SlideShare a Scribd company logo

Payment System Risk. Visa

Internet Security Auditors
Internet Security Auditors

En este presentación Andrew Mulvenna, de VISA, desgranó algunos puntos básicos de las normativas PCI DSS y PA DSS como por ejemplo las novedades de las versiones 2.0, el nuevo ciclo de vida de las normas, la aproximación a PCI DSS basada en una priorización de riesgos o la importancia del cifrado y la tokenización en las nuevas arquitecturas de los medios de pago.

TechnologyEconomy & Finance
1 of 20
Download to read offline
Visa Europe Public Payment System Risk Andrew Mulvenna 10th November 2010
Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption and Tokenisation • Questions and Answers 2
Visa Europe Public PCI DSS & PA-DSS v2.0 – What’s new? • Mainly clarifications to existing requirements. • Certain requirements will be based more on risk assessment rather than being overly perspective. • The standards will be moving to a three year standard lifecycle.
Visa Europe Public The New Life-cycle
Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption and Tokenisation • Questions and Answers 5
Visa Europe Public The Current Environment • Knowledge of cardholder and account data is (largely) considered proof of ownership. Consequently, cardholder data is inherently valuable to a criminal. • Many retailers believe that there is a disproportionate onus on them to protect data. • What if we could make data less valuable such that it needs less protection? =
Visa Europe Public Storing cardholder data Basic principles: • If you don’t need it don’t store it • Delete sensitive authentication data after authorisation • If you store cardholder data you must do one or more of the following: – Truncate – Hash – Encrypt 7Retail Fraud Conference 20 April 2010
Visa Europe Public Merchant Levels and Validation Requirements Level Definition Validation requirements 1 Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.** ** Where merchants operate in more than one country or region, if they meet level one criteria in any Visa country or region, they are considered a global Level one merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not aggregated across borders. In such cases merchants are validated according to regional levels. Annual Report on Compliance (ROC) to follow an on- site audit by either a Qualified Security Assessor or qualified internal security resource Quarterly network scan by Approved Scan Vendor (ASV) Attestation of Compliance form 2 Merchants processing one million to six million Visa transactions annually via all channels. Annual Self-Assessment Questionnaire (SAQ) Quarterly network scan by ASV Attestation of Compliance form
Visa Europe Public Merchant Levels and Validation Requirements (2) Level Definition Validation requirements 3 Merchants processing 20,000 to one million Visa e- commerce transactions annually. Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data. OR Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe 4 E-commerce merchants only Merchants processing fewer than 20,000 Visa e- commerce transactions annually. Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data OR Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe 4 Non e-commerce merchants processing up to one million Visa transactions annually. Annual SAQ Quarterly network scan by an ASV Attestation of Compliance form
Visa Europe Public PCI DSS Prioritised Risk Based Approach Phase PCI DSS Objective (defined by PCI SSC) 1 Remove Sensitive Authentication Data and Limit Data Retention 2 Protect the Perimeter, Internal, and Wireless Networks 3 Secure Applications 4 Protect Through Monitoring and Access Control 5 Render Cardholder Data Unreadable 6 Achieve Final Compliance and Maintenance of PCI DSS Required Validation Merchant Discretion / Safe Harbour
Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption And Tokenisation •Questions and Answers 11
Visa Europe Public Guidance Supplements
Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption and Tokenisation • Questions and Answers 13
Visa Europe Public New Payment Architectures Encrypting Registers Segmenting Device PCI Compliant Zone Internal or Public Network Point of Decryption PCI Compliant Zone Segmenting Device Encrypting PEDs
Visa Europe Public The industry’s first specification for Data Field Encryption – A compressive guidance document describing the key management practices that would be necessary to support encryption solutions – Based on 5 key security objectives – Aimed at consolidating industry best practice 15
Visa Europe Public SRED – Secure Read and Exchange of Data • A new optional module within PCI PTS PoI v3. • Describes security requirements for the protection of account data originating from a secure PED.
Visa Europe Public What is Tokenisation? • Tokenisation defines a process through which PANs are replaced with surrogate values known as “tokens”. • The security of an individual token relies on the properties of uniqueness and the infeasibility to determine the original PAN knowing only the surrogate value.
Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption and Tokenisation •Questions and Answers 18
Visa Europe Public Questions?
Visa Europe Public Thank you

