
PCI Compliance : Whys and wherefores

Presentation on theme: "PCI Compliance : Whys and wherefores"— Presentation transcript:

1 PCI Compliance : Whys and wherefores
Colleen Medling, SLCO Library Services, March 17, 2011

2 Denials
- I am not a Qualified Security Assessor (QSA)
- I am not a lawyer
- I am a librarian (and System Administrator)
March 17, 2011 Denials SLCoLibrary.org SLCo Library Services Division

3 Who are they and what do they want?
- PCI Security Standards Council: the Payment Card Industry body whose standards and procedures were created to optimize the security of credit/debit card data.
- All five major payment brands (American Express, Discover, MasterCard, Visa and JCB) have agreed to incorporate these requirements into their data security compliance programs.
- An independent organization that develops, manages, educates about and creates awareness of the PCI Security Standards.
- Previously each brand had different, often overlapping requirements. In 2006 the council was created with all 5 major brands participating.

4 To comply or not to comply
PCI compliance is not a law (yet) BUT failure to comply can result in:
- Loss of reputation
- Loss of trust
- Significant fines
- Losing the ability to take credit card payments
Many government entities now require their organizations to comply.
Please note that even by being compliant you can STILL get hacked.

5 You the merchant: Merchant Levels
Level 1
- Criteria: merchants processing over 6 million transactions annually
- Validation requirements: annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA"); quarterly network scan by an Approved Scanning Vendor ("ASV"); Attestation of Compliance form
Level 2
- Criteria: merchants processing 1 million to 6 million transactions annually
- Validation requirements: annual Self-Assessment Questionnaire ("SAQ"); quarterly network scan by ASV
Level 3
- Criteria: merchants processing 20,000 to 1 million e-commerce transactions annually
- Validation requirements: annual SAQ
Level 4
- Criteria: merchants processing less than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually
- Validation requirements: annual SAQ recommended; quarterly network scan by ASV if applicable

6 All the SAQs
- Self-Assessment Questionnaire: a tool that allows entities to validate their compliance with the PCI Standards
- Filling out an SAQ does not necessarily make you compliant
- There are five separate levels, with increasingly complex requirements based on the number of transactions and how credit card data is held and processed
- Even if you use a PCI compliant application, YOU still need to complete an SAQ
- Any moving of paper receipts or media must be approved
- Any media must be destroyed properly

7 The A, B's
SAQ A – 13 requirements
- Only to be used for "Card Not Present" entities: e-commerce or Mail Order/Telephone Order merchants
- Does not store or transmit cardholder data over their systems
- Requirements: must restrict access to cardholder data; paper receipts must be under lock & key and destroyed properly; maintain an Information Security Policy; policies and procedures to manage service providers
SAQ B – 29 requirements
- Entities use imprint or dial-up standalone terminals
- No cardholder data is stored electronically
- Does not store or transmit cardholder data over their network or the Internet
- In addition to the SAQ A requirements: protect stored cardholder data; may not store magnetic stripe data; restrict cardholder data on a need-to-know basis

8 C's
SAQ C-VT (virtual terminals) – 51 requirements
- New type of SAQ introduced in 2010
- Used for web-based virtual terminals
- Cardholder data is manually entered; data is not read from the card directly
- Virtual terminal is provided by a third-party PCI DSS validated company
- In addition to SAQ A and SAQ B: must have a firewall; do not use vendor-supplied passwords; protect stored cardholder data; encrypt transmission of cardholder data; use anti-virus software and log results; develop and maintain secure systems
- This includes any wireless networks you may have

9 Final C and D
SAQ C – 80 requirements
- Point of Sale (POS) is connected to the Internet
- Payment application is not connected to other systems (can be done via network segmentation)
- LAN is not connected to any other location
- No sensitive cardholder data is stored electronically
- In addition to SAQ A, SAQ B and SAQ C-VT: quarterly network scans
SAQ D – 288 requirements
- All other merchants who do not fit under the previous categories
- Merchant stores cardholder data electronically
- Extremely difficult and costly to attain
- In addition to SAQ A, SAQ B and the SAQ C's: more requirements for each category

10 Getting started down the road
- Scope – determine what system components are governed by PCI DSS
- Assess – examine the current compliance level of the system components in scope
- Compensating Controls – the assessor (QSA) validates alternative control technologies or processes
- Report – the assessor and/or the entity submits the required documentation

11 You are not alone
Find a Qualified Security Assessor – QSA
- There may be one in your organization already
- List available at
A QSA:
- Offers support and suggestions
- Verifies technical information
- Evaluates compensating controls
- Samples systems involved in the scope of the work
- Produces the final report

12 Alone 2
Choose an Approved Scanning Vendor (ASV)
- Scans the network for external vulnerabilities
- List can be found at:
- SLCO uses CoalFire's Navis system

13 Tips
- Never, ever store sensitive cardholder data: magnetic stripe data or the Primary Account Number (PAN)
- If you have to store the data, get rid of it as soon as possible
- Segment your network
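The first tip is only checkable if you can find a PAN that slipped into a log, export or database dump. The following is an added example, not part of the presentation and not SLCO's tooling: it scans constructed sample log lines for 13-19 digit runs, keeps only those that pass the Luhn mod-10 check that card numbers satisfy (so ticket and transaction ids drop out), and masks any hit to first six and last four digits, the most PCI DSS permits to be displayed. The card numbers in the sample are published test numbers, not real accounts.

```python
import re

# Constructed sample records (a payment log an application should never have
# written full card numbers into). Card numbers are public test numbers.
SAMPLE_LINES = [
    "2011-03-17 10:02:11 INFO payment ok card=4111111111111111 amount=7.50",
    "2011-03-17 10:03:45 INFO refund ticket=1234567890123 amount=3.00",
    "2011-03-17 10:05:02 WARN retry card=5500 0000 0000 0004 amount=12.00",
    "2011-03-17 10:06:30 INFO receipt printed txn=20110317000099",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not glued to a longer digit run on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    digits above 9 have 9 subtracted, and the total must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (raw_match, digits_only) for each Luhn-valid candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.group(0), digits))
    return hits


def scrub_line(line: str) -> str:
    """Replace every PAN found in the line with its masked form."""
    out = line
    for raw, digits in find_pans(line):
        out = out.replace(raw, mask_pan(digits))
    return out


def scan(lines):
    """Report (line_number, masked_pan) for each PAN found; never return
    the full number, so the scanner's own output is safe to keep."""
    findings = []
    for n, line in enumerate(lines, 1):
        for _, digits in find_pans(line):
            findings.append((n, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for n, masked in scan(SAMPLE_LINES):
        print(f"line {n}: PAN found, masked form {masked}")
    for line in SAMPLE_LINES:
        print(scrub_line(line))
```

Run against the sample it flags lines 1 and 3 and ignores the ticket and transaction ids, which fail the Luhn check. The same scanner can be pointed at log directories, database exports or backup media before they leave the segmented payment network; anything it flags is data that, per the tip above, should not have been stored at all.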

14 What to do, what to do
Utahgovpay
- Would need to develop an interface to our library database
- Charges $.75 per transaction regardless of amount; 50% of our transactions are under $10.00
PayPal
- Would have to develop an interface
- Fee per transaction
- Would have to host the system internally
Comprise Technologies
- Currently used for internal credit card transactions
- Understands the specialized library protocol
- Online system required us to store cardholder data and the Primary Account Number (PAN)
- Higher level of PCI compliance required

15 Host it!
Another option – PCI compliant web-hosting facility
- Credit cardholder data would not be stored on our network
- Already PCI SAQ D compliant
- Lowers the Library's level of compliance to SAQ C
- Hosted solution is an annual subscription – NO per-transaction fee
- Beta tested new service for Comprise Technologies
- RackSpace hosting facility

16 SLCO Option

17 We host the entry form only – no cardholder data
- Rest of the application resides on RackSpace
- Over $142,000 collected since July 2010
- 79% SAQ C compliant

18 Questions?
Additional Resources
- Data Security Standard Requirements for Security Assessment Procedures
- PCI Forms – PCI Security Standards Council
- Quick Reference Guide
- CISP list of PCI DSS compliant service providers
- PCI SSC's list of Qualified Security Assessors (QSAs)
- Approved Scanning Vendors
- Navigating PCI DSS: understanding the intent of the requirements – PCI Security Standards Council
