PCI DSS Overview Jan2010

PCI DSS Overview
- PCI SSC and PCI DSS
- How to Comply with PCI DSS

1. PCI DSS Overview: What it is and why you might find it useful. Delivered by Amy Zhu (amyseeger@hotmail.com), Jan 2010
2. Risks in the Payment Industry 06/03/10
3. Credit card theft is big business!
- Phishing attempts on the rise
  - to trick individuals into divulging financial information
- Dramatic move by "hackers" to compromise machines for profit
  - keyboard-monitoring software (keyloggers)
- Many chat channels devoted to underground trading of credit card numbers
4. PCI SSC and PCI DSS
5. Payment Card Industry Players (diagram): Payment Service Providers / Acquirers, Card Associations
6. Prior to 2004...
- Cardholder Information Security Program (CISP)
- Site Data Protection Program (SDP)
- Discover Information Security Compliance (DISC)
- Data Security Standard (DSS)
- Result: confused merchants ???
7. And there Comes the PCI DSS: Payment Card Industry Security Standards Council (PCI SSC)
8. Target Audience: "Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data." (Payment Card Industry Data Security Standard)
9. What is PCI DSS
- Data Security Requirements
  - A set of six control objectives ("targets"), twelve requirements and detailed sub-requirements
- Defines the framework of a secure payment environment
- Continuous process
  - Assess
  - Remediate
  - Report
10. Data Elements & Protection Requirements

    Data Element                         Storage Permitted   Protection Required   PCI DSS Req. 3.4
    Cardholder Data
      Primary Account Number (PAN)       Yes                 Yes                   Yes
      Cardholder Name                    Yes                 Yes                   No
      Service Code                       Yes                 Yes                   No
      Expiration Date                    Yes                 Yes                   No
    Sensitive Authentication Data
      Full Magnetic Stripe Data          No                  N/A                   N/A
      CAV2/CVC2/CVV2/CID                 No                  N/A                   N/A
      PIN/PIN Block                      No                  N/A                   N/A

(Requirement 3.4 is the one that requires the PAN to be rendered unreadable wherever it is stored; the other cardholder data elements must be protected when stored together with the PAN.)
11. Front Face of Payment Card (image slide)
12. Rear Face of Payment Card (image slide)
13. PCI DSS Requirements #1
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
14. PCI DSS Requirements #2
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security
15. Merchant Levels
- Merchant levels are based on the merchant's yearly transaction volume
- The specific criteria for placement in a merchant level vary across card companies
- All merchants, regardless of level, must adhere to the PCI DSS requirements
- The level a merchant is placed in determines how PCI DSS compliance is validated (and ultimately what it costs)
- Let's take a quick look at Visa's levels...
16. PCI Compliance: Business Need. Compliance Validation Levels (Visa)

    Merchant level and criteria                                      Annual Assessment                          Perimeter Scan
    Level 1: > 6M transactions / year (any channel), or any          Independent Security Assessor (on site)    Qualified Independent Scan Vendor
             merchant that suffered a hack resulting in a data                                                   (today's Approved Scanning Vendor, ASV)
             compromise
    Level 2: 1M - 6M transactions / year (any channel)               Self Assessment Required                   Quarterly Network Scan Required
    Level 3: 20K - 1M e-commerce transactions / year                 Self Assessment Required                   Quarterly Network Scan Required
    Level 4: < 20K e-commerce transactions / year, or                Self Assessment Recommended                Quarterly Network Scan Recommended
             < 1M non-e-commerce transactions / year
17. Where Do You Fit in the PCI Ecosystem?
PCI Compliance Required:
- Annual self-assessment questionnaire
- Quarterly scans, annual audits (ASV, QSA)
- Vendor: implement controls to address PCI requirements
- Merchant/Customer: measure against these controls
Compliance Failure results in:
- PCI-related fines and cash reserves
- Damaged reputation
- Revocation of favorable transaction fee rates (Card Association)
- Loss of confidence in merchant, bank
18. Consequences of Non-Compliance
- Fines: up to $500K per incident (Visa alone), government fines, insurance, and litigation
- Brand Reputation: share price degradation, loss of customer confidence
- Revocation of Credit Card Processing: inability to process credit card transactions
- Additional Compliance Requirements: increased PCI validation requirements
19. Obvious Benefits of PCI Compliance
- We know non-compliance isn't pretty
- Avoid penalties due to non-compliance
- Compliance is good for business: win and retain customers
(Diagram: Card Association. FAILED: fines, higher transaction fees. Lower risk = lower transaction fees for PCI-compliant entities.)
20. PCI Review: Protection against Fraud
- Standards and requirements for data security
- Applies throughout the data and networking environment
- Currently non-legislative, but enforceable through fines and penalties
- The obligation for compliance is on merchants and service providers
Key Principles
- Sensitive authentication data cannot be stored
- Cardholder data must be protected
In 2004 the major credit card companies aligned their individual security policies to create the Payment Card Industry Data Security Standard (PCI DSS). Current requirements are based on the 2008 version 1.2.
21. How to Comply with PCI DSS
22. The Steps of PCI DSS Compliance
- Define the scope of the assessment
- Sample business facilities and system components
- Compensating controls
  - Validated by a QSA on an annual basis
- Report
  - ROC: Report on Compliance
  - Evidence of a passing scan
  - Attestation of Compliance
- Clarification (if required)
23. Methods to Achieve Compliance
- Independent Assessment
  - Applicable to merchants/SPs processing a large transaction volume
  - Appoint a QSA to assess the payment system and environments
  - Validation of compliance
- Self Assessment
  - Applicable to merchants/SPs processing a small transaction volume
  - Complete the Self-Assessment Questionnaire (SAQ)
24. The Continuous Process
- Assess
  - All IT infrastructure and business processes
  - Analyze the vulnerabilities
- Remediate
  - Fix the vulnerabilities
- Report
  - ROC: Report on Compliance
- -> Ensure the security of cardholder data
25. A Comprehensive View: Corporate Compliance Framework
Although PCI provides compliance requirements in most areas, it is only a subset of what is required when building a comprehensive security compliance program. Each organization will have unique compliance requirements to consider when building its compliance program.
(Diagram layers)
- Compliance Requirements: Business Drivers; Corporate Security Policies and Standards; PCI DSS, Data Privacy, SOX, HIPAA, GLBA
- Processes and Procedures: Procedures, Standards, Baselines, Audit Guidelines
- Technology Enablement: Host Agents, Network Agents, Asset Database, Ticketing System, Event Sensors, Identity and Access, Applications, Databases, Log Collectors, Manual Audit
- Metrics and Reporting
- Security Framework: ISO 27002 / BS 7799
26. Q & A. The following are supplementary materials.
27. For More Information
- www.visa.com/cisp
- www.pcisecuritystandards.org
28. Glossary
- Sensitive Authentication Data: Security-related information (card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders, appearing in plain-text or otherwise unprotected form.
- Cardholder Data: At a minimum, cardholder data contains the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, service code.
- Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
- Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
- PAN: Acronym for "primary account number," also referred to as "account number." Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
- QSA: Acronym for "Qualified Security Assessor," a company approved by the PCI SSC to conduct PCI DSS on-site assessments.
29. Track 1 & 2 (image slide)
30. Track 2 (image slide)
31. Important Card Data
- Financial card dimensions, location of the magnetic stripe, and data encoding and layout are all covered by ISO standards (source: www.magtek.com)
32. Important Card Data
- To process a transaction the merchant must present multiple fields to the acquiring financial institution, e.g. PAN, expiry date, CVV/CVC, PVV or PIN offset.
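The two card-data slides (the data-element table on slide 10 and the list of fields a merchant sends its acquirer on slide 32) come down to one operational check a practitioner actually runs: nothing the merchant retains after authorisation may contain sensitive authentication data (track data, CVV, PIN), and any PAN that is retained must be protected and shown masked. The Python below is an added example for this page, not code from the original slides. It scans a handful of constructed application log lines for track data, labelled card verification values and bare PANs, classifies each hit as SAD or cardholder data (CHD), and reports it masked. The Track 1/Track 2 layouts it matches follow ISO/IEC 7813, the first-six/last-four mask follows PCI DSS Requirement 3.3, the Luhn filter is a standard way to avoid flagging order numbers as PANs, and the card numbers are well-known test values; none of these details appear on the slides themselves.

```python
"""
Added example (not from the original slides): scan text records such as
application log lines for payment card data, classify each hit as sensitive
authentication data (SAD, may never be stored after authorisation) or
cardholder data (CHD, storable only if protected), and report it masked.

Assumptions not stated on the slides: Track 1/2 layouts per ISO/IEC 7813
(Track 2: ';' PAN '=' YYMM service-code discretionary '?'); the PAN mask
keeps the first six and last four digits, the limit PCI DSS Requirement 3.3
sets for displayed PANs; the sample log lines use constructed test card
numbers, not real accounts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check digit test; weeds out order numbers and
    timestamps that merely look like a PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, star out the rest (Req. 3.3 mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Track 1, format code B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Card verification value labelled in a log line: cvv2=123, CVC: 4567, cid=...
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.I)
# Bare PAN: 13-19 digits, optionally grouped with spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str   # "SAD" (never storable) or "CHD" (storable only if protected)
    element: str    # track1, track2, cvv, pan
    masked: str     # safe rendering for the report; the raw value is never kept


def scan_line(line_no: int, line: str) -> list[Finding]:
    findings: list[Finding] = []
    claimed: list[tuple[int, int]] = []     # spans already reported as track data

    for element, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append(Finding(line_no, "SAD", element, mask_pan(m.group(1))))
                claimed.append(m.span())

    for _ in CVV_RE.finditer(line):
        findings.append(Finding(line_no, "SAD", "cvv", "***"))

    for m in PAN_RE.finditer(line):
        if any(lo <= m.start() and m.end() <= hi for lo, hi in claimed):
            continue                        # PAN inside track data, already reported above
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(pan):
            findings.append(Finding(line_no, "CHD", "pan", mask_pan(pan)))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    return [f for n, line in enumerate(lines, 1) for f in scan_line(n, line)]


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Hits per category; any SAD count above zero is a Requirement 3.2 failure."""
    counts = {"CHD": 0, "SAD": 0}
    for f in findings:
        counts[f.category] += 1
    return counts


# Constructed sample log lines (standard test card numbers, not real accounts).
SAMPLE_LOG = [
    "2010-01-12 10:01:33 INFO  order=1234567890123456 status=captured",
    "2010-01-12 10:01:34 DEBUG auth request pan=4111111111111111 exp=2512 cvv2=123",
    "2010-01-12 10:01:35 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^2512101123456789? ;4111111111111111=25121011234567890?",
    "2010-01-12 10:02:01 INFO  customer=J. Doe card=5500 0000 0000 0004 exp=2512",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.category} {f.element} {f.masked}")
    print(summarise(results))
```

Run as-is, the first line (a 16-digit order number that fails the Luhn check) produces nothing, the debug lines yield three SAD hits (a CVV and both tracks of a raw swipe), and two Luhn-valid PANs are reported as CHD with only the first six and last four digits visible. The SAD hits are a compliance failure no matter how well the log file is encrypted; the CHD hits mark the places where Requirement 3.4 applies to whatever the system stores.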
