PCI DSS for IT Providers
The rules and impact on MSPs and VARs
For PCI DSS Version 3.0
#webclinic
What is PCI DSS?
• Payment Card Industry Data Security Standard
• Maintained by the PCI Security Standards Council (PCI SSC)
• Council formed by the five major card brands: American Express, Discover, JCB, MasterCard and Visa
• Enforced not by the Council but by the card brands, through the contracts acquiring banks hold with merchants and service providers
What’s the goal?
• Cardholder data:
– Primary account number (PAN)
– Cardholder name
– Expiration date
– Service code
• Sensitive authentication data:
– Full track data (from the magnetic stripe, or the equivalent data on a chip)
– CAV2 / CVC2 / CVV2 / CID
– PIN blocks
• Protect cardholder data and sensitive authentication data
• Sensitive authentication data must never be stored after authorization, even encrypted (Requirement 3.2); cardholder data may be stored only where there is a business need, and then only with the PAN rendered unreadable
What does it cover?
• All components of the cardholder data environment (CDE)
• The CDE is the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, plus any system component connected to them
• Examples:
– Payment card readers, POS systems, PCs
– Firewalls, routers, switches, servers
– Purchased and custom applications
• Without network segmentation the whole network is in scope; segmentation that isolates the CDE narrows scope, but v3.0 requires the segmentation itself to be verified by penetration testing (Requirement 11.3.4)
The Threat is Real
• Top motivation of attackers: money
• POS malware is proliferating
• Retailers large and small are being breached
Source: 2014 Verizon Data Breach Investigation Report
Who has to comply?
• Merchants
• Processors
• Financial institutions (acquirers and issuers)
• Service providers
• Anyone else who stores, processes or transmits cardholder data or sensitive authentication data, or whose systems can affect the security of that data
What about MSPs and VARs?
• Must comply internally if you accept payment cards yourself
• Must deliver services that meet the requirements wherever they touch a client's cardholder data environment: a provider that manages a client's firewalls, POS systems, anti-virus or remote access is a service provider in scope, and v3.0 requires it to acknowledge in writing its responsibility for the security of the client's cardholder data (Requirement 12.9)
• Our recommendation: find a compliance expert
PCI DSS = Opportunity for IT Providers
• Clients need your expertise
• Offer new products and services for compliance
• Security is more than “compliance”, so offer enhanced protection
PCI DSS = Potential trap for IT Providers
• Failure to comply could cost you:
– Customer confidence
– Sales and revenue
– Reputation, brand damage
– Malpractice lawsuits
– Fines and penalties
– Cost of reissuing cards
Penalties for Noncompliance
• Card brands can issue fines of $5,000 to $100,000 per month; the fine is levied on the acquiring bank, which passes it on to the merchant
• Higher transaction fees, or loss of the ability to accept cards at all
• Many small victims go out of business
– Cost of a breach can include containment, forensic investigation (after a suspected compromise the card brands can require a PCI Forensic Investigator), legal fees, audits and card replacement
What are the rules?
• Build and Maintain a Secure Network and Systems
– 1. Install and maintain a firewall configuration to protect cardholder data
– 2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– 3. Protect stored cardholder data
– 4. Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– 5. Protect all systems against malware and regularly update anti-virus software or programs
– 6. Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
– 7. Restrict access to cardholder data by business need to know
– 8. Identify and authenticate access to system components
– 9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– 10. Track and monitor all access to network resources and cardholder data
– 11. Regularly test security systems and processes
• Maintain an Information Security Policy
– 12. Maintain a policy that addresses information security for all personnel
• Each of the 12 requirements breaks down into testable sub-requirements. Requirement 3, for example, says sensitive authentication data is never stored after authorization (3.2), that PAN is masked when displayed, with the first six and last four digits the most that may be shown (3.3), and that PAN is rendered unreadable wherever it is stored (3.4)
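The controls in Requirement 3 are the ones an IT provider most often ends up checking by hand: application logs, exports and backups in a client's environment regularly turn out to hold full PANs that nobody meant to store. The Python script below is an added example for this page, not code from Calyptix or the PCI SSC. It finds Luhn-valid 13 to 19 digit PANs in text (a first-pass data-discovery check) and masks them to the first six and last four digits that Requirement 3.3 permits for display. The log lines, the test PANs and all function names are constructed for the example.

```python
"""Added example (not from the Calyptix slides or the PCI SSC): discover and
mask primary account numbers (PANs) in text, after PCI DSS v3.0 Requirement 3.

find_pans()  - data-discovery check: locates 13-19 digit runs (spaces or
               dashes between groups allowed) that pass the Luhn check, so a
               provider can confirm logs, exports and backups hold no full PAN.
mask_pan()   - display masking: keeps at most the first six and last four
               digits, the maximum Requirement 3.3 allows.
scan_lines() - discovery report that records only masked PANs, so the report
               does not itself become a new place where PAN is kept.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side (so a 22-digit tracking number is
# not cut into a PAN-sized piece).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. 4111111111111111 and 5500000000000004 are the
# widely used Visa and MasterCard test numbers; the order and tracking values
# are digit strings that must NOT be reported as PANs.
SAMPLE_LOG = [
    "2014-08-01 12:00:01 POS01 sale ok card=4111111111111111 amt=19.99",
    "2014-08-01 12:00:07 POS01 auth fail card=5500 0000 0000 0004 reason=declined",
    "2014-08-01 12:00:09 POS01 order=1234567890123 tracking=9400100000000000000000",
]


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check that all card
    brands use; this cuts most random digit runs out of the results."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (start, end, digits) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: first six and last four digits stay, the rest
    become 'X'. Six plus four is the maximum PCI DSS 3.3 permits on screen or
    on a receipt; masking is not a substitute for rendering stored PAN
    unreadable (3.4)."""
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def mask_text(text: str) -> str:
    """Replace every PAN found in text with its masked form, working from the
    end so earlier offsets stay valid."""
    out = text
    for start, end, digits in reversed(find_pans(text)):
        out = out[:start] + mask_pan(digits) + out[end:]
    return out


def scan_lines(lines) -> dict:
    """Discovery report: {line index: [masked PANs]} for lines holding a PAN."""
    report = {}
    for i, line in enumerate(lines):
        found = [mask_pan(d) for _, _, d in find_pans(line)]
        if found:
            report[i] = found
    return report


if __name__ == "__main__":
    for idx, pans in scan_lines(SAMPLE_LOG).items():
        print(f"line {idx}: full PAN present -> {', '.join(pans)}")
    print(mask_text(SAMPLE_LOG[1]))
```

Run as-is it reports lines 0 and 1 with masked PANs and leaves the order and tracking numbers alone. Luhn filtering cuts false positives but does not remove them, and the pattern will miss a PAN fused to other digits or split across lines; treat the script as a first pass, not as a replacement for a data-discovery product or for the 3.4 controls on whatever stores it turns up.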
How do I comply?
• Ask your acquiring bank (merchant acquirer) to walk you through the steps
• Small merchants typically must:
1. Complete the self-assessment questionnaire (SAQ) that matches how they accept cards (types A through D; the PCI SSC guide “Understanding the SAQs”, linked below, maps acceptance channels to SAQ types)
2. Sign an attestation of compliance (AOC)
3. Send the required documents to the acquirer
• Required documents include:
1. Vulnerability scan results (a passing quarterly external scan, where the SAQ type requires one; SAQ A and SAQ B do not)
2. Security policy
3. Network diagram
• Large merchants and most service providers are instead assessed on site by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC)
Vulnerability scans
• External scan of the network from the Internet, against every public-facing IP address in scope
• Required quarterly by PCI DSS (Requirement 11.2.2) and again after any significant change (11.2.3); quarterly internal scans are required as well (11.2.1)
• Results reflect what is reachable through your firewall: exposed services, their versions and their configuration. A scan passes only when no vulnerability rated CVSS 4.0 or higher remains
• External scans must be run by an Approved Scanning Vendor (ASV) certified by the PCI SSC; acquirers often bundle one, but the ASV, not the acquirer, performs the scan
– Examples: SecurityMetrics; Trustwave
About Calyptix
Calyptix makes network security easy for small
and medium networks. Our all-in-one solution,
AccessEnforcer, delivers advanced protection in
a simple platform.
Learn more: Calyptix.com
info@calyptix.com
704-971-8989
Calyptix Resources
• PCI DSS for IT Providers: 4 steps for compliance
– http://www.calyptix.com/pci-dss-it-providers-4-steps-for-compliance/
• PCI DSS and AccessEnforcer
– http://www.calyptix.com/pci-dss-accessenforcer/
• PCI DSS: Easier and cheaper compliance with SAQs
– http://www.calyptix.com/2014/07/pci-dss-make-compliance-easier-and-cheaper/
Additional Resources
• Requirements and Security Assessment Procedures:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
• Report on Compliance Reporting Template
– https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_ROC_Reporting_Template.pdf
• Attestation of Validation (this is the PA-DSS form for payment application vendors, not the merchant attestation of compliance)
– https://www.pcisecuritystandards.org/documents/PA-DSS_Attestation_of_Validation_v3_0.docx
• Glossary of Terms, Abbreviations, and Acronyms:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf
Additional Resources
• Understanding the SAQs for PCI DSS v3.0
https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
• Self-Assessment Questionnaires
– A – https://www.pcisecuritystandards.org/documents/SAQ_A_v3.docx
– B – https://www.pcisecuritystandards.org/documents/SAQ_B_v3.docx
– C – https://www.pcisecuritystandards.org/documents/SAQ_C_v3.docx
– D (Merchant) https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.docx
– D (Service Provider) https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.docx