PCI DSS Erin Carrick.

Presentation transcript:

1 PCI DSS Erin Carrick

2 What is PCI DSS?
- Payment Card Industry Data Security Standard
- Also known as: PCI Compliance

3 History
- December 2004
- Major players: Visa, MasterCard, American Express, Discover, JCB
- Each had its own security standards
- Problem: credit card fraud due to merchants' failure to secure information
- Goal: encourage companies to standardize security measures on a global scale

4 History
- Standardization of credit card data security
- Essentially a checklist of technical/operational standards
- Yearly review; Version 2.0 as of October 2010

5 Motivation
- Ideally, if all requirements are met, breaches will be practically impossible.
- Many security experts believe this to be true.
- “No compromised entity has been found to be in compliance at the time of the breach.”

6 Why do we care?
- 80% of Americans own credit cards
- 576.4 million credit cards in the U.S.
- Millions of dollars lost each year due to fraud
- Protecting personal information
- Protecting others' information

7 Overview
- PCI requirements
- Difficulties with compliance
- Controversial issues: Does compliance mean security? Is it possible to always be compliant? Is PCI just for credit card company profit?

8 PCI: A “Simple” 6-Step Security Standardization Process
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy

9 Slightly more complicated...

10 ...and even more complicated.
- Example: Step 1 – Install and Maintain Firewall
- Actually 28 steps total...

14 Steps to become Compliant
- Report on Compliance (ROC)
- Pass vulnerability scans by an Approved Scanning Vendor
- Complete Attestation of Compliance (AOC)
- Submit all paperwork to the acquirer

15 Additional Requirements
- Wireless
- Card Not Present
- Compensating Controls

16 Non-Compliance
- Too many requirements: 220+ total
- Terrifying for merchants: not always computer-savvy, and don't always understand the motivation behind steps
- Problems with scope
- Confusing requirements
- Ambiguous requirements

17 Controversial Issues
- High cost: huge burden, cost and time
- Fines even if there is no fraud loss
- Confusing requirements
- Subjective enforcement
- No validation requirement for Level 4 merchants, where most breaches occur

18 Compliance = Security
- At least Visa thinks so.
- The requirements are pretty comprehensive, so if everything went according to plan, breaches would be highly unlikely.
- PCI forces companies to think about security, even if they do not meet all requirements.
- Hannaford Bros. Co.
- Heartland Payment Systems
- Global Payments

19 100% Compliance 24-7?
- Some validations are not as thorough as others
- Card companies do not want to admit problems in their standard
- Easy to find non-compliance, if that is the goal
- Networks are ever-changing
- “PCI compliance is like a driver's license. You take and pass the test, but it doesn't mean that you're a good, safe driver all of the time.”

20 PCI for Profit: Cost of Compliance
- Upgrading payment systems: Level 1 merchants averaged $2.7 million; Level 2 merchants $1.1 million
- Verifying compliance (assessments): Level 1 merchants averaged $237,000; Level 2 merchants $135,000
- Continuing compliance

21 PCI for Profit: Cost of Non-Compliance
- Huge fines
- Cisero Ristorante and Nightclub: network “might have been compromised”
- Forensics showed no sign of breaches
- Found POS stored data in unencrypted form
- Visa estimated liability at $1.33 million
- Visa fined them $55,000; MasterCard $15,000
- $15,000 for fraudulent charges

22 PCI for Profit: Cost of Non-Compliance
- Heartland Payment Systems: much larger scale
- Agreed to: $60 million to Visa; $3.6 million to American Express
- Forensic investigation
- Reputation damage

23 Sources
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

