Demystifying Payment Card Industry Data Security Standard Compliance

Francis Ofungwu
Manager of Security Strategy, Rackspace




Rackspace Partner Network


www.rackspace.co.uk
Agenda

  • What is PCI-DSS?
  • Why Should My Business or Clients Be PCI-DSS Compliant?
  • Penalties for Non-Compliance
  • Penalties for Security Breaches
  • Key Steps Towards PCI-DSS Compliance
  • How Rackspace Can Help
  • Rackspace’s PCI-DSS Position
  • Questions




                            What is PCI-DSS?




What is PCI-DSS?

According to the PCI Security Standards Council:

  PCI-DSS is a set of comprehensive requirements for enhancing payment
  account data security.

  • The standard was developed by the PCI Security Standards Council, whose
    members include American Express, Discover Financial Services, JCB
    International, MasterCard Worldwide and Visa.

  • The primary aim of the council was to facilitate the broad adoption of
    consistent data security measures on a global basis.

  • “PCI DSS should now be considered Business As Usual for any merchant
    accepting cards.” (HSBC PCI-DSS Merchant Guide, January 2008)




                       Why Should My Business
                       Be PCI-DSS Compliant?




Why Should My Business or Clients Be PCI-DSS Compliant?

If your business stores, processes, or transmits cardholder data, you are
required to be PCI-DSS compliant.

This also includes service providers that provide services to merchants who
process, store, or transmit cardholder data.

Non-compliance with PCI-DSS could lead to:
  • Loss of reputation
  • Increased costs for accepting credit card transactions
  • Substantial fines associated with security breaches and non-compliance
  • Revocation of a merchant’s ability to accept credit card payments


               Penalties for Non-Compliance




Penalties for Non-Compliance

Penalties for non-compliance will depend on the card scheme.

Examples of non-compliance penalties are as follows:

  Event                                                  Penalty (Euro)
  Non-compliance after 30 days of notification letter    5,000 per incident of non-compliance
  Non-compliance after 90 days of notification letter    10,000 per incident of non-compliance
  Non-compliance after 120 days of notification letter   25,000 per incident of non-compliance




            Penalties For Security Breaches




Penalties for Security Breaches

When there is a breach, the card scheme will require an independent forensic
investigation.

As with the penalties for non-compliance, the penalties levied for security
breaches will depend on the card scheme. For example:

  Number of compromised accounts    Penalty
  0 – 19,999                        25,000
  20,000 – 99,999                   100,000
  100,000 – 199,999                 200,000
  200,000 – 299,999                 300,000
  300,000 – 399,999                 400,000
  400,000 – 499,999                 500,000
  > 500,000                         750,000

                            Key Steps Towards
                            PCI-DSS Compliance




      Key Steps Towards PCI-DSS Compliance


       • Contact your merchant bank

       • Conduct a scoping exercise

       • Review business processes

 • Utilise the information on the PCI-SSC website:
   https://www.pcisecuritystandards.org/

       • Engage a QSA (Qualified Security Assessor)

       • Engage an ASV (Approved Scanning Vendor)

       • Don’t rest on your laurels



                       How Rackspace Can Help




      How Rackspace can help

      The Rackspace PCI-DSS Toolbox:
      Rackspace’s PCI Toolbox solution: Hardware, Software, and Services

              •   Managed Cisco Firewalls
              •   VPN System Management Access (included with all firewalls)
              •   Sophos/Symantec Anti-virus protection
              •   SSL Certificates
              •   Alert Logic Intrusion Detection Services (IDS)
              •   PCI ASV Network Scanning Service (included with IDS)
              •   Physical System Security (included with standard support)
              •   Patch Management Services (included with standard support)




      How Rackspace can help


Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect
cardholder data

  • Fully Managed Cisco Firewalls
  • VPN System Management Access
  • Network Segmentation

Requirement 2: Do not use vendor-supplied defaults for system passwords and
other security requirements

Rackspace implements industry best practices in network device deployments to
ensure the system hardening specifications required by the standard are met.




      How Rackspace can help


Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Rackspace provides a Managed Anti-Virus solution that provides proactive
protection against viruses, worms, Trojans, spyware and other malware.

Requirement 6: Develop and maintain secure systems and applications

Rackspace provides a reliable and flexible Managed Patching service to help
maintain secure systems.




         How Rackspace can help


Implement Strong Access Control Measures

Requirement 9: Restrict physical access to cardholder data

Rackspace physical security controls are based on the best practices set out in
the ISO/IEC 27002:2005 Information Security Standard. These controls include:

  • Data centre access limited to Rackspace data centre technicians
  • Biometric scanning for controlled data centre access
  • Security camera monitoring at all data centre locations
  • 24x7 onsite staff providing additional protection against unauthorised entry
  • Unmarked facilities to help maintain a low profile




       How Rackspace can help


Regularly Monitor and Test Networks

Requirement 11: Regularly test security systems and processes

Rackspace offers an Intrusion Detection System (IDS) service that meets a number
of the sub-requirements set out in Requirement 11 of the standard, including the
requirement for PCI-SSC-approved internal and external vulnerability scanning.




