1 Payment Card Industry (PCI)
Cary Lynch – Engagement Manager
11/18/2018

2 My Role
Cary Lynch – West Engagement Manager (Security Services)
- Engagement management of PCI projects in the region
- Facilitation of merchant / acquirer bank communication throughout the remediation effort
- Certified QSA to conduct PCI assessments

3 Agenda – PCI and Limited Budgets
- IBM ISS overview
- PCI overview
- PCI history
- PCI assessment criteria
- Consequences of no action
- The reality of limited budgets
- Where to start? What to do?
- How to stay compliant

4 The reality of limited budgets
- PCI compliance does not equal good information security
- Good information security can lead to PCI compliance
- Becoming PCI compliant (or staying PCI compliant) requires a budget, but…
- There are ways to become (or stay) PCI compliant without breaking the bank
So, the question becomes…
- What to do with a limited budget?
- Where to start on a limited budget?

5 PCI History
- Visa first developed the Cardholder Information Security Program (CISP)
- MasterCard and others started to develop separate criteria, all slight variations of each other
- In 04/05, Visa and MasterCard formally agreed to combine efforts and created the Payment Card Industry (PCI) assessment criteria, combining:
  - Visa's heavy policy emphasis
  - MasterCard's technical scanning requirements
- In 09/06, all payment card providers joined forces to establish the PCI Security Standards Council (PCI SSC). Founders include: American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
- Several releases of the PCI Data Security Standard; PCI DSS v1.2 released Oct. 2008

6 What is the PCI DSS?
An information security standard that includes:
- Objectives
- Requirements
- Controls
Created to assist organizations in protecting cardholder data.

7 PCI Requirements – The "Digital Dozen"
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data sent across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by "need to know"
8. Assign a unique ID to each person with access
9. Restrict physical access to information
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Implement an information security policy

8 Who is required to be PCI compliant?
Any merchant or service provider that stores, processes, or transmits cardholder data!

9 When are you required to be PCI compliant?
The initial PCI compliance deadlines for merchants and service providers have passed.

10 Merchant Criteria – Risk-Prioritized Validation
Level and annual transaction volume:
- Level 1: 6 million or more; also any merchant that has suffered an attack
- Level 2: 1 million to 6 million
- Level 3: 20,000 to 1 million transactions
- Level 4: all other merchants
Source: Visa

11 Compliance Requirements for Merchants
Level 1
- Validation action: annual on-site audit (Report on Compliance); scope: any systems storing, processing, or transmitting Visa cardholder data; validated by: independent assessor, or internal audit if signed by an officer of the company
- Validation action: quarterly network scan; scope: Internet-facing perimeter systems; validated by: Approved Scan Vendor
Levels 2 and 3
- Validation action: annual PCI Self-Assessment Questionnaire; validated by: the merchant
Level 4
- Annual PCI Self-Assessment Questionnaire recommended
- Quarterly network scan recommended
Source: Visa

12 Service Provider Criteria – Risk-Prioritized Validation
Validation priority and annual transaction volume:
- Level 1: all VisaNet processors (member and non-member); all payment gateways; any service provider that stores, processes, or transmits over 300,000 transactions annually
- Level 2: service providers not in Level 1 that store, process, or transmit fewer than 300,000 transactions annually
Source: Visa

13 Compliance Requirements for Service Providers
Level 1
- Validation action: annual on-site security audit; scope: any systems storing, processing, or transmitting Visa cardholder data; validated by: Qualified Independent Security Assessor
- Validation action: quarterly network scan; scope: Internet-facing perimeter systems; validated by: Approved Scan Vendor
- Included on Visa Inc's List of PCI DSS Compliant Service Providers
Level 2
- Not included on Visa Inc's List of PCI DSS Compliant Service Providers
Source: Visa

14 PCI Process
To be an approved 3rd-party PCI assessor:
- Participate in PCI training (and pass the exam)
- Obtain CPE credits on a 3-year cycle
- Individual background checks
- Both the organization and the individual must be certified:
  - Qualified Security Assessor Company (QSAC)
  - Approved Scan Vendor (ASV)
  - Qualified Security Assessor (QSA)
  - Qualified Payment Application Security Professional (PA-DSS); must also already be a QSAC
- All assessors must follow the Data Security Standard (DSS) and generate an approved Report on Compliance (ROC) to meet documentation requirements
- All quarterly scanning must utilize the same software and an approved PCI scan policy

15 Consequences of NO Action
- Acquirers may be levied fines of $5000-$100,000 a month for non-compliance; this may be passed down to you
- Increased transaction fees
- Potential termination of the relationship
- Ultimately up to your acquiring bank's discretion…

16 PCI non-compliance and a breach (or suspicion of a breach)
- Brand name damage should a breach occur
- Loss of existing and new customers
- Potential forensic analysis costs
- Cost of dealing with a breach: detection, notification, follow-up

17 Cost of a Breach
Source: Ponemon Institute

18 The reality of limited budgets (slide 4 revisited)
- PCI compliance does not equal good information security
- Good information security can lead to PCI compliance
- Becoming PCI compliant (or staying PCI compliant) requires a budget, but…
- There are ways to become (or stay) PCI compliant without breaking the bank
So, the question becomes…
- What to do with a limited budget?
- Where to start on a limited budget?

19 What we typically see out there…
Common findings:
- Lack of network segmentation
- Lack of knowledge of where all the data is at rest
- Lack of encryption for data at rest
- Storing too much data
- Lack of encryption for e-mail and messaging
- Lack of segregation of duties
- Back-end operations networks breaking the isolation of PCI networks from other networks
- Too many firewall rules with no business justification
- Generic IDs and shared IDs
- Insufficient documented policies and procedures

20 PCI – Where to start on a limited budget?
- Identify where PCI data is stored, processed, and transmitted
- Map your data flow
- Determine who has access to PCI data and systems
- Evaluate your processes
- Document your processes (policy, procedures)
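The first step above, finding where cardholder data actually sits, is usually a discovery job over logs, exports and file shares. As an added example that is not part of the deck, the script below scans text for primary account numbers, keeps only Luhn-valid candidates to cut false positives, and reports each location with the PAN truncated to first six and last four digits so the report itself holds no full card numbers; the log content is constructed.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: rejects most random digit runs such as IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four digits so the finding can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str) -> List[Tuple[str, int, str]]:
    """Return (source, line number, masked PAN) for every Luhn-valid candidate in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append((source, line_no, mask_pan(digits)))
    return hits


# Constructed sample: two well-known test card numbers (Luhn-valid), one number with a
# bad check digit, and a phone number that is the right length but fails Luhn.
SAMPLE_LOG = """2018-11-18 order=1001 card=4111111111111111 amount=19.99
customer note: card on file 5555 5555 5555 4444
failed capture, card=4111111111111112
support line 18005551234567 (not a card)
"""

if __name__ == "__main__":
    for src, line_no, pan in find_pans(SAMPLE_LOG, "constructed.log"):
        print(f"{src}:{line_no}: {pan}")
```

Run over the constructed log it reports only lines 1 and 2; the same routine can be pointed at database exports or share listings to build the data-flow map the next step asks for.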

21 PCI – What to do with a limited budget?
- Reduce your PCI in-scope environment
  - Segmentation
  - Stop/modify unnecessary processes; ask yourself, is this necessary and required?
  - Limit data retention to only what is necessary; do not store what you do not need
  - Only allow access to those who require it
- Ask an expert
- Consider compensating controls
- Document your standards
- Prioritize your approach

22 Phase 1: Reduce your PCI in-scope environment
- Stop/modify unnecessary processes; ask yourself, is this necessary and required?
- Limit data retention to only what is necessary; do not store what you do not need

23 Phase 2: Reduce your PCI in-scope environment through segmentation
- Segmentation
- Stop/modify unnecessary processes; ask yourself, is this necessary and required?

24 Phase 3: Reduce your PCI in-scope environment through segmentation
- Segmentation
- Stop/modify unnecessary processes; ask yourself, is this necessary and required?

25 Phase 4: Reduce your PCI in-scope environment
- Stop/modify unnecessary processes; ask yourself, is this necessary and required?
- Only allow access to those who require it

26 Phase 5: Reduce your PCI in-scope environment
- Stop/modify unnecessary processes; ask yourself, is this necessary and required?
- Limit data retention to only what is necessary; do not store what you do not need
- Only allow access to those who require it

27 Phase 6: Reduce your PCI in-scope environment
- Stop/modify unnecessary processes; ask yourself, is this necessary and required?
- Limit data retention to only what is necessary; do not store what you do not need
- Only allow access to those who require it
- Ask the expert

28 Prioritize your approach

29 Compensating Controls – What are they?
Used when an entity cannot meet a requirement explicitly due to LEGITIMATE technical or documented business constraints. A compensating control must:
- Meet the intent and rigor of the original requirement
- Sufficiently offset the risk that the original requirement was designed to defend against
- Be above and beyond other PCI requirements
- Be commensurate with the additional risk imposed by not adhering to the original PCI requirement
Compensating controls are typically valid for 1 year.
Source: PCI SSC

30 Compensating Controls – Example
An FTP server has been utilized for transferring data including cardholder information. The customer could not implement a secure form of transfer prior to the compliance deadline due to documented business constraints. Compensating controls applied:
- Install the latest, most up-to-date version of the FTP daemon on the FTP server.
- Lock down all directories so that only authorized users can access their own directories and no one else's.
- Disable anonymous access.
- Enable audit logging to a file in /var/log that records who transferred what and when.
- Enable disk quotas at 4GB, so that someone with malicious intent cannot fill up the disk with extraneous data.
- Lock down network access to the FTP server(s) to specific IP addresses.
- Enable a strong password policy for each user ID that has access to the FTP server.
- Enable account lockout after 5 failed attempts; the lockout persists until an administrator unlocks the account.
- Encrypt any sensitive cardholder data that may be resident on the FTP server(s).
- Enable TCP wrappers to more closely monitor access.
- Require the FTP server to display a warning banner.
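A compensating control is only worth the paper it is written on if someone can re-verify it during the year it is valid. As an added example that is not from the deck, the script below checks a vsftpd-style configuration against the items on this slide that the FTP daemon itself controls (anonymous access, directory confinement, audit logging under /var/log, TCP wrappers, warning banner); the choice of vsftpd is an assumption and both configuration files are constructed. The remaining items (disk quotas, account lockout, password policy, source-IP restriction, encryption of stored data) live at the OS or network layer and need their own checks.

```python
from typing import Dict, List

# Assumption: the daemon is vsftpd; the directive names below are real vsftpd options.
# Each rule: (item from the compensating control, directive, predicate on its value).
RULES = [
    ("Disable anonymous access", "anonymous_enable", lambda v: v.upper() == "NO"),
    ("Confine users to their own directories", "chroot_local_user", lambda v: v.upper() == "YES"),
    ("Audit logging of transfers enabled", "xferlog_enable", lambda v: v.upper() == "YES"),
    ("Audit log written under /var/log", "xferlog_file", lambda v: v.startswith("/var/log/")),
    ("TCP wrappers enabled", "tcp_wrappers", lambda v: v.upper() == "YES"),
    ("Warning banner displayed", "ftpd_banner", lambda v: v != ""),
]

def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and lines starting with '#' are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def missing_controls(conf: Dict[str, str]) -> List[str]:
    """Items of the control that this configuration does not evidence. An absent directive
    counts as missing: vsftpd's defaults (anonymous_enable=YES, xferlog_enable=NO,
    tcp_wrappers=NO, chroot_local_user=NO) are not the hardened values."""
    return [control for control, key, ok in RULES if key not in conf or not ok(conf[key])]

# Constructed example: out-of-the-box configuration (anonymous access on, no logging).
WEAK_CONF = """anonymous_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed example: the same server after the daemon-level items of the control.
HARDENED_CONF = """anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
tcp_wrappers=YES
ftpd_banner=Authorized use only. All transfers are logged.
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "missing:", missing_controls(parse_config(text)) or "none")
```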

31 How to stay PCI compliant
- PCI compliance is required
- Executive sponsorship/buy-in
- Evaluate any new business process to see how it will affect your PCI compliance status/PCI environment: is it necessary/required? What is the impact?
- Continue PCI processes: penetration testing, network scans, internally developed processes
- Consider PCI a lifecycle process, not a last-minute requirement

32 Questions? Thank You!