Recommended

PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
John Baines
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National Certification
Mark Pollard
 
04 regulations-impact-on-finance-sector
04 regulations-impact-on-finance-sector04 regulations-impact-on-finance-sector
04 regulations-impact-on-finance-sector
innov-acts-ltd
 
[WSO2 Open Banking & Security Forum Mexico 2019] API-Driven World
[WSO2 Open Banking & Security Forum Mexico 2019] API-Driven World[WSO2 Open Banking & Security Forum Mexico 2019] API-Driven World
[WSO2 Open Banking & Security Forum Mexico 2019] API-Driven World
WSO2
 
AxiaMed_6 facts about P2PE
AxiaMed_6 facts about P2PEAxiaMed_6 facts about P2PE
AxiaMed_6 facts about P2PE
cklacking
 
6 Facts About P2PE That You Need To Know
6 Facts About P2PE That You Need To Know6 Facts About P2PE That You Need To Know
6 Facts About P2PE That You Need To Know
cklacking
 
PCI Compliance: What You Need to Know
PCI Compliance: What You Need to KnowPCI Compliance: What You Need to Know
PCI Compliance: What You Need to Know
Sasha Nunke
 

Recommended

PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
John Baines
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National Certification
Mark Pollard
 
04 regulations-impact-on-finance-sector
04 regulations-impact-on-finance-sector04 regulations-impact-on-finance-sector
04 regulations-impact-on-finance-sector
innov-acts-ltd
 
[WSO2 Open Banking & Security Forum Mexico 2019] API-Driven World
[WSO2 Open Banking & Security Forum Mexico 2019] API-Driven World[WSO2 Open Banking & Security Forum Mexico 2019] API-Driven World
[WSO2 Open Banking & Security Forum Mexico 2019] API-Driven World
WSO2
 
AxiaMed_6 facts about P2PE
AxiaMed_6 facts about P2PEAxiaMed_6 facts about P2PE
AxiaMed_6 facts about P2PE
cklacking
 
6 Facts About P2PE That You Need To Know
6 Facts About P2PE That You Need To Know6 Facts About P2PE That You Need To Know
6 Facts About P2PE That You Need To Know
cklacking
 
PCI Compliance: What You Need to Know
PCI Compliance: What You Need to KnowPCI Compliance: What You Need to Know
PCI Compliance: What You Need to Know
Sasha Nunke
 
AML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning WebinarAML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning Webinar
Idan Tohami
 
BUIDL in France - Understanding the French Crypto-Assets Framework
BUIDL in France - Understanding the French Crypto-Assets FrameworkBUIDL in France - Understanding the French Crypto-Assets Framework
BUIDL in France - Understanding the French Crypto-Assets Framework
Simon Polrot
 
Credit card frauds in hospitality
Credit card frauds in hospitalityCredit card frauds in hospitality
Credit card frauds in hospitality
Vishal Sharma
 
BizDay: The Reality of Infrastructure in the Age of Enthusiasm for Blockchain...
BizDay: The Reality of Infrastructure in the Age of Enthusiasm for Blockchain...BizDay: The Reality of Infrastructure in the Age of Enthusiasm for Blockchain...
BizDay: The Reality of Infrastructure in the Age of Enthusiasm for Blockchain...
R3
 
[WSO2Con EU 2017] Fraud Prevention and Compliance in Financial Sector with WS...
[WSO2Con EU 2017] Fraud Prevention and Compliance in Financial Sector with WS...[WSO2Con EU 2017] Fraud Prevention and Compliance in Financial Sector with WS...
[WSO2Con EU 2017] Fraud Prevention and Compliance in Financial Sector with WS...
WSO2
 
Introducing SWIFT
Introducing SWIFTIntroducing SWIFT
Introducing SWIFT
IFAD International Fund for Agricultural Development
 
