SlideShare une entreprise Scribd logo

Understanding Your PCI DSS Guidelines: Successes and Failures

- Mark - Fullbright
- Mark - Fullbright
FormationTechnologie
1  sur  13
Télécharger pour lire hors ligne
▲ E-Guide UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later I E-G uide , SearchSecurity.com expert Mike Chapple details the PCI validation requirements for merchants covered by PCI DSS and reviews PCI’s successes and failures. As the industry preps for PCI DSS 3.0 learn what needs to be improved upon and what has remained effective. PA G E 2 O F 1 3 n this SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES PCI VALIDATION: REQUIREMENTS FOR MERCHANTS COVERED BY PCI DSS Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later Mike Chapple, Enterprise Compliance Organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) must meet a laundry list of PCI validation requirements on a regular basis to certify its compliance to their merchant banks. These requirements include the need for periodic reports on compliance (ROCs), vulnerability scans, penetration testing and Web application testing. In this tip, we examine these requirements to provide a detailed outline of what is needed to remain PCI DSS-compliant. REPORTING COMPLIANCE: SAQS AND ROCS Perhaps the most significant PCI requirement is that all but the smallest merchants (those who process fewer than 20,000 e-commerce transactions and less than 1 million total transactions per year) must submit annual compliance validation reports to their merchant bank. The scope of these reports and the qualifications of the individuals performing the assessment vary depending PA G E 3 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later upon where an organization falls within the PCI DSS merchant levels. The largest merchants (those with over 6 million transactions per year) are classified as Level 1 merchants and must have an independent audit performed on an annual basis. This audit may be performed by either a Qualified Security Assessor (QSA) or the firm's internal audit group if the audit is signed by an officer of the company. In those cases, the QSA or internal auditors complete an ROC for submission to the merchant bank. Level 2 and 3 merchants may conduct the assessment using their own IT and business staff and document the results on one of the self-assessment questionnaires (SAQ). The scope of the audit depends upon the characteristics of the merchant's cardholder data environment -- essentially, the more complex the environment, the greater the scope of the audit. The possibilities are as follows: SAQ A, the simplest form, is reserved for those merchants that have out sourced all card processing responsibilities. SAQ B contains the requirements for imprint-only or standalone dial out terminal users that do not store any cardholder data electronically. PA G E 4 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later SAQ C is used in cases where merchants have payment application sys tems that are connected to the Internet but do not store cardholder data. There is a separate version of SAQ C for those merchants using virtual terminals. SAQ D, the most complex form, is required for all merchants that are not eligible to fill out one of the shorter SAQs. This includes merchants with systems that store cardholder information. Of course, it's in every merchant's best interest to move as far down the SAQ chain as possible. Don't fill out the lengthy SAQ D if your organization is eligible to complete the brief SAQ A! VULNERABILITY SCANS All merchants with externally facing (public) IP addresses must also complete quarterly external network vulnerability scans and provide those results to their merchant bank. The PCI DSS standard requires organizations to perform the scans through any of theirApproved Scanning Vendors (ASVs), but the organization's merchant bank may require that it use a specific ASV. Many PA G E 5 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later merchant banks require the use of a single ASV partner who, in turn, provides the bank with direct access to consolidated reports, easing the administrative burden on their end. Of course, simply performing the scan is not sufficient -- companies must actually pass the scan to be able to assert PCI DSS compliance. For this reason, it's a good idea to run regular compliance scans for the company's own purposes to validate that it will pass before running the official scan that will be reported to its merchant bank. SECURITY TESTING Two additional requirements apply to organizations with infrastructures that process cardholder data: penetration testing and Web application assessment. Organizations must perform annual internal and external penetration testing of its cardholder data environment, including both network and application layer tests. Similarly, organizations with Web applications must perform Web application assessments on an annual basis and after any significant changes. Both of these tests must be performed either by a qualified security consultant or by qualified employees of the merchant, provided that the employees performing the tests are organizationally independent from those maintaining PA G E 6 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later the systems. As companies build their PCI DSS compliance program, it is increasingly important to keep all of these requirements in mind. It's a good idea to plan an annual calendar of assessments and tests so that the company doesn't miss a deadline or wind up rushing to complete all of its PCI validation requirements at the end of the year. Finally, be sure to retain documentation of all of the company's assessments so that its compliance can be demonstrated to an auditor. MIKE CHAPPLE, Ph. D., CISA, CISSP, is an IT security manager at the University of Notre Dame. He previously served as an information security researcher at the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for the Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. PA