For Visa Internal Use Only
This information is not intended, and should not be
construed, as an offer to sell, or as a solicitation
of an offer to purchase, any securities
PCI DSS – Why it matters
Steve Wilson
Head of Information Security Compliance
Visa Europe
Madrid
7 November 2007
What is PCI DSS?
• ‘Common sense’ approach to data security
• Closely linked to other standards
  – BS 7799
  – ISO 27001
  – Sarbanes-Oxley etc.
• Focussed on card data
• Owned and managed by PCI SSC (independent of the card schemes)
• Any organisation can become a participant
Why is PCI DSS important?
A simple equation
Data = identity = money
A Visa card… (figure: card number, expiry date)
A Visa card… (cont.)
CVV2: the card account number, plus a three-digit Card Verification Value 2 (CVV2), is indent-printed on the signature panel.
Magnetic stripe: made up of “Track 1” and “Track 2” data.
Track data and CVV2 should never be stored after authorisation.
Card data is retained by companies for 3 weeks or longer after authorisation.
Reasons given include:
– Marketing purposes
– As a unique customer identifier
– Fraud analysis
– Customer profiling
Data security and your brand
-How much would your brand be worth if you lose your consumers’ trust?
-Would your consumers stay with you?
-Would your shareholders stay with you?
Your brand needs security!
-Compromises do happen every day, everywhere
-In the consumer’s view, consumers, card schemes and merchants share responsibility for protecting their card data
Yet… 63% of consumers view merchants as the weakest link when it comes to protecting their data…¹
¹Source: Javelin Strategy and Research 2007
Merchants as the weakest link
Consumer confidence seriously impacted by a data breach
In the case of a breach…
49% of consumers believe merchants to be the most likely source of the data breach
3 out of 4 consumers won’t shop again at a compromised merchant
Investing in PCI DSS should be part of your consumer retention plans
Media and regulators are watching us…
-National and European governments are showing increasing interest in the area of account information security
  • The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise) – already adopted in California, Minnesota and Texas
-Media increasingly questioning industry compliance and progress…
Security and your corporate social responsibility strategy
84% of consumers want to shop at merchants who are security market leaders
A secure merchant secures consumers’ trust!
Can you retain your shareholders if you lose your customers?
Security/IT benefits
A socially responsible merchant is fully aware of how its systems work and what it is doing to protect the card data in its possession.
PCI DSS makes you aware of issues:
-This enables you to fix them
-This works towards protecting consumers’ and shareholders’ trust in your brand
Financial benefits
-The sheer financial cost of a compromise may prove hard to bear
-Large retailers indicate that their business case for investing in PCI DSS is based on the potential financial cost of reacting to a data breach
Costing the reaction to a data breach = € 10,000,000¹
+Hiring security firms to contain the compromise
+Replacing systems
+Increased customer service costs
+Actual costs of internal investigations
+Outside legal defence fees
+Discounted services offered
+Lost employee productivity
+Financial hit from lost customers
¹Figure is based on the average cost of containing a compromise, according to research by the Ponemon Institute
Some Tips from Large Merchants in Europe and US
Senior management sponsorship is mandatory
• Assign dedicated people
• PCI DSS is as much about people and business processes as it is about systems
• Map and document your business processes
  – Trace cardholder data from point of sale to billing and settlement
  – Map the systems, applications and databases that support these processes
  – Re-engineer processes to remove duplicate or unnecessary data
• Reduce the scope as much as possible
  – Segment the cardholder data network from the rest of the network
  – If you don’t need it, don’t store it!
• Engage a QSA early on in the project
Considerations
-We need to reduce our information footprint
-We need to rethink ways of achieving the same marketing and fraud objectives without storing data unnecessarily
-We need to prioritise the removal of magstripe and card verification data
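As an added example (not part of the Visa Europe deck), the check a merchant can run to find the data the earlier slides say must not be kept after authorisation: full Track 1 / Track 2 data, CVV2 values and Luhn-valid PANs lingering in stored logs. The Track 1 / Track 2 layouts follow ISO/IEC 7813; the log format, field names such as `cvv2=` and the card numbers are constructed samples.

```python
"""Scan stored records for card data that must not be retained after authorisation.

Added example, not part of the Visa Europe deck. Track 1 / Track 2 layouts
follow ISO/IEC 7813; the log lines below are constructed samples.
"""
import re
from dataclasses import dataclass

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# A card verification value written out as a field (cvv2=123, cvc2: 4567, ...)
CVV2_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)
# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual display rule); hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "TRACK1", "TRACK2", "CVV2" or "PAN"
    value: str     # masked PAN, or "***" for a verification value


def scan(lines):
    """Return a list of Findings for every line that still holds card data."""
    findings = []
    for n, line in enumerate(lines, 1):
        track_pans = set()
        for m in TRACK1_RE.finditer(line):
            track_pans.add(m.group(1))
            findings.append(Finding(n, "TRACK1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            track_pans.add(m.group(1))
            findings.append(Finding(n, "TRACK2", mask_pan(m.group(1))))
        for _ in CVV2_RE.finditer(line):
            findings.append(Finding(n, "CVV2", "***"))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # skip non-card digit runs (timestamps, order ids) and PANs already
            # reported as part of track data on this line
            if luhn_ok(digits) and digits not in track_pans:
                findings.append(Finding(n, "PAN", mask_pan(digits)))
    return findings


def summarize(findings):
    """Count findings per kind; TRACK1, TRACK2 and CVV2 are the items to remove first."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample of a payment application log (test card numbers, not real data)
SAMPLE_LOG = [
    "2007-11-07 10:01:22 auth ok txn=8812 pan=4111 1111 1111 1111 exp=0912 amount=42.50",
    "2007-11-07 10:01:23 raw swipe: %B4111111111111111^DOE/JANE^09121011000000?"
    ";4111111111111111=09121011000000?",
    "2007-11-07 10:02:01 cnp order 9921 cvv2=123 result=approved",
    "2007-11-07 10:03:15 order 9922 ref=4111111111111112 status=shipped",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(summarize(found))
```

The last sample line is deliberately a 16-digit value that fails the Luhn check, so the scanner reports nothing for it; the swipe line shows why track data is the worst case, as one record carries the PAN, expiry and service code twice.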
Support from Visa Europe
Collateral available from the Visa Europe website: http://www.visaeurope.com/aboutvisa/security/ais/main.jsp
• Merchant implementation guides
• Service Provider guides
• Available in English, French, Spanish, German, Italian
• List of certified Service Providers
• Work with Acquiring banks to provide:
  – Merchant training
  – Guidance on specific issues
Thank you