasterCard, American Express, Discover, JCB
- Each had its own security standards
- Problem: credit card fraud due to merchants' failure to secure information
- Goal: encourage companies to standardize security measures on a global scale

History
- Standardization of credit card data security
- Essentially a checklist of technical/operational standards
- Yearly review; Version 2.0 as of October 2010
- http://www.youtube.com/watch?v=1boEXDVkKjU&feature=relmfu

Motivation
- Ideally, if all requirements are met, breaches will be practically impossible.
- Many security experts believe this to be true.
- "No compromised entity has been found to be in compliance at the time of the breach."

Why do we care?
- 80% of Americans own credit cards
- 576.4 million credit cards in the U.S.
- Millions of dollars lost each year due to fraud
- Protecting personal information
- Protecting others' information

Overview
- PCI requirements
- Difficulties with compliance
- Controversial issues:
  - Does compliance mean security?
  - Is it possible to always be compliant?
  - Is PCI just for credit card company profit?

PCI: A "Simple" 6-Step Security Standardization Process
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

Slightly more complicated...

...and even more complicated.
- Example: Step 1 – Install and maintain a firewall
- Actually 28 steps total...

Steps to become Compliant
- Report on Compliance (ROC)
- Pass vulnerability scans by an Approved Scanning Vendor
- Complete Attestation of Compliance (AOC)
- Submit all paperwork to the acquirer

Additional Requirements
- Wireless
- Card not present
- Compensating controls

Non-Compliance
- Too many requirements: 220+ total
- Terrifying for merchants:
  - Not always computer-savvy
  - Don't always understand the motivation behind steps
- Problems with scope
- Confusing requirements
- Ambiguous requirements

Controversial Issues
- High cost: huge burden, cost and time
- Fines even if there is no fraud loss
- Confusing requirements
- Subjective enforcement
- No validation requirement for Level 4 merchants, where most breaches occur

Compliance = Security
- At least Visa thinks so.
- The requirements are pretty comprehensive, so if everything went according to plan, breaches would be highly unlikely.
- PCI forces companies to think about security, even if they do not meet all requirements.
- Hannaford Bros. Co.
- Heartland Payment Systems
- Global Payments

100% Compliance 24-7?
- Some validations are not as thorough as others
- Card companies do not want to admit problems in their standard
- Easy to find non-compliance, if that is the goal
- Networks are ever-changing
- "PCI compliance is like a driver's license. You take and pass the test, but it doesn't mean that you're a good, safe driver all of the time."

PCI for Profit: Cost of Compliance
- Upgrading payment systems: Level 1 merchants averaged $2.7 million; Level 2 merchants $1.1 million
- Verifying compliance (assessments): Level 1 merchants averaged $237,000; Level 2 merchants $135,000
- Continuing compliance

PCI for Profit: Cost of Non-Compliance
- Huge fines
- Cisero Ristorante and Nightclub:
  - Network "might have been compromised"
  - Forensics showed no sign of breaches
  - Found POS stored data in unencrypted form
  - Visa estimated liability $1.33 million
  - Visa fined them $55,000; MasterCard $15,000
  - $15,000 for fraudulent charges

PCI for Profit: Cost of Non-Compliance
- Heartland Payment Systems: much larger scale
- Agreed to: $60 million – Visa; $3.6 million – American Express
- Forensic investigation
- Reputation damage

Sources
- https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
- http://www.creditcards.com/credit-card-news/how-a-credit-card-is-processed-1275.php
- http://www.creditloan.com/infographics/the-american-credit-card-craze/
- http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
- http://www.wired.com/threatlevel/2012/01/pci-lawsuit
- http://pciguru.wordpress.com/2011/12/04/what-is-in-scope/
- http://www.cso.com.au/article/296278/visa_post-breach_criticism_misplaced/?pp=2#closeme
- http://www.bankinfosecurity.com/blogs.php?postID=492
- http://www.computerworld.com/s/article/9130901/PCI_security_standard_gets_ripped_at_House_hearing?intsrc=news_ts_head
- http://www.computerworld.com/s/article/9078059/Q_A_Head_of_PCI_council_sees_security_standard_as_solid_despite_breaches?taxonomyId=17&pageNumber=2