G E 7 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES PCI DSS REVIEW: ASSESSING THE PCI STANDARD NINE YEARS LATER Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later Mike Chapple, Enterprise Compliance Nine years ago, the major payment card brands came together and quietly released the first version of the Payment Card Industry Data Security Standard (PCI DSS), consolidating the confusing set of overlapping requirements previously promulgated by the card brands. Almost a decade later, the industry now awaits the third major PCI DSS release as the council prepares to issue PCI DSS 3.0. Now is an excellent opportunity for the industry to reflect upon the standard's successes and failures, and that's what we'll do here in this PCI DSS review. COMPLIANCE VS. SECURITY: WHERE ARE WE? Of course, the goal of the PCI DSS is to improve the security of payment card information and reduce the cost of fraud to the sponsoring institutions. It's no secret, however, that the goal of most organizations subject to PCI DSS is simply to pass their assessments and be able to certify compliance for another year. PA G E 8 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later This is an age-old discussion in the world of compliance: How much of what we do actually improves security, and how much is simply bureaucratic overhead? There's no doubt that PCI DSS, as with any regulatory obligation, requires us to perform some tasks that don't contribute to the security of our information. For example, none of us want to spend time filling out self-assessment questionnaires or documenting the results of an account review. However, the vast majority of PCI DSS requirements do have a legitimate basis in information security dogma, and while some wish the standard raised the bar higher, most security professionals freely admit that the requirements indeed reflect industry standard best practices. Has the state of security improved since the release of PCI DSS? I contend that, indeed, it has. While organizations that have always had strong security programs may have only seen marginal improvements in their security, it is indisputable that many organizations only considered payment card security for the first time when faced with this compliance mandate. The cause of most payment card breaches can be traced back to basic security controls that were lacking, and the PCI DSS has helped build awareness around the need for fundamental information security practices. PA G E 9 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES CONSISTENCY OF ASSESSMENTS Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later One of the early complaints among merchants and service providers regulated by PCI DSS was that the standard contained a number of vague requirements that were inconsistently enforced by the Qualified Security Assessors (QSAs) certified by the PCI Security Standards Council to conduct PCI DSS validation assessments. This led to confusion within the regulated industry and some degree of shopping around for a QSA that would provide organizations with the results that it wanted to hear. Thankfully, this situation has improved. The PCI SSC heard this feedback and put a tremendous amount of effort into building a community of QSAs who consistently interpret the standards. To achieve this task, the council moved from a standard document that simply listed requirements to one that incorporates the precise audit procedures that QSAs are to follow when validating compliance. For example, requirement 9.1.1 involving the use of video cameras and access control mechanisms now has three specific procedures: 9.1.1 a Verify that video cameras and/or access control mechanisms are in place to monitor the entry/exit points to sensitive areas. PA G E 1 0 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES 9 .1.1 b Verify that video cameras and/or access control mechanisms are protected from tampering or disabling. Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later 9 .1.1 c Verify that video cameras and/or access control mechanisms are monitored and that data from cameras or other mechanisms is stored for at least three months. With this new degree of precision, merchants and service providers now go into assessments with a reasonable understanding of the procedures that QSAs will perform when conducting assessments. PREPARING FOR PCI DSS 3.0 As we approach the third release of PCI DSS, many organizations now have a degree of confidence borne from experience that simply was not there in the past. While compliance managers should certainly review the PCI DSS Version 3.0 Change Highlights issued by the SSC, there is plenty of time to prepare before the standard goes into effect in January 2014. Take the time provided to you during this grace period to review the new standard and implement any changes that might be necessary in your cardholder environment to remain PA G E 1 1 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later compliant in the coming year. The bottom line? In my opinion, the PCI DSS compliance field has matured significantly over the past decade and evolved from a confusing, feared set of technical requirements to a well-understood standard that is now often used as the gold standard of security even in unregulated fields. MIKE CHAPPLE, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor forInformation Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. PA G E 1 2 O F 1 3 SPONSORED BY
UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES FREE RESOURCES FOR TECHNOLOGY PROFESSIONALS Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web’s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more —drawing on the rich RD resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. WHAT MAKES TECHTARGET UNIQUE? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers—all to create compelling and actionable information for enterprise IT professionals across all industries and markets. PA G E 1 3 O F 1 3 SPONSORED BY

