Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

1 Evolving Challenges of PCI Compliance
Charlie Wood, PCI QSA, CRISC, CISA
Principal, The Bonadio Group
January 10, 2014

2 Agenda
What is PCI?
Evolution of PCI
What is PCI DSS?
Compliance
What does this mean to me?
Recent Breach of Target
Q & A

3 What is PCI?
The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder data do so in a secure environment.
The PCI Security Standards Council

4 Evolution of PCI
PCI Security Standards Council was founded in 2006 by the major card brands:
Visa
MasterCard
Amex
Discover
JCB
Each card brand has input into the guidance provided by the Council.

5 What is PCI? (cont.)
A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to:
Credit
Debit
HSA
FSA
Payroll

6 Evolution of PCI (cont.)
The PCI Security Standards Council is responsible for the oversight of the PCI Standards, which include guidance relative to the following:
PCI DSS
PA-DSS
P2PE
PTS

7 What is PCI DSS?
Core set of best security practices
Set of 12 requirements broken down into 6 categories, as follows:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Monitor and test networks
6. Maintain an information security policy

8 What is PCI DSS? (cont.)
PCI DSS can include the following, depending on the organization:
PA-DSS
P2PE
PTS

9 Common PCI Myths
We don't take enough cards to necessitate compliance
We outsource card processing, so we are compliant
PCI is an IT issue
PCI is unreasonable / difficult
PCI compliance makes us secure
We aren't a target

10 Compliance
Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure
Compliance is based on Level and Type
Level is based on the number of transactions performed in a 12-month period
Type is defined by how your organization takes credit cards

11 Compliance (cont.)
Levels are based on the number of transactions. Visa defines them as follows:
Level 1: Organizations with over 6M Visa transactions per year, OR any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa
Level 2: Organizations with 1M to 6M Visa transactions per year
Level 3: Organizations with 20,000 to 1M Visa e-commerce transactions per year
Level 4: Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year

12 Compliance (cont.)
Types are defined by how your organization takes credit cards and are broken down as follows:
Type A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants
Type B: Imprint-only merchants with no cardholder data storage, OR stand-alone dial-up terminal merchants, no cardholder data storage
Type C: Merchants with payment application systems connected to the Internet, no cardholder data storage
Type C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage
Type D: All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ

13 What does this mean to me?
Based on the volume of transactions, organizations would be required to perform the following (Visa):
Level 1: Annual Report on Compliance (ROC) to be completed by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form
Level 2: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form
Level 3: Annual SAQ; quarterly network scan by ASV; Attestation of Compliance form
Level 4: Annual SAQ recommended; quarterly network scan by ASV; compliance validation requirements set by merchant bank

14 What does this mean to me? (cont.)
In English: depending on what Type of organization you are, you will have to address anywhere from 15 to 200+ controls
Cost:
Hardware
Software
Internal resources
External resources

15 Recent Breach of Target
What happened:
Lost ~40 million credit and debit cards
Theft period: November 27 to December 15
Malware on point-of-sale terminals
Not detected until December 15

16 Recent Breach of Target (cont.)
Common Questions
1. How could this happen?
2. Was Target PCI compliant?
3. How do I know if I was affected?
Costs?
Credit score monitoring
Fines, sanctions and lawsuits
Reputational damage

17 Q & A
Questions?
cwood@bonadio.com
(585) 249-2757