               Rackspace’s PCI-DSS Position




Rackspace’s PCI-DSS Position

On June 30, 2009, Visa USA accredited Rackspace Hosting as a Compliant Level 1
Payment Card Industry (PCI) Service Provider. The scope of Rackspace’s 2009 PCI
Service Provider accreditation covers the following:

  - Physical security for:
      - UK & US data centres
      - UK & US offices
  - Network infrastructure (routers & switches)
  - Rackspace employee access to network devices




                            Summary




Summary

  • If you store, process, or transmit cardholder data, then you are required
    to be PCI-DSS compliant.

  • There are penalties associated with non-compliance and with data security
    breaches.

  • Rackspace can help you and your clients drive PCI-DSS compliance through
    the PCI-DSS Toolbox.

  • Review the information publicly available on the PCI-SSC website:
    https://www.pcisecuritystandards.org/




                            Questions




Rackspace Partner Network


www.rackspace.co.uk

Contenu connexe

Tendances

A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
Verderber Rothke What’s New With PCI
Verderber   Rothke   What’s New With PCIVerderber   Rothke   What’s New With PCI
Verderber Rothke What’s New With PCIBen Rothke
 
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Ulf Mattsson
 
PCI Compliance for Dummies
PCI Compliance for DummiesPCI Compliance for Dummies
PCI Compliance for DummiesLiberteks
 
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoAdoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
Rightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightScale
 
Facilities Management Security solution
Facilities Management Security solutionFacilities Management Security solution
Facilities Management Security solutionSsgstubbs
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Erik Ginalick
 
PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009Jason Edelstein
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
Pci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedPci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedVISTA InfoSec
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...Ulf Mattsson
 
Sunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XPrime Infoserv
 

Tendances (20)

A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
Apani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani PCI-DSS Compliance
Apani PCI-DSS Compliance
 
Verderber Rothke What’s New With PCI
Verderber   Rothke   What’s New With PCIVerderber   Rothke   What’s New With PCI
Verderber Rothke What’s New With PCI
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
 
PCI Compliance for Dummies
PCI Compliance for DummiesPCI Compliance for Dummies
PCI Compliance for Dummies
 
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoAdoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
 
Rightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public Cloud
 
Facilities Management Security solution
Facilities Management Security solutionFacilities Management Security solution
Facilities Management Security solution
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010
 
PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certification
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Pci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedPci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-converted
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...
 
Sunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera Business & Technology Risk Consulting
Sunera Business & Technology Risk Consulting
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield X
 

Similaire à Demystifying Pci Dss

Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012gaborvodics
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSAmazon Web Services
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxControlCase
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsYusuf Hadiwinata Sutandar
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 

Similaire à Demystifying Pci Dss (20)

Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWS
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
Payment System Risk. Visa
Payment System Risk. VisaPayment System Risk. Visa
Payment System Risk. Visa
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 

Dernier

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Dernier (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Demystifying Pci Dss

  • 1. Demystifying Payment Card Industry Data Security Standard Compliance. Francis Ofungwu, Manager of Security Strategy, Rackspace. Rackspace Partner Network, www.rackspace.co.uk
  • 2. Agenda
      • What is PCI-DSS?
      • Why Should My Business or Clients Be PCI-DSS Compliant?
      • Penalties For Non-Compliance
      • Penalties For Security Breaches
      • Key Steps Towards PCI-DSS Compliance
      • How Rackspace Can Help
      • Rackspace’s PCI-DSS Position
      • Questions
  • 3. What is PCI-DSS?
  • 4. What is PCI-DSS? According to the PCI Security Standards Council: PCI-DSS is a set of comprehensive requirements for enhancing payment account data security.
      • The standard was developed by the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.
      • The primary aim of the council was to help facilitate the broad adoption of consistent data security measures on a global basis.
      • “PCI DSS should now be considered Business As Usual for any merchant accepting cards.” (HSBC PCI-DSS Merchant Guide, January 2008)
  • 5. Why Should My Business Be PCI-DSS Compliant?
  • 6. Why Should My Business or Clients Be PCI-DSS Compliant? If your business stores, processes, or transmits cardholder data, there is a requirement to be PCI-DSS compliant. This also includes service providers that provide services for merchants who process, store, or transmit cardholder data. Non-compliance with PCI-DSS could lead to:
      • Loss of reputation
      • Increased costs for accepting credit card transactions
      • Substantial fines associated with security breaches and non-compliance
      • Revocation of a merchant’s ability to accept credit card payments.
  • 7. Penalties for Non-Compliance
  • 8. Penalties for Non-Compliance. Penalties for non-compliance will depend on the card scheme. Examples of non-compliance penalties are as follows:

      Event                                                              Penalty (Euro)
      Non-compliance after 30 days of notification of non-compliance letter   5,000 per incident
      Non-compliance after 90 days of notification of non-compliance letter   10,000 per incident
      Non-compliance after 120 days of notification of non-compliance letter  25,000 per incident
  • 9. Penalties For Security Breaches
  • 10. Penalties For Security Breaches. When there is a breach, the card scheme will require an independent forensic investigation. As with the penalties for non-compliance, penalties levied for security breaches will depend on the card schemes. For example:

      Number of compromised accounts   Penalty
      0 – 19,999                       25,000
      20,000 – 99,999                  100,000
      100,000 – 199,999                200,000
      200,000 – 299,999                300,000
      300,000 – 399,999                400,000
      400,000 – 499,999                500,000
      >500,000                         750,000
  • 11. Key Steps Towards PCI-DSS Compliance
  • 12. Key Steps Towards PCI-DSS Compliance
      • Contact your merchant bank
      • Conduct a scoping exercise
      • Review business processes
      • Utilise the information on the PCI-SSC website: https://www.pcisecuritystandards.org/
      • Engage a QSA (Qualified Security Assessor)
      • Engage an ASV (Approved Scanning Vendor)
      • Don’t rest on your laurels
  • 13. How Rackspace Can Help
  • 14. How Rackspace Can Help. The Rackspace PCI-DSS Toolbox. Rackspace’s PCI Toolbox solution: hardware, software, and services
      • Managed Cisco Firewalls
      • VPN System Management Access (included with all firewalls)
      • Sophos/Symantec Anti-virus protection
      • SSL Certificates
      • Alert Logic Intrusion Detection Services (IDS)
      • PCI ASV Network Scanning Service (included with IDS)
      • Physical System Security (included with standard support)
      • Patch Management Services (included with standard support)
  • 15. How Rackspace Can Help. Build and Maintain a Secure Network.
      Requirement 1: Install and maintain a firewall configuration to protect cardholder data
      • Fully Managed Cisco Firewalls
      • VPN System Management Access
      • Network Segmentation
      Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Rackspace implements industry best practices in network device deployments to ensure the system hardening specifications required by the standard are met.
  • 16. How Rackspace Can Help. Maintain a Vulnerability Management Program.
      Requirement 5: Use and regularly update anti-virus software. Rackspace provides a Managed Anti-Virus solution that provides proactive protection against viruses, worms, Trojans, spyware and other malware.
      Requirement 6: Develop and maintain secure systems and applications. Rackspace provides a reliable and flexible Managed Patching service to help maintain secure systems.
  • 17. How Rackspace Can Help. Implement Strong Access Control Measures.
      Requirement 9: Restrict physical access to cardholder data. Rackspace physical security controls are based on the best practices set out in the ISO/IEC 27002:2005 Information Security Standard. These controls include:
      • Data centre access limited to Rackspace data centre technicians
      • Biometric scanning for controlled data centre access
      • Security camera monitoring at all data centre locations
      • 24x7 onsite staff provide additional protection against unauthorised entry
      • Unmarked facilities to help maintain a low profile
  • 18. How Rackspace Can Help. Regularly Monitor and Test Networks.
      Requirement 11: Regularly test security systems and processes. Rackspace offers an Intrusion Detection System (IDS) service that meets a number of sub-requirements set out in Requirement 11 of the standard, including the requirement for PCI-SSC approved internal and external vulnerability scanning.
  • 19. Rackspace’s PCI-DSS Position
  • 20. Rackspace’s PCI-DSS Position. On June 30, 2009, Visa USA accredited Rackspace Hosting as a Compliant Level 1 Payment Card Industry (PCI) Service Provider. The scope of Rackspace’s 2009 PCI Service Provider accreditation covers the following:
      - Physical Security for:
          - UK & US Data centres
          - US & UK Offices
      - Network Infrastructure (Routers & Switches)
      - Rackspace employee access to Network Devices
  • 21. Summary
  • 22. Summary
      • If you store, process, or transmit cardholder data then you have a requirement to be PCI-DSS compliant.
      • There are penalties associated with non-compliance and data security breaches.
      • Rackspace can help you and your clients drive PCI-DSS compliance through the PCI-DSS Toolbox.
      • Review the information publicly available on the PCI-SSC website: https://www.pcisecuritystandards.org/
  • 23. Questions