Recommandé

ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...John Baines
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBTShanmugavel Sankaran
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1leon bonilla
 

Recommandé

ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...John Baines
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBTShanmugavel Sankaran
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1leon bonilla
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overviewb28stu
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliantDivya Kothari
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGhimalya sharma
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS SlidecastRobertXia
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecurePaymetric, Inc.
 
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Paymetric, Inc.
 
Business Analysis Healthcare Online & Classroom Training
Business Analysis Healthcare Online & Classroom Training Business Analysis Healthcare Online & Classroom Training
Business Analysis Healthcare Online & Classroom Training Vibloo
 
Vera Bradley Chooses Paymetric to Automate Their Payment Processing Needs
Vera Bradley Chooses Paymetric to Automate Their Payment Processing NeedsVera Bradley Chooses Paymetric to Automate Their Payment Processing Needs
Vera Bradley Chooses Paymetric to Automate Their Payment Processing NeedsPaymetric, Inc.
 
Secure Payment Integration for SAP
Secure Payment Integration for SAPSecure Payment Integration for SAP
Secure Payment Integration for SAPPaymetric, Inc.
 
The Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperThe Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperBen Rothke
 
From Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachFrom Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachPaymetric, Inc.
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliancepcidss14s
 
6 ways reduce pci dss audit scope tokenizing cardholder data
6 ways reduce pci dss audit scope tokenizing cardholder data6 ways reduce pci dss audit scope tokenizing cardholder data
6 ways reduce pci dss audit scope tokenizing cardholder dataRichard Thompson
 
Falcon debit credit_2909_ps
Falcon debit credit_2909_psFalcon debit credit_2909_ps
Falcon debit credit_2909_pskazemita
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...amadhireddy
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011Donald E. Hester
 
Intro to-payment-processing-in-sap
Intro to-payment-processing-in-sapIntro to-payment-processing-in-sap
Intro to-payment-processing-in-sappuppala
 
Falcon 012009
Falcon 012009Falcon 012009
Falcon 012009Northwest Card Association
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardsallychiu
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 URAlcala65
 
PCI DSS
PCI DSSPCI DSS
PCI DSSDuy Do Phan
 

Contenu connexe

Tendances

P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overviewb28stu
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliantDivya Kothari
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGhimalya sharma
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS SlidecastRobertXia
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecurePaymetric, Inc.
 
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Paymetric, Inc.
 
Business Analysis Healthcare Online & Classroom Training
Business Analysis Healthcare Online & Classroom Training Business Analysis Healthcare Online & Classroom Training
Business Analysis Healthcare Online & Classroom Training Vibloo
 
Vera Bradley Chooses Paymetric to Automate Their Payment Processing Needs
Vera Bradley Chooses Paymetric to Automate Their Payment Processing NeedsVera Bradley Chooses Paymetric to Automate Their Payment Processing Needs
Vera Bradley Chooses Paymetric to Automate Their Payment Processing NeedsPaymetric, Inc.
 
