PCI Compliance Explained And Why It Should Matter To Your Business
1. PCI Compliance Explained and Why it Should Matter to Your Business. Presented by: John Bedrick, AccuCode
2. Agenda
About AccuCode
Industries that need to be PCI compliant, and does PCI DSS apply to my business?
Data breach news and who is at risk
What is being stolen (at risk) and what is being attacked
What the Payment Card Industry (PCI) Data Security Standard (DSS) is and how it came to be
Merchant levels and how they apply to your business (validation requirements)
PCI DSS requirements
Benefits of being PCI compliant and the consequences of being non-compliant with the PCI DSS
Definition of a compromise
AO:Compliance™ and next steps on the road to becoming PCI compliant
Questions and answers
4. VAR, Professional & Managed Services, Commercial Software Products
5. National leader in application of retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies
6. Fastest Growing Privately Held Company in the U.S.
10. Data Breach News Clips
1/26/2011 - Hamilton Beach Brands - Hacker code was discovered on the servers that host hamiltonbeach.com and proctorsilex.com. The servers were breached on January 5th, 2011. Customer names, credit card data, addresses, telephone numbers and emails were captured.
3/17/2008 - Hannaford Bros. supermarket chain - The company is currently aware of about 1,800+ cases of reported fraud related to the security breach. 4.2+ million credit and debit card numbers were stolen. Albert "Segvec" Gonzalez (one of the hackers) was also involved in the TJX data breach.
1/17/2007 - TJX Companies - Unauthorized intrusions into computer systems that process and store customer transactions, including credit card, debit card, check and merchandise return transactions. Data from 2003 through December 2006 may have been accessed.
2/24/2011 - Snow Creek Ski Resort - A hacker was able to obtain payment card information around Friday, February 18th. Information from electronic card transactions performed on-site was exposed.
3/10/2011 - Se San Diego Hotel - Malicious software was uploaded to the hotel's computer system sometime around September 2010. Customer credit card information was obtained and sold to a group of seven people who used it to make fraudulent charges.
3/15/2011 - Nation's Giant Hamburgers - Over 200 cases of identity theft were traced to Nation's Giant Hamburgers in Vacaville, CA. The cause of the breach was said to be a problem with the credit card machines in the store.
3/15/2011 - Health Net Inc. - Nine servers containing sensitive health information went missing from Health Net's data center. The servers contained personal and financial data of 1.9 million current and former policyholders.
3/28/2011 - Major Boston restaurant group that failed to secure personal data to pay $110,000 under settlement - Penalty paid in connection with a 2009 data breach at restaurants that include Ned Devine's, The Green Briar, The Harp, and others.
16. Online / Web / Internet – eCommerce (card absent*)
17. Via Facsimile/Fax (card absent*)
PCI DSS applies regardless of the size of your business or the volume of transactions you do each year. While checks are not covered under PCI DSS, they may be covered under state privacy laws.
* Commonly referred to as "Card Not Present"
18. What is the Payment Card Industry (PCI), how it came to be and what is cardholder data?
23. QSA/PTS Lab education, certification, and quality assurance
24. Final validation and listing maintenance for PA-DSS validated applications
Led by an Executive Committee composed of representatives from the card brands
A Board of Advisors offers guidance on the evolution of the PCI DSS
25. Role of the PCI SSC
Improve payment account security throughout the transaction process by way of the PCI DSS
Manage the evolution of the security standards
The PCI SSC is NOT responsible for enforcing compliance. The payment card brands and acquiring banks enforce PCI compliance.
32. Storage not permitted after authorization
The card validation code printed on the card is sensitive authentication data and may not be stored after authorization, even if it is encrypted:
MasterCard: CVC2 - Card Validation Code
Visa: CVV2 - Card Verification Value
Discover: CID - Card Member ID
American Express: CID - Card Identification Number
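A practical check for the "no storage after authorization" rule is to scan stored records (logs, database exports, batch files) for card validation codes and full card numbers. The following is an added example for this page, not code from the presentation or from AccuCode; it assumes stored records are plain text with key=value fields, and it uses constructed sample lines containing well-known test card numbers rather than real data. PANs are detected with the Luhn check so that ordinary numbers (order IDs, dates) are not flagged; validation codes are detected by their field name, since a bare 3- or 4-digit value carries no signature of its own.

```python
import re

# Constructed sample records standing in for what a scan of a merchant
# system might turn up. The card numbers are published test numbers.
SAMPLE_RECORDS = [
    'order=1001 pan=4111111111111111 exp=12/29 cvv2=123 auth=APPROVED',
    'order=1002 pan=411111******1111 auth=APPROVED',   # properly masked
    'order=1003 card=5555555555554444 cvc2=321',
    'order=1004 pan=4111111111111112 note=invoice 20250101',  # fails Luhn
    'order=1005 amount=15.00 cid=1234 brand=AMEX',
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r'(?<!\d)(\d[ -]?){12,18}\d(?!\d)')

# Field names under which validation codes are commonly labelled; the
# 3-4 digit value shape is an assumption for this example.
SAD_FIELD = re.compile(r'\b(cvv2|cvc2|cav2|cid|cvv|cvc)\s*[=:]\s*(\d{3,4})\b', re.I)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """First six and last four digits only, the usual permitted display form."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_records(records):
    """Return (line number, finding type, detail) for each prohibited item."""
    findings = []
    for lineno, rec in enumerate(records, 1):
        for pan in find_pans(rec):
            findings.append((lineno, 'PAN', mask_pan(pan)))
        for m in SAD_FIELD.finditer(rec):
            findings.append((lineno, 'SAD', m.group(1).lower()))
    return findings


if __name__ == '__main__':
    for lineno, kind, detail in scan_records(SAMPLE_RECORDS):
        print(f'line {lineno}: {kind} {detail}')
```

Record 2 produces nothing because its PAN is already truncated, and record 4 produces nothing because the number fails Luhn; records 1, 3 and 5 each show a validation code that should never have been written to disk, and records 1 and 3 additionally show a full PAN. The scanner reports PANs only in masked form so that its own output does not become another store of cardholder data.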
33. PCI Data Security Standard (DSS)Goals, Requirements and Common PCI Compliance Failures
35. Compliance to the PCI DSS - Requirements
[Chart: percentage of assessed organizations compliant with each PCI DSS requirement; the requirement labels did not survive extraction. Values shown, in slide order: 98.4%, 97.5%, 99.2%, 95.1%, 92.6%, 90.9%, 83.6%, 74.6%, 68.9%, 48.4%, 8.1%, 7.4%.] Source: Trustwave - 2011 Global Security Report
36. Merchant levels and How it Applies to Your Business (Validation requirements)
37. The Mandate: Merchant Levels Defined (Visa, MasterCard, Discover & JCB)
* Any merchant can be assigned to a specific level by their acquirer, bank, or by a card brand.
38. The Mandate: Merchant Levels Defined (American Express)
* Any merchant can be assigned to a specific level by their acquirer, bank, or AMEX.
** Compliance at this level is strongly suggested, but not mandated.
About the PCI Security Standards Council: The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements. The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. -- have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council. All five payment brands share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the Council as Participating Organizations and review proposed additions or modifications to the standards. Note that enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands and not by the Council. Any questions in those areas should be directed to the payment brands.
Assess and Analyze (this critical step will help you understand how much becoming PCI compliant will cost you): assess the current environment; analyze any gaps that may exist.
Close the Gaps: remediate gaps and problem areas; get the environment compliant.
Stay Compliant: perform regular testing and scanning; remediate to stay compliant.