Utility Payment Conference

Presentation on theme: "Utility Payment Conference"— Presentation transcript:

1 Utility Payment Conference: The ABC's of PCI DSS
Eric Beschinski, Relationship Manager
& Kay Limbaugh, Specialist, Electronic Bills & Payments

2 Awareness Benefits & Consequences

3 What is PCI Compliance?
Misnomer… PCI DSS v2.0
Comprehensive security standards
QRG is 34 pages; the official document is 75 pages
PCI SSC
Standards endorsed by the card brands

4 Moving Target
Snapshot (point in time)
Requires continual monitoring
One minor change could remove the organization from compliance

5 What isn't PCI Compliance?
Not legislation
Not a "one-time deal"
Not just your processor's or POS provider's problem
Not a one-size-fits-all scenario
Different for each merchant
Different for each card brand

6 PCI DSS Overview: Goals and Requirements
Goal: Build & Maintain a Secure Network
  Requirement: Firewall
  Requirement: Change all passwords from system defaults
Goal: Protect Cardholder Data
  Requirement: Protect stored cardholder data
  Requirement: Encrypt transmission of cardholder data across open, public networks (the Internet)
Goal: Maintain a Vulnerability Management Program
  Requirement: Use updated antivirus software
  Requirement: Develop and maintain secure systems & applications

7 PCI DSS Overview: Goals and Requirements (continued)
Goal: Implement Strong Access Control Measures
  Requirement: Restrict access to cardholder data by "need-to-know"
  Requirement: Assign a unique ID to each person with computer access
  Requirement: Restrict physical access to cardholder data
Goal: Regularly Monitor & Test Networks
  Requirement: Track & monitor all access to network resources and cardholder data
  Requirement: Regularly test security systems and processes
Goal: Maintain an Information Security Policy
  Requirement: Maintain a policy that addresses information security for all personnel
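As an added example that is not part of the presentation: a small cardholder-data discovery check in Python, the kind of control that backs the "protect stored cardholder data" and "track & monitor" requirements above. It scans constructed sample log lines for candidate PANs, uses the Luhn check to discard number-like strings that are not card numbers, and masks hits to the first six and last four digits, the most PCI DSS v2.0 allows to be displayed. The log lines and card numbers are constructed (well-known test PANs), not data from the deck.

```python
import re

# Constructed sample log lines (not from the presentation). The card numbers are
# publicly known test PANs, not real accounts; line 3 is a 16-digit invoice id
# that happens to look like a PAN but fails the Luhn check.
SAMPLE_LINES = [
    "2011-08-01 10:02:13 payment ok acct=4111111111111111 amt=120.50",
    "2011-08-01 10:05:47 callrec note: customer read 5500000000000004 over the phone",
    "2011-08-01 10:07:02 invoice id=1234567890123456 status=paid",
    "2011-08-01 10:09:31 already masked 411111******1111",
]

# A PAN is 13 to 19 consecutive digits not surrounded by other digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS v2.0 display maximum)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> list:
    """Candidate digit runs that also pass Luhn."""
    return [m for m in PAN_RE.findall(line) if luhn_ok(m)]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in the line with its masked form."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(1), line)


def scan(lines) -> list:
    """Return (line number, masked PAN) for each hit, never the clear PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits
```

Running `scan(SAMPLE_LINES)` reports two hits (lines 1 and 2) and ignores the invoice id and the already-masked value; `redact_line` is the remediation step for a log that must be kept.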

8 Big Picture: Accountability, Best Practices, Consumer Safety

9 Steps Assess ↔ Remediate ↔ Report

10 You are not compliant if you don't…
Complete the SAQ annually (
Have your network scanned for vulnerabilities quarterly by an ASV (for processing via a system connected to the internet)
QSA or internal audit

11 Who really knows if you're compliant?
Only top-level management (and maybe a QSA)
NOT…
  Your processor
  Your POS provider
  Your IT company
  A sales person
  Nobody without a SAQ

12 Enforcement? Lacking
No problem until there's a problem
Like the Health Dept...
From those in authority, it's enforcement after the fact
Up to you to be proactively self-enforced to prevent a breach

13 Why be concerned?
Investigative fees
Fines
Cost to upgrade/fix the problem
Lawsuits
Blacklist
Media
Customer confidence
Very, very expensive!

14 Another Breach & Counting…
333 breaches as of 8/1 with almost 23M records affected, including Sony, Epsilon, Citigroup, Lockheed Martin
603 breaches in 2010 affecting over 12M records
Since 2005, over 2,600 breaches affecting over 535M records
Data provided by PrivacyRights.org

15 Top 10 Breaches
10. TD Ameritrade Holding Corp (2007)
9. Fidelity National Information Services/Certegy Check Services Inc. (2007)
8. Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE) (2011)
7. Bank of New York Mellon (2008)
6. Countrywide Financial Corp. (2008)
5. US Dept. of Veterans Affairs (2006)
4. CardSystems (2005)
3. US Military Veterans (2009)
2. TJ Stores (2007)
1. Heartland (2009)

16 Heartland
Certified compliant just weeks before the breach
Security breach discovered in Jan 2009 (had been in place for possibly 6 months prior)
De-certified post-breach
Hundreds of millions in fines/fees/lawsuits
Bad press

17 Turning it around
Re-certified May 2009
Proactive response
Good press
National Restaurant Association
Launched E3 May 2010
Earnings up
Stronger than ever

18 Lessons to be learned from the Heartland breach
PCI DSS is a good minimum standard but will not guarantee safety
If your company is big enough you will become a target
No security is fail-proof
Criminals are working continually to break in

19 Who is most at risk? All merchants
Level 1 & 2 (High Value)
Level 3 (High Risk)
Level 4 (High Success / Quick Return)

20 Then What Good is PCI DSS?
Ensures that you are not an EASY target (low-hanging fruit)
Common-sense security measures
Possibly some protection from fines/lawsuits
  Good faith argument
  Responsible party argument

21 Key Issues for Utility Industry
Applications:
  Business Procedures
  Software
  Recording calls
  POS
  Storing card data
  Antivirus
  Access Control
  Firewall
  Web/Payment Gateway Connection
  VOIP
Hardware:
  Encryption
  Pin Pads

22 Myths
One vendor/product will make us compliant
Outsourcing card processing will make us compliant
Compliance is an IT project
Compliance will make us secure
PCI DSS is unreasonable; it requires too much

23 Myths
PCI DSS requires us to hire a QSA
We don't take enough credit cards to require compliance
We completed a SAQ, so we're compliant
PCI DSS makes us store cardholder data
PCI DSS is too hard

24 In Conclusion Always Be Compliant!

25 Alphabet Soup
AOC – Attestation of Compliance
ASV – Approved Scanning Vendor
DSS – Data Security Standards
ISA – Internal Security Assessor
PA-DSS – Payment Application Data Security Standards
PAN – Primary Account Number
PCI – Payment Card Industry
PED – PIN Entry Device
PFI – PCI Forensic Investigator
PIN – Personal Identification Number
PTS – PIN Transaction Security (formerly PED)
QRG – Quick Reference Guide
QSA – Qualified Security Assessor
ROC – Report On Compliance
SAQ – Self Assessment Questionnaire
SSC – Security Standards Council

26 Q & A
Eric Beschinski, Relationship Manager, Heartland Payment Systems: eric.beschinski@e-hps.com
Kay Limbaugh, Specialist, Electronic Bills & Payments, Portland General Electric: Kay.Limbaugh@pgn.com