Secure Payment Integration for SAP
Secure Payment Integration for SAPSecure Payment Integration for SAP
Secure Payment Integration for SAPPaymetric, Inc.
 
The Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperThe Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperBen Rothke
 
From Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachFrom Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachPaymetric, Inc.
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliancepcidss14s
 
6 ways reduce pci dss audit scope tokenizing cardholder data
6 ways reduce pci dss audit scope tokenizing cardholder data6 ways reduce pci dss audit scope tokenizing cardholder data
6 ways reduce pci dss audit scope tokenizing cardholder dataRichard Thompson
 
Falcon debit credit_2909_ps
Falcon debit credit_2909_psFalcon debit credit_2909_ps
Falcon debit credit_2909_pskazemita
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...amadhireddy
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011Donald E. Hester
 
Intro to-payment-processing-in-sap
Intro to-payment-processing-in-sapIntro to-payment-processing-in-sap
Intro to-payment-processing-in-sappuppala
 

Tendances (18)

P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overview
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
 
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
 
Business Analysis Healthcare Online & Classroom Training
Business Analysis Healthcare Online & Classroom Training Business Analysis Healthcare Online & Classroom Training
Business Analysis Healthcare Online & Classroom Training
 
Vera Bradley Chooses Paymetric to Automate Their Payment Processing Needs
Vera Bradley Chooses Paymetric to Automate Their Payment Processing NeedsVera Bradley Chooses Paymetric to Automate Their Payment Processing Needs
Vera Bradley Chooses Paymetric to Automate Their Payment Processing Needs
 
Secure Payment Integration for SAP
Secure Payment Integration for SAPSecure Payment Integration for SAP
Secure Payment Integration for SAP
 
The Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperThe Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White Paper
 
From Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data BreachFrom Bad to Worse: How to Stay Protected from a Mega Data Breach
From Bad to Worse: How to Stay Protected from a Mega Data Breach
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliance
 
6 ways reduce pci dss audit scope tokenizing cardholder data
6 ways reduce pci dss audit scope tokenizing cardholder data6 ways reduce pci dss audit scope tokenizing cardholder data
6 ways reduce pci dss audit scope tokenizing cardholder data
 
Falcon debit credit_2909_ps
Falcon debit credit_2909_psFalcon debit credit_2909_ps
Falcon debit credit_2909_ps
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
 
Intro to-payment-processing-in-sap
Intro to-payment-processing-in-sapIntro to-payment-processing-in-sap
Intro to-payment-processing-in-sap
 
Falcon 012009
Falcon 012009Falcon 012009
Falcon 012009
 

Similaire à Understanding Your PCI DSS Guidelines: Successes and Failures

eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardsallychiu
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 URAlcala65
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1wardell henley
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates VISTA InfoSec
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Donald E. Hester
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI complianceJisc
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableVISTA InfoSec
 
Symbiotic Consulting Group LLC - PCI Compliance Overview
Symbiotic Consulting Group LLC - PCI Compliance OverviewSymbiotic Consulting Group LLC - PCI Compliance Overview
Symbiotic Consulting Group LLC - PCI Compliance OverviewRosy Kaur
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Donald E. Hester
 
5 Challenges to Continuous PCI DSS Compliance
5 Challenges to Continuous PCI DSS Compliance5 Challenges to Continuous PCI DSS Compliance
5 Challenges to Continuous PCI DSS ComplianceTripwire
 
PCI Compliance for Payment Security
PCI Compliance for Payment SecurityPCI Compliance for Payment Security
PCI Compliance for Payment SecurityPaymentAsia
 
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...AtoZ Compliance
 

Similaire à Understanding Your PCI DSS Guidelines: Successes and Failures (20)

eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 U
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicable
 
