A talk at the Jisc security conference 2019 by Matt Ball, chairman, PCI DSS Special Interest Group.

1. New technology...
....revolutionising the same old motives
6th November 2019

2. Technology expanding card payments....
1950 -10,000 cards 2017 – 20.48 billion cards

3. Payment Security the continual need

4. Card fraud facts
• 2017: £565.4 million (UK Issued cards)
• 2018: £671.4 million (UK Issued cards)
• 2018: £1.21 billion card fraud stopped by banks/card companies (up 14% from 2017)
£6.27 in every £10 of attempted card fraud prevented
Card fraud needs a continual supply of card data..... We process a lot of cards...

5. The “Die Hard” guide to common attacks
Physical Attack Physical Network Compromise Remote Cyber Attack

6. Payment Security Perspectives
• Essential Business as Usual activity
• Integrates into payment processing
• It’s the “silent service” your payers expect
• It’s the “silent service” that your organisation thinks it has
• Success is achieved via cross departmental partnership

7. PCI DSS Perspectives
PCI-DSS: Payment Card Industry Data Security Standard.
“ A standard designed with the aim of protecting the customer’s card
holder data when it’s received, used, transmitted or stored within the
merchant’s organisation.”

8. PCI DSS Perspectives
• PCI DSS is the minimum data security standard
• PCI DSS compliance evidences card payment security
• PCI DSS compliance is a contractual obligation
• PCI DSS is not a tick box exercise
• Payment Security & PCI DSS is continuous
• Success is achieved via cross departmental partnership

9. Security vs. Compliance
Security Compliance
Keeping the safe locked 24/7
Something we do every day
• Customer Expectation
• Business Expectation
• Acquirer Expectation
Reporting the safe was locked on the day
we checked it
A point in time view

10. Take card payments? – You have a CDE

11. The CDE: Card Data Environment
What is it?
The people, processes and technology that store, process, or transmit cardholder data
or sensitive authentication data.
CDE and supporting services impact payment security
CDE and supporting services will be your PCI Scope

12. Merchant ID(MID): Heart of the CDE
Merchant ID
• Links to Acquirer (supplied under contract)
• Accountable business owner
• Essential to take a card payment
Payment
Service
• Face to Face
• MOTO / Cardholder not present
• Online
Supporting
Services
• Networks - Voice & Data
• IT Support & support services
• Physical Services / Facilities

13. When payment security comes off the rails...

14. Recognising value shapes our payment security approach
Misunderstanding value

15. Convenience trumps security
It’s only a post-it note......it’s not like the world will see it....

16. Other common causes
• Lack of accountability and ownership (actual or perceived)
• Training shortfall (not enough, not relevant, not understood)
• Business demands (lack of time/resources/pressures)
• Documentation (incomplete / out of date / just missing)
• Complacency (“It’s never been a problem before”)
• Resistance to change (“We’ve always done it this way”)

17. PCI DSS SIG
• www.pcidsssig.org.uk
• twitter.com/pcidsssig