Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.

Presentation transcript:


Visa Europe, Tel Aviv, 18th September 2008
Data security and your brand
How much would your brand be worth if you lost your customers' trust? Would your customers stay with you?

Your brand needs security!
Compromises happen every day, everywhere.
In the customer's view, consumers, card schemes and merchants share responsibility for protecting card data.
Yet 63% of customers view merchants as the weakest link when it comes to protecting their data.¹
¹ Source: Javelin Strategy and Research 2007

In customers' eyes we all share responsibility to prevent fraud

Merchants as the weakest link

Customer confidence seriously impacted by a data breach
In the case of a breach:
49% of customers believe merchants to be the most likely source of the data breach
3 out of 4 customers won't shop again at a compromised merchant
84% of customers want to shop at merchants who are security market leaders
Investing in PCI DSS should be part of your customer retention plans

Media and regulators are watching us
- National and European governments are showing increasing interest in the area of account information security
- The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise), already adopted in California, Minnesota and Texas
- Media are increasingly questioning industry compliance and progress

Is PCI DSS mandated for everybody?
PCI DSS is mandated for all merchants and other entities with access to card data
No access to data = no need for compliance validation
In the future, more companies may consider not handling data directly, rather than going through the cost and risk of securing it

What is it for?
Protecting customer confidence
Mitigating fraud and other losses
Protecting against reputational damage
Avoiding further regulatory control

PCI DSS part of overall Visa security
Diagram: channels (POS environment, online e-commerce, back office) and controls (Chip & PIN, Verified by Visa, PCI DSS)

DATA: What is important about 'data'?

Card data elements (diagram): card number, chip, expiry date, magnetic stripe, CVV2
The magnetic stripe is made up of "Track 1" and "Track 2" data
The card account number, plus a three-digit Card Verification Value 2 (CVV2), is indent-printed on the signature panel
Track data and CVV2 should never be stored after authorisation

You are only as safe as the least safe link in the chain
Processor, acquiring bank, Internet payment gateway, merchant, web hosting company

Data theft is:
Organised
Multi-national
Increasing in frequency
Very, very lucrative
Easy
Almost risk-free

Most companies don't help themselves
Track data and CVV2 is the 'honey pot' that hackers look for
80%+ of entities that are hacked are storing Track data and CVV2
% of companies compromised go out of business within one year

PCI DSS is good business practice
Think of it as spring cleaning! PCI DSS is an opportunity to take a fresh look at how your company works and identify any issues with people, processes and systems. This enables you to:
Check your house is in order
Discard unwanted items
Rethink your data storage business needs
Fix issues

The First Thing!
PCI DSS is mandated for all merchants and other entities who store, process and/or transmit card data
No data = no need for compliance validation
Companies have the option of investing in data security or hiring a third party to manage data on their behalf

The Second Thing!
The key to a successful compliance programme is to:
Identify stakeholders - Finance Director, Risk Committee, Information Security Officer, IT Director, Operations Director, …
Get business sponsorship - Present PCI DSS and the risk of non-compliance to the Board - Brand image is at stake

Making PCI Compliance a Reality
Visa's recommended approach is:
– Complete data flow analysis early
– Complete a comprehensive gap analysis
– Define a detailed remediation plan
How does PCI relate? (diagram): Data Flow Analysis, Gap Analysis, Remediation Plan, Compliance Validation, Implement Remediation

Scoping and Sampling
Proper scoping and thorough reviews are critical
Beware of not scoping and identifying all potential systems that may hold cardholder information; this can lead to critical and destructive hacks
The data flow mapping exercise should identify all points of storage, processing and transmission

PCI DSS Scoping
PCI DSS applies to all systems and networks that store, process and/or transmit cardholder data, and all connected systems
This includes networking equipment that transmits cardholder data (e.g. routers, switches, firewalls, wireless access points)
Encrypted cardholder data is still within scope

Quick Wins
Do not store track data or CVV2 post authorisation
Delete card data everywhere you can
Update security policy
Update templates to ensure PCI DSS is included in all new projects
Data retention policy & process
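The first two quick wins, together with the card-data slide's point that track data and CVV2 must never be stored after authorisation, need a way to find such data before it can be deleted. As an added example (not from the presentation), this Python scanner flags Track 1, Track 2 and CVV2 fields in stored records, and reports Luhn-valid PANs masked so the owner can confirm they are protected; the record lines are constructed samples.

```python
import re

# Constructed sample records (not from the presentation). A post-authorisation
# store must contain no track data and no CVV2; a PAN may remain only if protected.
SAMPLE_RECORDS = [
    "2008-09-18 10:01:02 auth ok order=1001 pan=4111111111111111 exp=1012",
    "2008-09-18 10:01:03 raw=;4111111111111111=1012101?",           # Track 2
    "2008-09-18 10:01:04 raw=%B4111111111111111^DOE/JOHN^1012101?",  # Track 1
    "2008-09-18 10:01:05 order=1002 cvv2=123 status=approved",      # CVV2
    "2008-09-18 10:01:06 order=1003 ref=4111111111111112",          # not a PAN (Luhn fails)
]

# Track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Track 1: %B PAN ^ NAME ^ YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^(\d{4})\d*\?")
# CVV2 only stands out when labelled; a bare 3-digit number is not evidence.
CVV2_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)
# Candidate PAN: a run of 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check: doubles every second digit from the right, sums, expects mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record):
    """Return (kind, masked value) findings for one stored record."""
    findings = [("track2", mask(m.group(1))) for m in TRACK2_RE.finditer(record)]
    findings += [("track1", mask(m.group(1))) for m in TRACK1_RE.finditer(record)]
    findings += [("cvv2", "***") for _ in CVV2_RE.finditer(record)]
    findings += [("pan", mask(m.group(1))) for m in PAN_RE.finditer(record)
                 if luhn_ok(m.group(1))]
    return findings


def scan_records(records):
    """Map each record that has findings to its findings; clean records are omitted."""
    return {r: f for r in records if (f := scan_record(r))}
```

Any "track1", "track2" or "cvv2" finding is a storage violation to remediate; a "pan" finding is a prompt to check that the store is in scope and the PAN is rendered unreadable.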

Advice on Payment Applications
PA-DSS is here! Released by PCI SSC on 15 April 2008
A set of comprehensive security standards for use by vendors to ensure their products assist PCI DSS compliance
Ensure new applications are PA-DSS compliant
Get the comfort of knowing you have an application which, if implemented correctly, helps you to become PCI DSS compliant
PA-DSS certified applications do not make you compliant, but they help you get there

Merchant Compliance Validation
Level 1: Processing more than 6 million Visa transactions per year, or compromised in the last year. Annual on-site security audit and quarterly network scan
Level 2: Processing 1 million to 6 million Visa transactions per year. Annual self-assessment questionnaire audit and quarterly network scan
Level 3: Processing 20,000 to 1 million Visa e-com transactions per year. Annual self-assessment questionnaire audit and quarterly network scan
Level 4: Processing up to 20,000 Visa e-com transactions per year, and all merchants processing up to 1 million Visa transactions per year. Recommended: annual self-assessment questionnaire audit and quarterly network scan

Service Provider Compliance Validation
Level 1: All VisaNet processors, payment gateways and Internet payment service providers, regardless of volumes. Annual on-site security audit and quarterly network scan
Level 2: Any service provider not in level 1 that stores, processes or transmits more than 1 million Visa accounts or transactions per year. Annual on-site security audit and quarterly network scan
Level 3: Any service provider not in level 1 that stores, processes or transmits fewer than 1 million Visa accounts or transactions per year. Annual self-assessment questionnaire audit and quarterly network scan

Compliance Management
If you do not comply:
There are levels of fines that are imposed
There are fines for data compromise
Ultimate sanction: prohibition by all brands from dealing with cards and card data

However, it is a journey
No expectation of immediate compliance
However, no open-ended deadlines to comply
Evidence of commitment to comply
Planned approach
Compliance is a 24-hour-a-day activity, not a once-a-year activity to satisfy an audit