Symbiotic Consulting Group LLC - PCI Compliance Overview
Symbiotic Consulting Group LLC - PCI Compliance OverviewSymbiotic Consulting Group LLC - PCI Compliance Overview
Symbiotic Consulting Group LLC - PCI Compliance Overview
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
 
Best practices for PCI compliance
Best practices for PCI compliance Best practices for PCI compliance
Best practices for PCI compliance
 
5 Challenges to Continuous PCI DSS Compliance
5 Challenges to Continuous PCI DSS Compliance5 Challenges to Continuous PCI DSS Compliance
5 Challenges to Continuous PCI DSS Compliance
 
PCI Compliance for Payment Security
PCI Compliance for Payment SecurityPCI Compliance for Payment Security
PCI Compliance for Payment Security
 
Payment System Risk. Visa
Payment System Risk. VisaPayment System Risk. Visa
Payment System Risk. Visa
 
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
 

Plus de - Mark - Fullbright

ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019- Mark - Fullbright
 
2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)- Mark - Fullbright
 
Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019- Mark - Fullbright
 
CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019- Mark - Fullbright
 
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...- Mark - Fullbright
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)- Mark - Fullbright
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report- Mark - Fullbright
 
Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 - Mark - Fullbright
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft- Mark - Fullbright
 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017- Mark - Fullbright
 
Protecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for BusinessProtecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for Business- Mark - Fullbright
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business- Mark - Fullbright
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report- Mark - Fullbright
 
Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016- Mark - Fullbright
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015- Mark - Fullbright
 

Plus de - Mark - Fullbright (20)

ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019
 
IC3 2019 Internet Crime Report
IC3 2019 Internet Crime ReportIC3 2019 Internet Crime Report
IC3 2019 Internet Crime Report
 
Police, Protesters, Press, 2020
Police, Protesters, Press, 2020Police, Protesters, Press, 2020
Police, Protesters, Press, 2020
 
2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)
 
FCPA Guidance 2020
FCPA Guidance 2020FCPA Guidance 2020
FCPA Guidance 2020
 
Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019
 
CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019
 
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
 
2018 IC3 Report
2018 IC3 Report2018 IC3 Report
2018 IC3 Report
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report
 
Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018
 
Credit Score Explainer
Credit Score ExplainerCredit Score Explainer
Credit Score Explainer
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft
 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017
 
Protecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for BusinessProtecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for Business
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report
 
Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015
 

Dernier

Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPoojaSen20
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 

Dernier (20)

Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 

Understanding Your PCI DSS Guidelines: Successes and Failures

  • 2. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later I E-G uide , SearchSecurity.com expert Mike Chapple details the PCI validation requirements for merchants covered by PCI DSS and reviews PCI’s successes and failures. As the industry preps for PCI DSS 3.0 learn what needs to be improved upon and what has remained effective. PA G E 2 O F 1 3 n this SPONSORED BY
  • 3. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES PCI VALIDATION: REQUIREMENTS FOR MERCHANTS COVERED BY PCI DSS Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later Mike Chapple, Enterprise Compliance Organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) must meet a laundry list of PCI validation requirements on a regular basis to certify its compliance to their merchant banks. These requirements include the need for periodic reports on compliance (ROCs), vulnerability scans, penetration testing and Web application testing. In this tip, we examine these requirements to provide a detailed outline of what is needed to remain PCI DSS-compliant. REPORTING COMPLIANCE: SAQS AND ROCS Perhaps the most significant PCI requirement is that all but the smallest merchants (those who process fewer than 20,000 e-commerce transactions and less than 1 million total transactions per year) must submit annual compliance validation reports to their merchant bank. The scope of these reports and the qualifications of the individuals performing the assessment vary depending PA G E 3 O F 1 3 SPONSORED BY
  • 4. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later upon where an organization falls within the PCI DSS merchant levels. The largest merchants (those with over 6 million transactions per year) are classified as Level 1 merchants and must have an independent audit performed on an annual basis. This audit may be performed by either a Qualified Security Assessor (QSA) or the firm's internal audit group if the audit is signed by an officer of the company. In those cases, the QSA or internal auditors complete an ROC for submission to the merchant bank. Level 2 and 3 merchants may conduct the assessment using their own IT and business staff and document the results on one of the self-assessment questionnaires (SAQ). The scope of the audit depends upon the characteristics of the merchant's cardholder data environment -- essentially, the more complex the environment, the greater the scope of the audit. The possibilities are as follows: SAQ A, the simplest form, is reserved for those merchants that have out sourced all card processing responsibilities. SAQ B contains the requirements for imprint-only or standalone dial out terminal users that do not store any cardholder data electronically. PA G E 4 O F 1 3 SPONSORED BY
  • 5. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later SAQ C is used in cases where merchants have payment application sys tems that are connected to the Internet but do not store cardholder data. There is a separate version of SAQ C for those merchants using virtual terminals. SAQ D, the most complex form, is required for all merchants that are not eligible to fill out one of the shorter SAQs. This includes merchants with systems that store cardholder information. Of course, it's in every merchant's best interest to move as far down the SAQ chain as possible. Don't fill out the lengthy SAQ D if your organization is eligible to complete the brief SAQ A! VULNERABILITY SCANS All merchants with externally facing (public) IP addresses must also complete quarterly external network vulnerability scans and provide those results to their merchant bank. The PCI DSS standard requires organizations to perform the scans through any of theirApproved Scanning Vendors (ASVs), but the organization's merchant bank may require that it use a specific ASV. Many PA G E 5 O F 1 3 SPONSORED BY
  • 6. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later merchant banks require the use of a single ASV partner who, in turn, provides the bank with direct access to consolidated reports, easing the administrative burden on their end. Of course, simply performing the scan is not sufficient -- companies must actually pass the scan to be able to assert PCI DSS compliance. For this reason, it's a good idea to run regular compliance scans for the company's own purposes to validate that it will pass before running the official scan that will be reported to its merchant bank. SECURITY TESTING Two additional requirements apply to organizations with infrastructures that process cardholder data: penetration testing and Web application assessment. Organizations must perform annual internal and external penetration testing of its cardholder data environment, including both network and application layer tests. Similarly, organizations with Web applications must perform Web application assessments on an annual basis and after any significant changes. Both of these tests must be performed either by a qualified security consultant or by qualified employees of the merchant, provided that the employees performing the tests are organizationally independent from those maintaining PA G E 6 O F 1 3 SPONSORED BY
  • 7. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later the systems. As companies build their PCI DSS compliance program, it is increasingly important to keep all of these requirements in mind. It's a good idea to plan an annual calendar of assessments and tests so that the company doesn't miss a deadline or wind up rushing to complete all of its PCI validation requirements at the end of the year. Finally, be sure to retain documentation of all of the company's assessments so that its compliance can be demonstrated to an auditor. MIKE CHAPPLE, Ph. D., CISA, CISSP, is an IT security manager at the University of Notre Dame. He previously served as an information security researcher at the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for the Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. PA G E 7 O F 1 3 SPONSORED BY