Mobile payments and PCI DSS
Mobile payments and PCI DSSMobile payments and PCI DSS
Mobile payments and PCI DSS
Manish Mahapatra
 
LSEG Connectivity Services Overview
LSEG Connectivity Services OverviewLSEG Connectivity Services Overview
LSEG Connectivity Services Overview
Iosif Itkin
 
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FinTechLabs.io
 
The rise of fin tech presentation
The rise of fin tech presentationThe rise of fin tech presentation
The rise of fin tech presentation
Bovill
 
FIDO, Strong Authentication and elD in Germany
FIDO, Strong Authentication and elD in GermanyFIDO, Strong Authentication and elD in Germany
FIDO, Strong Authentication and elD in Germany
FIDO Alliance
 
MiFID_MARS_Traing_PPTT_v1.0
MiFID_MARS_Traing_PPTT_v1.0MiFID_MARS_Traing_PPTT_v1.0
MiFID_MARS_Traing_PPTT_v1.0
Shashank Kumar
 
Digital Identification Systems, pune, Security Solutions
Digital Identification Systems, pune, Security SolutionsDigital Identification Systems, pune, Security Solutions
Digital Identification Systems, pune, Security Solutions
IndiaMART InterMESH Limited
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
JoseLuna802663
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
Melanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
eCommerce Merchants
 
PCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program OverviewPCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program Overview
- Mark - Fullbright
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
Shanmugavel Sankaran
 

More Related Content

What's hot

AML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning WebinarAML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning Webinar
Idan Tohami
 
MiFID_MARS_Traing_PPTT_v1.0
MiFID_MARS_Traing_PPTT_v1.0MiFID_MARS_Traing_PPTT_v1.0
MiFID_MARS_Traing_PPTT_v1.0
Shashank Kumar
 

What's hot (13)

AML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning WebinarAML Transaction Monitoring Tuning Webinar
AML Transaction Monitoring Tuning Webinar
 
BUIDL in France - Understanding the French Crypto-Assets Framework
BUIDL in France - Understanding the French Crypto-Assets FrameworkBUIDL in France - Understanding the French Crypto-Assets Framework
BUIDL in France - Understanding the French Crypto-Assets Framework
 
Credit card frauds in hospitality
Credit card frauds in hospitalityCredit card frauds in hospitality
Credit card frauds in hospitality
 
BizDay: The Reality of Infrastructure in the Age of Enthusiasm for Blockchain...
BizDay: The Reality of Infrastructure in the Age of Enthusiasm for Blockchain...BizDay: The Reality of Infrastructure in the Age of Enthusiasm for Blockchain...
BizDay: The Reality of Infrastructure in the Age of Enthusiasm for Blockchain...
 
[WSO2Con EU 2017] Fraud Prevention and Compliance in Financial Sector with WS...
[WSO2Con EU 2017] Fraud Prevention and Compliance in Financial Sector with WS...[WSO2Con EU 2017] Fraud Prevention and Compliance in Financial Sector with WS...
[WSO2Con EU 2017] Fraud Prevention and Compliance in Financial Sector with WS...
 
Introducing SWIFT
Introducing SWIFTIntroducing SWIFT
Introducing SWIFT
 
Mobile payments and PCI DSS
Mobile payments and PCI DSSMobile payments and PCI DSS
Mobile payments and PCI DSS
 
LSEG Connectivity Services Overview
LSEG Connectivity Services OverviewLSEG Connectivity Services Overview
LSEG Connectivity Services Overview
 
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
 
The rise of fin tech presentation
The rise of fin tech presentationThe rise of fin tech presentation
The rise of fin tech presentation
 
FIDO, Strong Authentication and elD in Germany
FIDO, Strong Authentication and elD in GermanyFIDO, Strong Authentication and elD in Germany
FIDO, Strong Authentication and elD in Germany
 
MiFID_MARS_Traing_PPTT_v1.0
MiFID_MARS_Traing_PPTT_v1.0MiFID_MARS_Traing_PPTT_v1.0
MiFID_MARS_Traing_PPTT_v1.0
 
