
BUSINESS CLARITY ™ PCI – The Pathway to Compliance.

Presentation transcript:

1 BUSINESS CLARITY ™ PCI – The Pathway to Compliance

2 BUSINESS CLARITY ™ Proprietary and Confidential – Do Not Distribute

Agenda
• What is PCI?
• Why PCI is Different From Everything Else
• Who Must Comply With PCI?
• Costs of a Data Breach
• How Do We Become Compliant?
• Tools to Help Get You There

3 What is PCI?

The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card. The PCI standards are divided into six categories:
• Maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an Information Security Policy

4 What is PCI? (cont.)

There are four PCI merchant levels, based on the number of transactions processed per year:
• Level 1 merchants process over 6 million transactions
• Level 2 merchants process between 1 million and 6 million
• Level 3 merchants process between 20,000 and 1 million
• Level 4 merchants process less than 20,000

Compliance validation requirements vary based on a business’s merchant level, with Level 1 requiring a Report on Compliance by a Qualified Security Assessor, and all other levels completing a Self-Assessment Questionnaire. Level 2 and 3 merchants also require quarterly network scans by an Approved Scan Vendor and a completed Attestation of Compliance form.

5 Why is PCI Different From Everything Else?

PCI is not risk-based like SOX; it is a prescriptive approach to security
• PCI requires security patches to be applied every 30 days, whereas SOX lets the company determine how frequently to patch
• PCI does not leave much wiggle room for companies

PCI does not accommodate risk acceptance
• All security deficiencies must be addressed and remedied
• Management cannot decide that a low or medium level of risk is acceptable to the company

PCI does not recognize compensating controls
• In risk-based security, strengths in one area can make up for low-level deficiencies in others; this is not the case with PCI

6 Who Must Comply With PCI?

All members of the payment card industry (financial institutions, credit card companies, and merchants) must comply with these standards if they want to accept credit cards. Failure to meet the standards can result in fines from banks and credit card companies, and the loss of credit card processing privileges.

7 What Could a Data Breach Cost Us?

Largest consumer credit card data theft: TJ Maxx lost over 45 million customer credit card records. The company had to set aside $250,000,000 to cover losses, but researchers have determined that it could be on the hook for over $1 billion.
• All it took was a laptop and a directional antenna, and thieves were able to crack the security on the WiFi at a single store. From there, they were able to get enough data to compromise the central customer database.

Hannaford, a grocery chain, had data on 4.2 million credit card accounts stolen by malware that the attackers installed on more than 300 company servers in at least six states.
• Within 3 weeks of reporting the breach, over 1,800 cases of fraud had been linked to the data theft, averaging exposure of over $100k per case.
• In addition, 2 class action lawsuits are pending against the company. Damages in class action suits are not limited.

8 How Do We Get Compliant?

• Determine the security validation requirements based on your merchant level
• Determine what types of credit card information you capture and how long it is kept, and compare this to actual business needs
• Make certain you have a very technical, security-focused auditor on your PCI compliance team
  – A CPA or non-technical IT auditor will typically find PCI compliance difficult, because of the extremely technical requirements
• Walk through the Self-Assessment Questionnaire fearlessly and with eyes wide open
• Get top-level management/Board of Directors on board from the outset, to ensure funding and support for the compliance initiative

9 Tools To Help You Get There: The PCI Compliance Checklist

10 Our Blue-Chip Customer Base

11 Thank You

www.forwardhindsight.com