  • 8. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES PCI DSS REVIEW: ASSESSING THE PCI STANDARD NINE YEARS LATER Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later Mike Chapple, Enterprise Compliance Nine years ago, the major payment card brands came together and quietly released the first version of the Payment Card Industry Data Security Standard (PCI DSS), consolidating the confusing set of overlapping requirements previously promulgated by the card brands. Almost a decade later, the industry now awaits the third major PCI DSS release as the council prepares to issue PCI DSS 3.0. Now is an excellent opportunity for the industry to reflect upon the standard's successes and failures, and that's what we'll do here in this PCI DSS review. COMPLIANCE VS. SECURITY: WHERE ARE WE? Of course, the goal of the PCI DSS is to improve the security of payment card information and reduce the cost of fraud to the sponsoring institutions. It's no secret, however, that the goal of most organizations subject to PCI DSS is simply to pass their assessments and be able to certify compliance for another year. PA G E 8 O F 1 3 SPONSORED BY
  • 9. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later This is an age-old discussion in the world of compliance: How much of what we do actually improves security, and how much is simply bureaucratic overhead? There's no doubt that PCI DSS, as with any regulatory obligation, requires us to perform some tasks that don't contribute to the security of our information. For example, none of us want to spend time filling out self-assessment questionnaires or documenting the results of an account review. However, the vast majority of PCI DSS requirements do have a legitimate basis in information security dogma, and while some wish the standard raised the bar higher, most security professionals freely admit that the requirements indeed reflect industry standard best practices. Has the state of security improved since the release of PCI DSS? I contend that, indeed, it has. While organizations that have always had strong security programs may have only seen marginal improvements in their security, it is indisputable that many organizations only considered payment card security for the first time when faced with this compliance mandate. The cause of most payment card breaches can be traced back to basic security controls that were lacking, and the PCI DSS has helped build awareness around the need for fundamental information security practices. PA G E 9 O F 1 3 SPONSORED BY
  • 10. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES CONSISTENCY OF ASSESSMENTS Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later One of the early complaints among merchants and service providers regulated by PCI DSS was that the standard contained a number of vague requirements that were inconsistently enforced by the Qualified Security Assessors (QSAs) certified by the PCI Security Standards Council to conduct PCI DSS validation assessments. This led to confusion within the regulated industry and some degree of shopping around for a QSA that would provide organizations with the results that it wanted to hear. Thankfully, this situation has improved. The PCI SSC heard this feedback and put a tremendous amount of effort into building a community of QSAs who consistently interpret the standards. To achieve this task, the council moved from a standard document that simply listed requirements to one that incorporates the precise audit procedures that QSAs are to follow when validating compliance. For example, requirement 9.1.1 involving the use of video cameras and access control mechanisms now has three specific procedures: 9.1.1 a Verify that video cameras and/or access control mechanisms are in place to monitor the entry/exit points to sensitive areas. PA G E 1 0 O F 1 3 SPONSORED BY
  • 11. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES 9 .1.1 b Verify that video cameras and/or access control mechanisms are protected from tampering or disabling. Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later 9 .1.1 c Verify that video cameras and/or access control mechanisms are monitored and that data from cameras or other mechanisms is stored for at least three months. With this new degree of precision, merchants and service providers now go into assessments with a reasonable understanding of the procedures that QSAs will perform when conducting assessments. PREPARING FOR PCI DSS 3.0 As we approach the third release of PCI DSS, many organizations now have a degree of confidence borne from experience that simply was not there in the past. While compliance managers should certainly review the PCI DSS Version 3.0 Change Highlights issued by the SSC, there is plenty of time to prepare before the standard goes into effect in January 2014. Take the time provided to you during this grace period to review the new standard and implement any changes that might be necessary in your cardholder environment to remain PA G E 1 1 O F 1 3 SPONSORED BY
  • 12. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later compliant in the coming year. The bottom line? In my opinion, the PCI DSS compliance field has matured significantly over the past decade and evolved from a confusing, feared set of technical requirements to a well-understood standard that is now often used as the gold standard of security even in unregulated fields. MIKE CHAPPLE, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor forInformation Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. PA G E 1 2 O F 1 3 SPONSORED BY
  • 13. UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES FREE RESOURCES FOR TECHNOLOGY PROFESSIONALS Home PCI validation: Requirements for merchants covered by PCI DSS PCI DSS review: Assessing the PCI standard nine years later TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web’s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more —drawing on the rich RD resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. WHAT MAKES TECHTARGET UNIQUE? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers—all to create compelling and actionable information for enterprise IT professionals across all industries and markets. PA G E 1 3 O F 1 3 SPONSORED BY