Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA

Published byKellie Goodman Modified over 8 years ago

Similar presentations

Presentation on theme: "PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA"— Presentation transcript:

1 PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA

2 PCI DSS Program Overview
PCI Standards Council Payment Industry Terminology What Level Are We? (Levels) It’s Not Just IT !! Myths & Reality…. Why Do We Need To Focus On The DSS PGSecure Can Help (QSA, only 1800 Certified Worldwide)

3 PCI DSS Program Overview
An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis Founding Brand Members American Express Discover Financial JCB MasterCard Worldwide Visa Inc.

4 Payment Industry Terminology
Cardholder Customer purchasing goods either as a “Card Present” or “Card Not Present” transaction Receives the payment card and bills from the issuer Issuer Bank or other organization issuing a payment card on behalf of a Payment Brand Payment Brand issuing a payment card directly (Amex, Discover, JCB) Merchant Organization accepting the payment card for payment during a purchase QSAC - QSA QSA’s are only certified and Valid if working for a Qualified Security Assessor Company

5 Provide authorization, clearing and settlement services to merchants
Payment Industry Terminology Acquirer Bank or entity the merchant uses to process their payment card transactions Receive authorization request from merchant and forward to Issuer for approval Provide authorization, clearing and settlement services to merchants Determines and advises the Merchant Level (1-4) of all merchants. Acquirer is also called: Merchant Bank ISO

6 Payment Industry Terminology
The merchant will incur any liability that may result as a non compliance with payment brand compliance programs Merchant are not compliant until all requirements have been met and validated Acquirer is responsible for providing merchant status to the payment brands Acquirer is responsible for merchant compliance Ensure that their merchants understand PCI DSS Compliance requirements and track compliance efforts Manage merchant communications Merchant Levels are: Defined by the Payment Brand Determined by the Acquirer based on transaction volume of each card brand

7 Payment Industry Levels 1 to 4
Amex Discover JCB MC Visa (*) 1 2.5M > or any merchant that is deemed L1 6M > or any merchant that is deemed L1 or merchant required by other brand as level 1 1M > or any compromised merchants 6M > MasterCard or Maestro transactions or Merchants that have experienced an account data compromise or merchant required by other brand as level 1 (*) 6M > (all channels) or any merchant required by other brand as level 1 2 50K to 2.5M or any merchant that is deem L1 1 to 6M or or merchant required by other brand as level 2 <1M annually >1M < 6M MasterCard or Maestro transactions >1M < 6M Visa transactions (all channels) 3 < 50K 20K to 1M card not present or merchant required by other brand as level 3 N/A >20K combined MasterCard and Maestro e-commerce transactions <1M 20K to 1M e-commerce transactions Visa transactions annually 4 All other Discover merchants All other Merchants 20K e-commerce transactions and all other merchants processing up to 1M Visa transactions annually Canada - Mandatory signoff by a QSA for all SAQ’s

8 PCI just does not apply to us, because…
It’s Not just IT – Myths Vs. Reality ? Myth # 1 PCI just does not apply to us, because… We are to small, a small Company or Non Profit Org., only do some e-commerce or POS, we outsourced “everything”… Reality: PCI DSS DOES apply to you if you “accept, capture, store, transmit or process credit card holder data,” no exceptions! The organization must be compliant not just IT !

9 Myth : PCI is easy: just have to “say Yes” on SAQ and “get scanned”
It’s Not just IT – Myths Vs. Reality ? Myth # 2 Myth : PCI is easy: just have to “say Yes” on SAQ and “get scanned” Reality: Not exactly – you need to: A) Get a scan 4 times a year and resolve the vulnerabilities found – Need 4 clean scans per year. B)Really do the things the questions refer to – and Prove It!! C) Keep doing it – forever! D) SAQ Signoff by a Qualified Security Assessor working for a QSAC

10 Myth : My tools are PCI compliant, my network and apps are too!!
It’s Not just IT – Myths Vs. Reality ? Myth # 3 Myth : My tools are PCI compliant, my network and apps are too!! Reality: there is no such thing as “PCI compliant tools or networks: Fact – The PCI DSS applies to the organization as a whole. PCI DSS combines technical AND process, policy, management issues; awareness and practices as well. Example: An application may be compliant however this is only 1 element of the standard in overall compliancy.

11 Why do we need to focus on the PCI DSS ?

12 Why do we need to focus on the PCI DSS ?

13 Why do we need to focus on the PCI DSS ?

14 Why do we need to focus on the PCI DSS ?
Where do the attacks come from? Most come from foreign soil – very difficult to track and seek legal action against – Most of all loss of reputation is the biggest factor. “Remember the Passport incident?” - NO CHD lost however “Web attacks” compromised many peoples personal information…

15 PCI DSS It Can’t Happen To Me !!!
“Direct correlation to number of employees in a company and breach percentage.”

16 PCI DSS It Can’t Happen To Me !!!
PCI Data Breach Fines and Penalties • Stiff fines and penalties ranging from $10K - $500K per month for non-compliance • $500K fine per credit card data compromise incident if not PCI compliant • $100K fine if Visa is not immediately notified of a suspected data breach • If track data or other sensitive data elements was compromised, the merchant can be assessed the estimated cost of fraud under Visa’s ADCR Program as well as cost of card reissuance (est. $7-$20 per card) • Probable termination of credit card processing privileges for a period of time. Other: • Cost associated with brand damage and lost revenue • Forensics assessment, incident investigation and containment • Identity protection for impacted individuals (~$30 per person) • IT and security remediation and enhancements • Potential lawsuits and liability in the event that privacy data was compromised • Cost of recertification • Cost of Level 1 mandated assessments (75K or more annually) until the acquirer is satisfied to move the merchant back to the true merchant level.

17 Steps in the process… Identify the major gaps and opportunities to improve your current security posture PCI Data Security Readiness Review PCI Data Security Assessment A full Data Security Assessment performed in accordance with the PCI Data Security Standard and Audit Procedures Provide consulting services to help client understand the intent of each requirement in the Self Assessment Questionnaire SAQ Consulting Signoff A consolidation and remediation of gaps found in your cardholder information processing environment after a PCI Security Assessment. PCI Data Security Remediation Service

18 PCI DSS V1.2

19 Why Us ? We have extensive experience working with government and large Canadian cities. (Nomination for Gov of Alberta Award of Excellence) We have local based QSA’s out of the 1800 certified worldwide. We have local based PA-QSA’s out of 350 certified worldwide. We are focused only on Security, Compliance and forensics.

20 Questions ? Paul Grégoire, QSA, PA-QSA
PCI DSS V1.2 Questions ? Paul Grégoire, QSA, PA-QSA Senior Security Architect | Compliance Phone:

21 PCI DSS V1.2 SAQ Definitions

Download ppt "PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,

Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,
ISACA January 8, 2013. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
National Bank of Dominica Ltd. 2011 Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.

National Bank of Dominica Ltd Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
This refresher course will:

This refresher course will:
ETA UNIVERSITY MARCH 19, 2015 Deana Rich R ICH C ONSULTING, I NC. Edward A. Marshall A RNALL G OLDEN G REGORY LLP Payments 101: Overview of the Payments.

ETA UNIVERSITY MARCH 19, 2015 Deana Rich R ICH C ONSULTING, I NC. Edward A. Marshall A RNALL G OLDEN G REGORY LLP Payments 101: Overview of the Payments.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
University of Utah Financial and Business Services

University of Utah Financial and Business Services
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.

1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

Similar presentations

Ads by Google