Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.


1 Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden

2 Visa Europe, Tel Aviv, 18th September 2008
Data security and your brand
- How much would your brand be worth if you lost your customers' trust?
- Would your customers stay with you?

3 Your brand needs security!
- Compromises happen every day, everywhere
- In the customer's view, consumers, card schemes and merchants share responsibility for protecting card data
- Yet 63% of customers view merchants as the weakest link when it comes to protecting their data¹
¹ Source: Javelin Strategy and Research, 2007

4 In customers' eyes we all share responsibility to prevent fraud

5 Merchants as the weakest link

6 Customer confidence seriously impacted by a data breach
In the case of a breach:
- 49% of customers believe merchants to be the most likely source of the data breach
- 3 out of 4 customers won't shop again at a compromised merchant
- 84% of customers want to shop at merchants who are security market leaders
Investing in PCI DSS should be part of your customer retention plans

7 Media and regulators are watching us…
- National and European governments are showing increasing interest in the area of account information security
- The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise), already adopted in California, Minnesota and Texas
- Media are increasingly questioning industry compliance and progress…

8 Is PCI DSS mandated for everybody?
- PCI DSS is mandated for all merchants and other entities with access to card data
- No access to data = no need for compliance validation
- In the future, more companies may consider not handling card data directly, rather than bearing the cost and risk of securing it

9 What is it for?
- Protecting customer confidence
- Mitigating fraud and other losses
- Protecting against reputational damage
- Avoiding further regulatory control

10 PCI DSS part of overall Visa security
[Diagram: POS environment - Chip & PIN; online e-commerce - Verified by Visa; back office - PCI DSS]

11 DATA: What is important about 'data'?

12 [Diagram: a Visa card with callouts for Card number, Chip, Expiry date, Magnetic stripe and CVV2]
- The magnetic stripe is made up of "Track 1" and "Track 2" data
- Card Verification Value 2 (CVV2) is the three-digit value indent-printed on the signature panel after the card account number
- Track data and CVV2 should never be stored after authorisation

13 You are only as safe as the least safe link in the chain
- Processor
- Acquiring bank
- Internet payment gateway
- Merchant
- Web hosting company

14 Data theft is…
- Organised
- Multi-national
- Increasing in frequency
- Very, very lucrative
- Easy
- Almost risk-free

15 Most companies don't help themselves
- Track data and CVV2 are the 'honey pot' that hackers look for
- 80%+ of entities that are hacked are storing track data and CVV2
- 70-80% of companies compromised go out of business within one year

16 PCI DSS is good business practice
Think of it as spring cleaning! PCI DSS is an opportunity to take a fresh look at how your company works and identify any issues with people, processes and systems. This enables you to:
- Check your house is in order
- Discard unwanted items
- Rethink your data storage business needs
- Fix issues

17 The first thing!
- PCI DSS is mandated for all merchants and other entities that store, process and/or transmit card data
- No data = no need for compliance validation
- Companies have the option of investing in data security or hiring a third party to manage card data on their behalf

18 The second thing!
The key to a successful compliance programme is to:
- Identify stakeholders: Finance Director, Risk Committee, Information Security Officer, IT Director, Operations Director, …
- Get business sponsorship: present PCI DSS and the risk of non-compliance to the Board; brand image is at stake

19 Making PCI compliance a reality
Visa's recommended approach is:
- Complete data flow analysis early
- Complete a comprehensive gap analysis
- Define a detailed remediation plan
How does PCI relate? [Diagram: Data Flow Analysis → Gap Analysis → Remediation Plan → Implement Remediation → Compliance Validation]

20 Scoping and sampling
- Proper scoping and thorough reviews are critical
- Beware of not scoping and identifying all potential systems that may hold cardholder information; this can lead to critical and destructive hacks
- The data flow mapping exercise should identify all points of storage, processing and transmission

21 PCI DSS scoping
- PCI DSS applies to all systems and networks that store, process and/or transmit cardholder data, and all connected systems
- This includes networking equipment that transmits cardholder data (e.g. routers, switches, firewalls, wireless access points)
- Encrypted cardholder data is still within scope

22 Quick wins
- Do not store track data or CVV2 post-authorisation
- Delete card data everywhere you can
- Update your security policy
- Update project templates to ensure PCI DSS is included in all new projects
- Put a data retention policy and process in place
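The data flow mapping on slides 20 and 21 and the first two quick wins on slide 22 both come down to one practical question: where does cardholder data actually sit on your systems, and what of it may remain after authorisation? The following Python script is an added example and is not part of the Visa Europe presentation. It scans text (a log file, a database export, a mailbox dump) for PANs, Track 1, Track 2 and labelled CVV2 values, uses the Luhn check to discard digit runs that only look like card numbers, and shows what a post-authorisation record should be reduced to. The four log lines are constructed for this example; the field names (`pan`, `cvv2`, `track2`, `auth_code`) are assumptions, not any particular application's format.

```python
import re

# Constructed sample: four log lines a merchant application might write.
# Line 1 keeps CVV2 after authorisation, lines 2 and 3 keep full track data,
# line 4 holds a 16-digit order number that only looks like a card number.
SAMPLE_LOG = (
    "2008-09-18 10:01:02 auth ok pan=4111111111111111 exp=1012 cvv2=123\n"
    "2008-09-18 10:01:03 swipe %B4111111111111111^DOE/JOHN^1012101?\n"
    "2008-09-18 10:01:04 swipe ;4111111111111111=1012101?\n"
    "2008-09-18 10:02:00 order 1234567890123456 shipped\n"
)

# Patterns for the data elements named on slide 12. Track 1 starts with the
# format code B, then PAN, name and expiry separated by '^'; Track 2 is PAN,
# '=', expiry. CVV2 is matched only as a labelled field, since three bare
# digits carry no signal on their own.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
CVV2_RE = re.compile(r"\bcvv2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every Visa PAN satisfies; filters out most random
    digit runs such as order or invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(text: str) -> list:
    """Scan text and return (line_no, kind, masked_pan) findings.
    Track data and CVV2 are flagged separately from plain PANs because
    keeping them after authorisation is the finding that matters most."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append((line_no, "track1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append((line_no, "track2", mask_pan(m.group(1))))
        for _ in CVV2_RE.finditer(line):
            findings.append((line_no, "cvv2", ""))
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((line_no, "pan", mask_pan(m.group(1))))
    return findings


# Sensitive authentication data: never to be stored after authorisation.
SENSITIVE_AUTH_DATA = ("cvv2", "track1", "track2", "pin", "pin_block")


def sanitise_auth_record(record: dict) -> dict:
    """Reduce a post-authorisation record to what may be kept: drop all
    sensitive authentication data and truncate the PAN to its last four
    digits (truncation is one of the standard's accepted ways of rendering
    a stored PAN unreadable). Field names are assumed for this example."""
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_DATA}
    if "pan" in kept:
        kept["pan_last4"] = kept.pop("pan")[-4:]
    return kept


if __name__ == "__main__":
    for finding in find_cardholder_data(SAMPLE_LOG):
        print(finding)
    auth = {"pan": "4111111111111111", "exp": "1012", "cvv2": "123",
            "track2": ";4111111111111111=1012101?",
            "amount": "19.99", "auth_code": "A1B2C3"}
    print(sanitise_auth_record(auth))
```

Run it against real exports with `find_cardholder_data(open(path).read())`; the scan only reports masked PANs so its own output does not become another place card data is stored. Two caveats: the Luhn check removes most false positives but not all, so findings still need a human look, and the patterns cover plaintext only, which is exactly why slide 21 keeps encrypted cardholder data in scope: a scanner cannot see it, but the standard still does.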

23 Advice on payment applications
- PA-DSS is here! Released by the PCI SSC on 15 April 2008
- A comprehensive set of security standards for use by vendors to ensure their products assist PCI DSS compliance
- Ensure new applications are PA-DSS compliant
- Get the comfort of knowing you have an application which, if implemented correctly, helps you to become PCI DSS compliant
- PA-DSS certified applications do not make you compliant, but they help you get there

24 Merchant compliance validation
1. Processing more than 6 million Visa transactions per year, or compromised in the last year: annual on-site security audit and quarterly network scan
2. Processing 1 million to 6 million Visa transactions per year: annual self-assessment questionnaire and quarterly network scan
3. Processing 20,000 to 1 million Visa e-commerce transactions per year: annual self-assessment questionnaire and quarterly network scan
4. Processing up to 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year: annual self-assessment questionnaire and quarterly network scan recommended

25 Service provider compliance validation
1. All VisaNet processors, payment gateways and Internet payment service providers, regardless of volume: annual on-site security audit and quarterly network scan
2. Any service provider not in level 1 that stores, processes or transmits more than 1 million Visa accounts or transactions per year: annual on-site security audit and quarterly network scan
3. Any service provider not in level 1 that stores, processes or transmits fewer than 1 million Visa accounts or transactions per year: annual self-assessment questionnaire and quarterly network scan

26 Compliance management
If you do not comply:
- There are levels of fines that are imposed
- There are fines for data compromise
- Ultimate sanction: prohibition by all brands from dealing with cards and card data

27 However, it is a journey…
- No expectation of immediate compliance
- However, no open-ended deadlines to comply
- Evidence of commitment to comply
- Planned approach
- Compliance is a 24-hour-a-day activity, not a once-a-year activity to satisfy an audit