Digital Identification Systems, pune, Security Solutions
Digital Identification Systems, pune, Security SolutionsDigital Identification Systems, pune, Security Solutions
Digital Identification Systems, pune, Security Solutions
 

Similar to Payment System Risk. Visa

A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
Dermot Clarke
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
wardell henley
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
sallychiu
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
ssuserbcc088
 

Similar to Payment System Risk. Visa (20)

A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program OverviewPCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program Overview
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
 
PCI at the POS / What’s New, What’s Next, and What Merchants Can Do to Simpl...
PCI at the POS / What’s New, What’s Next, and What Merchants Can Do to Simpl...PCI at the POS / What’s New, What’s Next, and What Merchants Can Do to Simpl...
PCI at the POS / What’s New, What’s Next, and What Merchants Can Do to Simpl...
 
PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWidePCI DSS: Update on the evolution of the standard. MasterCard WorldWide
PCI DSS: Update on the evolution of the standard. MasterCard WorldWide
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certification
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
 

More from Internet Security Auditors

XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligenciaXIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
Internet Security Auditors
 
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Internet Security Auditors
 
PCI DSS en el Cloud: Transferencia Internacional Datos
PCI DSS en el Cloud: Transferencia Internacional DatosPCI DSS en el Cloud: Transferencia Internacional Datos
PCI DSS en el Cloud: Transferencia Internacional Datos
Internet Security Auditors
 
Proteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Proteccion de Datos Personales: Conceptos, Sanciones, MetodologiaProteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Proteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Internet Security Auditors
 
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
Internet Security Auditors
 
RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?
Internet Security Auditors
 
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCICambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Internet Security Auditors
 
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Internet Security Auditors
 
CIBERSEG'16. Técnicas #OSINT
CIBERSEG'16. Técnicas #OSINTCIBERSEG'16. Técnicas #OSINT
CIBERSEG'16. Técnicas #OSINT
Internet Security Auditors
 
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
Internet Security Auditors
 

More from Internet Security Auditors (20)

Explotando los datos como materia prima del conocimiento
Explotando los datos como materia prima del conocimientoExplotando los datos como materia prima del conocimiento
Explotando los datos como materia prima del conocimiento
 
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligenciaXIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
 
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
 
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOs
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOsProblemática de implementación de un SGSI o un SGCN en contact centers y BPOs
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOs
 
PCI DSS en el Cloud: Transferencia Internacional Datos
PCI DSS en el Cloud: Transferencia Internacional DatosPCI DSS en el Cloud: Transferencia Internacional Datos
PCI DSS en el Cloud: Transferencia Internacional Datos
 
Problematicas de PCI DSS en Contact Centers & BPO
Problematicas de PCI DSS en Contact Centers & BPOProblematicas de PCI DSS en Contact Centers & BPO
Problematicas de PCI DSS en Contact Centers & BPO
 
PCI DSS: Justificacion del Cumplimiento
PCI DSS: Justificacion del CumplimientoPCI DSS: Justificacion del Cumplimiento
PCI DSS: Justificacion del Cumplimiento
 
Proteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Proteccion de Datos Personales: Conceptos, Sanciones, MetodologiaProteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Proteccion de Datos Personales: Conceptos, Sanciones, Metodologia
 
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
 
RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?
 
PCI DSS en la Nube
PCI DSS en la NubePCI DSS en la Nube
PCI DSS en la Nube
 
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCICambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
 
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...
 
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
 
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las Sanciones
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las SancionesConferencia sobre Protección de Datos (Bogotá): Aprendiendo de las Sanciones
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las Sanciones
 
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...
 
CIBERSEG'16. Técnicas #OSINT
CIBERSEG'16. Técnicas #OSINTCIBERSEG'16. Técnicas #OSINT
CIBERSEG'16. Técnicas #OSINT
 
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
 
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones Android
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones AndroidCIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones Android
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones Android
 
(ISC)2 Security Congress EMEA. You are being watched.
(ISC)2 Security Congress EMEA. You are being watched.(ISC)2 Security Congress EMEA. You are being watched.
(ISC)2 Security Congress EMEA. You are being watched.
 

