PCI-DSS
INTRODUCTION
Nguyen Ngo, Ninh Dang
Agenda

PCI-DSS Fundamental
  - What is PCI-DSS
  - Why are the PCI Security Standards Important?
  - Key Definitions
  - PCI Standards Boundary
  - Recommended Understanding
Instruction
  - Determine PCI Level
  - Validation Requirements
  - Choose SAQ
Implementation
  - Principles
  - PCI-DSS Requirements
  - PA-DSS Requirements
  - Self Assessment Questionnaire
  - Report
PCI-DSS Fundamental
Payment Card Data Issues (slide image)
What is PCI?

PCI stands for the Payment Card Industry and is used to refer to:

  - The PCI Security Standards Council (PCI SSC), an industry body
    founded by the major card brands to protect cardholder data.
    Founders: (logos of the founding card brands)
  - The global security standards created and maintained by the PCI SSC
    to protect cardholder payment data.

Key Learning Point: Compliance with PCI Security Standards is mandatory
for merchants and their service providers, and is enforced by the major
card brands who established the PCI SSC.
What is PCI DSS?

  “The PCI Data Security Standard represents a common set of industry
  tools and measurements to help ensure the safe handling of sensitive
  information…the standard provides an actionable framework for
  developing a robust account data security process - including
  preventing, detecting and reacting to security incidents.”

      – PCI Standards Council –
Why are the PCI Security Standards Important?

The Standards are important because they protect cardholder data in
order to help prevent data compromises and subsequent fraud activity:

  - Customers expect merchants and their acquirers to keep their card
    account data safe
  - Data compromises can result in significant fines and losses for
    merchants and can damage the merchant’s reputation with customers
  - The number of data compromise incidents is increasing annually;
    organized criminal enterprises are targeting vulnerable merchants
PCI-DSS Object
Key Definitions

Data definitions

  - Cardholder data: PAN (Primary Account Number), Cardholder Name,
    Service Code, Expiration Code.
  - Sensitive authentication data: full magnetic stripe data, CVV, PIN
    (Personal Identification Number).

Keywords

  - PCI-DSS: Payment Card Industry Data Security Standard
  - PA-DSS: Payment Application Data Security Standard
  - PTS: PIN Transaction Security
  - QSA: Qualified Security Assessor
  - SAQ: Self Assessment Questionnaire
  - ASV: Approved Scanning Vendor
PCI Standards Boundary

  - The PCI Data Security Standard (PCI DSS): if a business accepts or
    processes payment cards, it must comply with the PCI DSS. It is the
    standard that merchants, processors, and service providers must meet
    for the complete protection of payment cardholder data.
  - The Payment Application Data Security Standard (PA-DSS) and PIN
    Transaction Security (PTS) (previously known as PIN Entry Device
    (PED)) security requirements support the overall implementation of
    PCI DSS by allowing merchants to choose from Council-certified
    payment application software and PIN entry devices.
Recommended Understanding

PCI DSS tells you what you need to do: what standards you need to meet
to be compliant.

PCI DSS does not tell you how to become compliant. That is individual
to your situation and your environment:

  - Your systems
  - Your processes
  - Your vendors
  - Your customers

Being compliant does not necessarily make you secure.

Being secure leads to compliance – not the other way around.
Instruction

  - Determining your PCI Level
  - Validation requirements
  - Selecting the SAQ that Best Applies to Your Organization
Determining your PCI Level

You need to assess where you are on the scale of risk:

Level 1
  - All channels: > 6MM Visa or MC transactions per year

Level 2
  - All channels: 1MM - 6MM Visa or MC transactions per year
  - E-commerce: >150,000 - 6MM MC transactions per year

Level 3
  - 20,000 - 150,000 e-commerce MC transactions per year
  - 20,000 - 999,999 e-commerce Visa transactions per year

Level 4
  - <20,000 Visa or MC e-commerce transactions per year
  - <1MM non-e-commerce Visa or MC transactions per year
Validation requirements

Level 1 Merchants
  - Complete an annual on-site PCI Data Security Assessment in accordance
    with the PCI Audit Procedures (Visa website). You can use this template
    for your Report on Compliance (ROC).
  - Engage a Visa-approved Qualified Data Security Company to complete
    your ROC.
  - Validate the ROC by the due date (preferably sooner, in case issues
    arise in the ROC; this will help eliminate assessment of fines).
  - Provide the ROC to Bank of America Merchant Services.
  - The merchant’s internal auditor may prepare the ROC, which must be
    accompanied by a letter signed by an executive-level officer of the
    merchant’s organization validating the ROC.
  - Complete quarterly network scans to check your systems for
    vulnerabilities.
  - Complete annual penetration testing to test that your systems are
    hacker-resistant.
  - Ensure that these security scans are performed by a qualified
    independent scan vendor.

Level 2, 3 and 4 Merchants
  - Complete and validate an annual PCI Self-Assessment Questionnaire.
  - Complete quarterly network scans to check your systems for
    vulnerabilities.
  - Complete annual penetration testing to test that your systems are
    hacker-resistant.
  - Ensure that these security scans are performed by a qualified
    independent scan vendor.
Selecting the SAQ that Best Applies to Your Organization

SAQ    Description
A      Card-not-present (e-commerce or mail/telephone-order) merchants, all
       cardholder data functions outsourced. This would never apply to
       face-to-face merchants.
B      Imprint-only merchants with no electronic cardholder data storage, or
       standalone dial-out terminal merchants with no electronic cardholder
       data storage.
C-VT   Merchants using only web-based virtual terminals, no cardholder data
       storage.
C      Merchants with payment application systems connected to the Internet,
       no electronic cardholder data storage.
D      All other merchants not included in the descriptions for SAQ types A
       through C above, and all service providers defined by a payment brand
       as eligible to complete an SAQ.
Implementation

  - Determine scope
  - Rebuild systems based on the requirements
  - Self Assessment Questionnaires
  - Report
Determining Scope – Network Segmented (slide images)
Principles

SECURE → TRACK → AUDIT

  - You need to ensure that your data is first secured, both physically
    and electronically.
  - You need to ensure you have mechanisms in place to track who accesses
    your data and when.
  - You need to review your tracking (audit) to look for anomalies.
PCI DSS – Requirements

Six Goals, Twelve Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder
     data
  2. Do not use vendor-supplied defaults for system passwords and other
     security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder
      data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees
      and contractors
PA-DSS Introduction

Formerly known as PABP (Payment Application Best Practices), supervised
by Visa.

Goals
  - Develop secure payment applications that do not store prohibited
    data, such as full magnetic stripe, CVV2 or PIN data
  - Ensure their payment applications support compliance with the PCI DSS

The requirements for the PA-DSS are derived from the PCI DSS.

Why focus on software? Vulnerable payment applications are currently the
leading cause of data compromise incidents, particularly for small
merchants.
PA-DSS Requirements

Fourteen Requirements

Requirement 1    Do not retain full magnetic stripe, card validation code or
                 value (CAV2, CID, CVC2, CVV2), or PIN block data
Requirement 2    Protect stored cardholder data
Requirement 3    Provide secure authentication features
Requirement 4    Log payment application activity
Requirement 5    Develop secure payment applications (5.2 - OWASP Guide,
                 SANS CWE Top 25, CERT Secure Coding)
Requirement 6    Protect wireless transmissions
Requirement 7    Test payment applications to address vulnerabilities
Requirement 8    Facilitate secure network implementation
Requirement 9    Cardholder data must never be stored on a server connected
                 to the Internet
Requirement 10   Facilitate secure remote software updates
Requirement 11   Facilitate secure remote access to payment application
Requirement 12   Encrypt sensitive traffic over public networks
Requirement 13   Encrypt all non-console administrative access
Requirement 14   Maintain instructional documentation and training programs
                 for customers, resellers, and integrators
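As an added example (not code from the deck), the Python below applies the Key Definitions slide together with PA-DSS Requirement 1 and PCI DSS Requirement 3: it keeps cardholder data and sensitive authentication data apart, drops the SAD once authorization is done, truncates the PAN before storage, and scans constructed log lines for PANs (Luhn-checked to cut false positives) and track data that must never be logged. The field names, regular expressions, sample record and log lines are all assumptions made for this example.

```python
"""Cardholder data (CHD) versus sensitive authentication data (SAD).

Added example, not from the deck. CHD may be stored if protected; SAD must
never be retained after authorization; neither belongs in application logs.
"""
import re

# Classification from the Key Definitions slide (field names are assumed).
CARDHOLDER_DATA = {"pan", "cardholder_name", "expiry", "service_code"}
SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv", "pin", "pin_block"}

# Constructed authorization request as a payment application might hold it.
AUTH_REQUEST = {
    "pan": "4111 1111 1111 1111",  # well-known test PAN, not a real card
    "cardholder_name": "J DOE",
    "expiry": "2512",
    "service_code": "101",
    "track2": ";4111111111111111=2512101123456789?",
    "cvv": "123",
    "pin_block": "A1B2C3D4E5F60718",
}

# Constructed log lines: clean / PAN plus CVV / track 2 data / a 13-digit
# ticket number that is not a valid PAN.
SAMPLE_LOG = [
    "2024-03-01 10:15:02 INFO auth ok order=10023 amount=19.99",
    "2024-03-01 10:15:03 DEBUG raw request pan=4111111111111111 cvv=123",
    "2024-03-01 10:15:04 DEBUG swipe ;4111111111111111=2512101123456789?",
    "2024-03-01 10:15:05 INFO ticket 1234567890123 closed",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; used to cut false positives when hunting PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits. Truncation is one
    PCI DSS Req 3 way to render a stored PAN unreadable; encrypt or tokenize
    instead when the full PAN is needed later."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_after_authorization(record: dict) -> dict:
    """Copy that is safe to persist: SAD dropped (PA-DSS Req 1), PAN truncated."""
    safe = {}
    for key, value in record.items():
        if key in SENSITIVE_AUTH_DATA:
            continue
        safe[key] = truncate_pan(value) if key == "pan" else value
    return safe


# Patterns for data that must never reach logs or storage.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")  # %B<PAN>^NAME^YYMM
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d{3}")  # <PAN>=YYMM<service code>
SAD_KEY_RE = re.compile(r"\b(cvv2?|cvc2?|cav2|cid|pin_block|pin)\s*[=:]", re.I)


def find_leaked_data(line: str) -> list:
    """Kinds of prohibited data found in one log line, sorted."""
    findings = set()
    if TRACK1_RE.search(line):
        findings.add("track1")
    if TRACK2_RE.search(line):
        findings.add("track2")
    if SAD_KEY_RE.search(line):
        findings.add("sad_field")
    for match in PAN_RE.finditer(line):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            findings.add("pan")
            break
    return sorted(findings)


def scan_log(lines: list) -> list:
    """(line index, findings) for every line that should raise an incident."""
    hits = []
    for i, line in enumerate(lines):
        kinds = find_leaked_data(line)
        if kinds:
            hits.append((i, kinds))
    return hits


if __name__ == "__main__":
    print(scrub_after_authorization(AUTH_REQUEST))
    for idx, kinds in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(kinds)}")
```

Run over a real log stream, `scan_log` is the kind of check that turns the deck's TRACK and AUDIT principles into a concrete detection: any hit means the application is retaining or logging data the standard prohibits.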
SAQ Objectives

Self Assessment Questionnaires
  - Based on industry feedback
  - Flexibility for multiple merchant types
  - Providing guidance for the intent and applicability of the
    underlying requirements

(Pictured: Self-Assessment Questionnaire (SAQ) A)
Self Assessment Questionnaires

SAQ validation type, description and matching SAQ:

  1. Card-not-present (e-commerce or MO/TO) merchants, all cardholder
     data functions outsourced. This would never apply to face-to-face
     merchants.
     SAQ A (<11 questions)
  2. Imprint-only merchants with no cardholder data storage.
     SAQ B (21 questions)
  3. Stand-alone dial-up terminal merchants, no cardholder data storage.
     SAQ B (21 questions)
  4. Merchants with payment application systems connected to the
     Internet, no cardholder data storage.
     SAQ C (38 questions)
  5. All other merchants (not included in the descriptions for SAQs A, B
     or C above) and all service providers defined by a payment brand as
     eligible to complete an SAQ.
     SAQ D (full DSS)
Reports

Regular reports are required for PCI DSS compliance.

All merchants, service providers and processors may be required to
submit quarterly scan reports.

All reports must be performed by a PCI SSC approved ASV.
THANK YOU

Contenu connexe

Tendances

Tendances (20)

PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
Payment Card System Overview
Payment Card System OverviewPayment Card System Overview
Payment Card System Overview
 
EMV Overview
EMV OverviewEMV Overview
EMV Overview
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
ISO Survey 2022: ISO 27001 certificates (ISMS)
ISO Survey 2022: ISO 27001 certificates (ISMS)ISO Survey 2022: ISO 27001 certificates (ISMS)
ISO Survey 2022: ISO 27001 certificates (ISMS)
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Digital Payment and 3-D Secure by Netcetera
Digital Payment and 3-D Secure by NetceteraDigital Payment and 3-D Secure by Netcetera
Digital Payment and 3-D Secure by Netcetera
 
Iso 27001 2013
Iso 27001 2013Iso 27001 2013
Iso 27001 2013
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices 
 
Top management role to implement ISO 27001
Top management role to implement ISO 27001Top management role to implement ISO 27001
Top management role to implement ISO 27001
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk Management
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Introduction to emv
Introduction to emvIntroduction to emv
Introduction to emv
 

En vedette

Twitter Bootstrap Presentation
Twitter Bootstrap PresentationTwitter Bootstrap Presentation
Twitter Bootstrap Presentation
Duy Do Phan
 
BlackBerry Basic
BlackBerry BasicBlackBerry Basic
BlackBerry Basic
Duy Do Phan
 

En vedette (18)

PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Twitter Bootstrap Presentation
Twitter Bootstrap PresentationTwitter Bootstrap Presentation
Twitter Bootstrap Presentation
 
WCF
WCFWCF
WCF
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance Briefing
 
BlackBerry Basic
BlackBerry BasicBlackBerry Basic
BlackBerry Basic
 
SSL
SSLSSL
SSL
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
PCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security StandardPCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security Standard
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
 
Using the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancerUsing the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancer
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to Tokenization
 
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinPCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
 
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
 
Iso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in indiaIso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in india
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
 

Similaire à PCI DSS

Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
Risk Crew
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
gealehegn
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National Certification
Mark Pollard
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
Dermot Clarke
 

Similaire à PCI DSS (20)

Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
Payment System Risk. Visa
Payment System Risk. VisaPayment System Risk. Visa
Payment System Risk. Visa
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National Certification
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
 
PCI Compliance: What You Need to Know
PCI Compliance: What You Need to KnowPCI Compliance: What You Need to Know
PCI Compliance: What You Need to Know
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program OverviewPCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program Overview
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 

Plus de Duy Do Phan

Location based AR & how it works
Location based AR & how it worksLocation based AR & how it works
Location based AR & how it works
Duy Do Phan
 
Linux Introduction
Linux IntroductionLinux Introduction
Linux Introduction
Duy Do Phan
 
Cryptography Fundamentals
Cryptography FundamentalsCryptography Fundamentals
Cryptography Fundamentals
Duy Do Phan
 
Android Programming Basic
Android Programming BasicAndroid Programming Basic
Android Programming Basic
Duy Do Phan
 
SMS-SMPP-Concepts
SMS-SMPP-ConceptsSMS-SMPP-Concepts
SMS-SMPP-Concepts
Duy Do Phan
 
One minute manager
One minute managerOne minute manager
One minute manager
Duy Do Phan
 
Work life balance
Work life balanceWork life balance
Work life balance
Duy Do Phan
 

Plus de Duy Do Phan (9)

Location based AR & how it works
Location based AR & how it worksLocation based AR & how it works
Location based AR & how it works
 
Linux Introduction
Linux IntroductionLinux Introduction
Linux Introduction
 
Iso8583
Iso8583Iso8583
Iso8583
 
Cryptography Fundamentals
Cryptography FundamentalsCryptography Fundamentals
Cryptography Fundamentals
 
Android Programming Basic
Android Programming BasicAndroid Programming Basic
Android Programming Basic
 
iOS Basic
iOS BasiciOS Basic
iOS Basic
 
SMS-SMPP-Concepts
SMS-SMPP-ConceptsSMS-SMPP-Concepts
SMS-SMPP-Concepts
 
One minute manager
One minute managerOne minute manager
One minute manager
 
Work life balance
Work life balanceWork life balance
Work life balance
 

PCI DSS

  • 2. Agenda PCI-DSS Fundamental  What is PCI-DSS • Why are the PCI Security Standards Important? • Key Definitions  PCI Standards Boundary  Recommended Understanding Instruction  Determine PCI-Level  Validate Requirement  Choose SAQ Implementation  Principles  PCI-DSS-Requirements  PA-DSS Requirements  Self Assessment Questionnaire  Report
  • 4. Payment Card Data Issues 4
  • 5. What is PCI ??? PCI stands for the Payment Card Industry and is used to refer to: The PCI Security Standards Council ™(PCI SSC), an industry body founded by the major card brands to protect cardholder data. Founders: The global Security Standards created and maintained by the PCI SSC to protect cardholder payment data. • Key Learning Point: Compliance with PCI Security Standards is mandatory for merchants and their service providers, and is enforced by the major card brands who established the PCI SSC 5
  • 6. What is PCI DSS? “The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information…the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.” – PCI Standards Council –
  • 7. Why are the PCI Security Standards Important? The Standards are important because they: Protect cardholder data in order to help prevent data compromises and subsequent fraud activity… • Customers expect merchants and their acquirers to keep their card account data safe • Data compromises can result in significant fines and losses for merchants and can damage the merchant’s reputation with customers • The number of data compromise incidents is increasing annually – organized criminal enterprises are targeting vulnerable merchants 7
  • 9. Key Definitions Data definitions • Cardholder data: PAN (Primary Account Number), Cardholder Name, Service Code. Expiration Code. • Sensitive authentication data: Full Magnetic Stripe Data, CCV, PIN (Personal identification number). Keywords • PCI-DSS: Payment Card Industry Data Security Standards • PA-DSS : Payment Applications Data Security Standards • PTS: PIN Transaction Security • QSA: Qualified Security Assessor • SAQ: Self Assessment Questionnaire • ASV: Approved Scanning Vendor 9
  • 10. PCI Standards Boundary • The PCI Data Security Standard (PCI DSS) If a business accepts or processes payment cards, it must comply with the PCI DSS. It is the standard merchants, processors, and service providers must meet for the complete protection of payment cardholder data. • The Payment Application-Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) (previously known as PIN Entry Device (PED)) security requirements support the overall implementation of PCI DSS by allowing merchants to choose from Council certified payment application software and PIN entry devices. 10
  • 11. Recommended Understanding PCI DSS tells you what you need to do; what standards you need to meet to be compliant PCI DSS does not tell you how to become compliant. That is individual to your situation and your environment - Your system - Your processes - Your vendors - Your customers Being compliant does necessary make you secure Being secure leads to compliance – not the other way around 11
  • 13. Instruction •Determining your PCI Level •Validation requirements •Selecting the SAQ that Best Applies to Your Organization 13
  • 14. Determining your PCI Level You need to assess where you are on the scale of risk: Level 1 All Channels 6MM Visa or MC transactions per year Level 2 All Channels 1MM - 6MM Visa or MC transactions per year E-Commerce - >150,000 - 6 MM MC transactions per year Level 3 20,000 - 150,000 e-commerce MC transactions per year 20,000 - 999,999 e-commerce Visa transactions per year Level 4 <20,000 Visa or MC e-commerce transactions per year <1MM non-e-commerce Visa or MC transactions per year 14
  • 15. Validation requirements Level 1 Merchants Complete an Annual On-Site PCI Data Security Assessment in accordance with PCI Audit Procedures (Visa website). You can use this template for your Report on Compliance (ROC). Engage a Visa-approved Qualified Data Security Company to complete your ROC. Validate the ROC by the due date (preferably sooner in case issues arise in the ROC. This will help eliminate assessment of fines.) Provide the ROC to Bank of America Merchant Services. Merchant’s internal auditor may prepare the ROC, which must be accompanied by a letter signed by an executive-level officer of Merchant’s organization validating the ROC. Complete quarterly network scans to check your systems for vulnerabilities. Complete annual penetration testing to test that your systems are hacker-resistant. Ensure that these security scans are performed by a qualified independent scan vendor. Level 2, 3 and 4 Merchants Complete and validate an Annual PCI Self-Assessment Questionnaire. Complete Quarterly Network Scans to check your systems for vulnerabilities. Complete annual penetration testing to test that your systems are hacker-resistant. Ensure that these security scans are performed by a qualified independent scan vendor. 15
  • 16. Selecting the SAQ that Best Applies to Your Organization SAQ Description A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to- face merchants. B Imprint Only merchants with no electronic cardholder data storage, or standalone, dial out terminal merchant with no electronic cardholder data storage C-VT Merchant using only web-based virtual terminals, no cardholder data storage C Merchants with payment application systems connected to the internet, no electronic cardholder data storage D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ 16
  • 18. Implement •Determine Scope •Rebuild system base on requirements •Self Assessment Questionnaires •Report 18
  • 19. Determining Scope – Network Segmented (diagram slides 19 to 21)
  • 22. Principles: SECURE, TRACK, AUDIT
      • You need to ensure that your data is first secured, both physically and electronically.
      • You need to ensure you have mechanisms in place to track who accesses your data and when.
      • You need to review your tracking (audit) to look for anomalies.
  • 23. PCI DSS – Requirements: Six Goals, Twelve Requirements
      Build and Maintain a Secure Network
        1. Install and maintain a firewall configuration to protect cardholder data
        2. Do not use vendor-supplied defaults for system passwords and other security parameters
      Protect Cardholder Data
        3. Protect stored cardholder data
        4. Encrypt transmission of cardholder data across open, public networks
      Maintain a Vulnerability Management Program
        5. Use and regularly update anti-virus software or programs
        6. Develop and maintain secure systems and applications
      Implement Strong Access Control Measures
        7. Restrict access to cardholder data by business need-to-know
        8. Assign a unique ID to each person with computer access
        9. Restrict physical access to cardholder data
      Regularly Monitor and Test Networks
        10. Track and monitor all access to network resources and cardholder data
        11. Regularly test security systems and processes
      Maintain an Information Security Policy
        12. Maintain a policy that addresses information security for employees and contractors
  • 24. PA-DSS Introduction
      Formerly known as PABP (Payment Application Best Practices), supervised by Visa.
      Goals
        • Develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data
        • Ensure their payment applications support compliance with the PCI DSS
      The requirements for the PA-DSS are derived from the PCI DSS.
      Why focus on software? Vulnerable payment applications are currently the leading cause of data compromise incidents, particularly for small merchants.
  • 25. PA-DSS Requirements: Fourteen Requirements
      Requirement 1: Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
      Requirement 2: Protect stored cardholder data
      Requirement 3: Provide secure authentication features
      Requirement 4: Log payment application activity
      Requirement 5: Develop secure payment applications (5.2 - OWASP Guide, SANS CWE Top 25, CERT Secure Coding)
      Requirement 6: Protect wireless transmissions
      Requirement 7: Test payment applications to address vulnerabilities
      Requirement 8: Facilitate secure network implementation
      Requirement 9: Cardholder data must never be stored on a server connected to the Internet
      Requirement 10: Facilitate secure remote software updates
      Requirement 11: Facilitate secure remote access to payment application
      Requirement 12: Encrypt sensitive traffic over public networks
      Requirement 13: Encrypt all non-console administrative access
      Requirement 14: Maintain instructional documentation and training programs for customers, resellers, and integrators
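As an added example (not from the slides or from any PCI document), a Python storage filter that applies PA-DSS Requirement 1 and PCI DSS Requirement 3 to an authorisation record before it is persisted: sensitive authentication data is dropped, the PAN is masked to at most the first six and last four digits (the PCI DSS 3.3 display limit), and track-like data hiding inside other fields is rejected. The record layout and field names are assumptions.

```python
"""Storage filter for an authorisation record: drop sensitive authentication
data (PA-DSS Req. 1), mask the PAN before storage (PCI DSS Req. 3). Added
example; record layout and field names are assumptions, not from PCI texts."""
import re
from typing import Any, Dict

# Sensitive authentication data: must never be kept after authorisation.
SAD_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cav2", "cid", "pin_block"}
# Track-2-like content (PAN '=' expiry ...) leaking into a free-text field.
TRACK_LIKE = re.compile(r"\d{13,19}=\d{4}")

def luhn_ok(pan: str) -> bool:
    """Luhn check, so a field claiming to be a PAN really is one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3 mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def sanitize_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `record` that is safe to persist: SAD dropped, PAN
    masked, and any track data hiding inside other string fields rejected."""
    safe: Dict[str, Any] = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue                        # drop, never store
        if k == "pan":
            pan = str(value)
            if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
                raise ValueError("pan field is not a well-formed PAN")
            safe["pan_masked"] = mask_pan(pan)
            continue
        if isinstance(value, str) and TRACK_LIKE.search(value):
            raise ValueError(f"track-like data embedded in field {key!r}")
        safe[key] = value
    return safe

# Constructed sample record (the PAN is the well-known Visa test number).
SAMPLE_RECORD = {
    "pan": "4111111111111111", "expiry": "1226", "cvv2": "123",
    "track2": "4111111111111111=12261011234567890123",
    "amount": "19.99", "auth_code": "A1B2C3",
}
```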
  • 26. SAQ Objectives: Self Assessment Questionnaires
      • Based on industry feedback
      • Flexibility for multiple merchant types
      • Providing guidance for the intent and applicability of the underlying requirements
  • 27. Self Assessment Questionnaires
      SAQ A, validation type 1: Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. Fewer than 11 questions.
      SAQ B, validation type 2: Imprint-only merchants with no cardholder data storage. 21 questions.
      SAQ B, validation type 3: Stand-alone dial-up terminal merchants, no cardholder data storage. 21 questions.
      SAQ C, validation type 4: Merchants with payment application systems connected to the Internet, no cardholder data storage. 38 questions.
      SAQ D, validation type 5: All other merchants (not included in the descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ. Full DSS.
  • 28. Reports
      Regular reports are required for PCI DSS compliance. All merchants, service providers and processors may be required to submit quarterly scan reports. All scans must be performed by a PCI SSC approved ASV (Approved Scanning Vendor).

Editor's notes

  4. Key Learning Point: Using PCI compliant equipment and software can support merchant efforts to become PCI DSS compliant, but does not make a merchant PCI DSS compliant. The PCI DSS covers all aspects of how a merchant protects cardholder data, which goes beyond using secure equipment and software.
  6. Key Learning Point : Not all PCI DSS requirements apply to all merchants. Merchants must review each requirement to determine applicability to the merchant’s card payment acceptance systems and business processes.