Recently uploaded

The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 

Payment System Risk. Visa

  • 1. Visa Europe Public Payment System Risk Andrew Mulvenna 10th November 2010
  • 2. Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption and Tokenisation • Questions and Answers 2
  • 3. Visa Europe Public PCI DSS & PA-DSS v2.0 – What’s new? • Mainly clarifications to existing requirements. • Certain requirements will be based more on risk assessment rather than being overly perspective. • The standards will be moving to a three year standard lifecycle.
  • 4. Visa Europe Public The New Life-cycle
  • 5. Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption and Tokenisation • Questions and Answers 5
  • 6. Visa Europe Public The Current Environment • Knowledge of cardholder and account data is (largely) considered proof of ownership. Consequently, cardholder data is inherently valuable to a criminal. • Many retailers believe that there is a disproportionate onus on them to protect data. • What if we could make data less valuable such that it needs less protection? =
  • 7. Visa Europe Public Storing cardholder data Basic principles: • If you don’t need it don’t store it • Delete sensitive authentication data after authorisation • If you store cardholder data you must do one or more of the following: – Truncate – Hash – Encrypt 7Retail Fraud Conference 20 April 2010
  • 8. Visa Europe Public Merchant Levels and Validation Requirements Level Definition Validation requirements 1 Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.** ** Where merchants operate in more than one country or region, if they meet level one criteria in any Visa country or region, they are considered a global Level one merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not aggregated across borders. In such cases merchants are validated according to regional levels. Annual Report on Compliance (ROC) to follow an on- site audit by either a Qualified Security Assessor or qualified internal security resource Quarterly network scan by Approved Scan Vendor (ASV) Attestation of Compliance form 2 Merchants processing one million to six million Visa transactions annually via all channels. Annual Self-Assessment Questionnaire (SAQ) Quarterly network scan by ASV Attestation of Compliance form
  • 9. Visa Europe Public Merchant Levels and Validation Requirements (2) Level Definition Validation requirements 3 Merchants processing 20,000 to one million Visa e- commerce transactions annually. Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data. OR Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe 4 E-commerce merchants only Merchants processing fewer than 20,000 Visa e- commerce transactions annually. Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data OR Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe 4 Non e-commerce merchants processing up to one million Visa transactions annually. Annual SAQ Quarterly network scan by an ASV Attestation of Compliance form
  • 10. Visa Europe Public PCI DSS Prioritised Risk Based Approach Phase PCI DSS Objective (defined by PCI SSC) 1 Remove Sensitive Authentication Data and Limit Data Retention 2 Protect the Perimeter, Internal, and Wireless Networks 3 Secure Applications 4 Protect Through Monitoring and Access Control 5 Render Cardholder Data Unreadable 6 Achieve Final Compliance and Maintenance of PCI DSS Required Validation Merchant Discretion / Safe Harbour
  • 11. Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption And Tokenisation •Questions and Answers 11
  • 13. Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption and Tokenisation • Questions and Answers 13
  • 14. Visa Europe Public New Payment Architectures Encrypting Registers Segmenting Device PCI Compliant Zone Internal or Public Network Point of Decryption PCI Compliant Zone Segmenting Device Encrypting PEDs
  • 15. Visa Europe Public The industry’s first specification for Data Field Encryption – A compressive guidance document describing the key management practices that would be necessary to support encryption solutions – Based on 5 key security objectives – Aimed at consolidating industry best practice 15
  • 16. Visa Europe Public SRED – Secure Read and Exchange of Data • A new optional module within PCI PTS PoI v3. • Describes security requirements for the protection of account data originating from a secure PED.
  • 17. Visa Europe Public What is Tokenisation? • Tokenisation defines a process through which PANs are replaced with surrogate values known as “tokens”. • The security of an individual token relies on the properties of uniqueness and the infeasibility to determine the original PAN knowing only the surrogate value.
  • 18. Visa Europe Public Agenda • PCI DSS & PA-DSS v2.0 – What’s new? • Visa Europe’s PCI Compliance Programme • Vulnerability Guidance • Encryption and Tokenisation •Questions and Answers 18