PCI Presentation

Evolving Challenges of PCI Compliance

Charlie Wood, PCI QSA, CRISC, CISA

Principal, The Bonadio Group

January 10, 2014

Agenda

• What is PCI?

• Evolution of PCI

• What is PCI DSS?

• Compliance

• What does this mean to me?

• Recent Breach of Target

• Q & A

What is PCI?

The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder data do so in a secure environment.

• The PCI Security Standards Council

Evolution of PCI

PCI Security Standards Council was founded in 2006 by the major card brands:

• Visa

• MasterCard

• Amex

• Discover

• JCB

Each card brand has input into the guidance provided by the Council.

What is PCI? (cont.)

A payment card, as defined by the Council, is any card backed by a major card brand, including but not limited to:

• Credit

• Debit

• HSA

• FSA

• Payroll

Evolution of PCI (cont.)

The PCI Security Standards Council is responsible for oversight of the PCI standards, which include guidance on the following:

• PCI DSS (Data Security Standard)

• PA-DSS (Payment Application Data Security Standard)

• P2PE (Point-to-Point Encryption)

• PTS (PIN Transaction Security)

What is PCI DSS?

• Core set of best security practices

• Set of 12 requirements broken down into 6 categories, as follows:

1. Build and maintain a secure network

2. Protect cardholder data

3. Maintain a vulnerability management program

4. Implement strong access control measures

5. Monitor and test networks

6. Maintain an information security policy

What is PCI DSS?

• Depending on how the organization accepts and handles cards, its PCI DSS obligations can also bring in the following standards:

• PA-DSS

• P2PE

• PTS

Common PCI Myths

• We don’t take enough cards to necessitate compliance

• We outsource card processing so we are compliant

• PCI is an IT issue

• PCI is unreasonable / difficult

• PCI compliance makes us secure

• We aren’t a target

Compliance

• Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure

• Compliance is based on “Level” and “Type”

• Level is based on the number of transactions performed in a 12-month period

• Type is defined by how your organization takes credit cards

Compliance (cont.)

Levels are based on the number of transactions. Visa defines them as follows:

Level 1: Organizations with over 6M Visa transactions per year, OR any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa

Level 2: Organizations with 1M to 6M Visa transactions per year

Level 3: Organizations with 20,000 to 1M Visa e-commerce transactions per year

Level 4: Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year

Compliance (cont.)

Types are defined by how your organization takes credit cards and correspond to the Self-Assessment Questionnaire ("SAQ") an organization completes. They are broken down as follows:

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced; this never applies to face-to-face merchants

SAQ B: Imprint-only merchants with no cardholder data storage, OR stand-alone dial-up terminal merchants with no cardholder data storage

SAQ C: Merchants with payment application systems connected to the Internet, no cardholder data storage

SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage

SAQ D: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ

What does this mean to me?

Based on the volume of transactions, organizations would be required to perform the following (Visa requirements):

Level 1:

• Annual Report on Compliance ("ROC") completed by a Qualified Security Assessor ("QSA")

• Quarterly network scan by an Approved Scanning Vendor ("ASV")

• Attestation of Compliance form

Level 2:

• Annual Self-Assessment Questionnaire ("SAQ")

• Quarterly network scan by ASV

• Attestation of Compliance form

Level 3:

• Annual SAQ

• Quarterly network scan by ASV

• Attestation of Compliance form

Level 4:

• Annual SAQ recommended

• Quarterly network scan by ASV

• Compliance validation requirements set by merchant bank

What does this mean to me? (cont.)

In English:

• Depending on what "Type" of organization you are, you will have to address anywhere from roughly 15 to 200+ controls

Cost

• Hardware

• Software

• Internal Resources

• External Resources

Recent Breach of Target

What happened:

• Approximately 40 million credit and debit card numbers compromised

• Theft period: November 27 – December 15, 2013

• Malware on point-of-sale terminals

    • Not detected until December 15

Recent Breach of Target (cont.)

Common Questions

1. How could this happen?

2. Was Target PCI compliant?

3. How do I know if I was affected?

Costs?

• Credit score monitoring

• Fines, sanctions and lawsuits

• Reputational damage

Q & A

Questions?

cwood@bonadio.com

(585) 249-2757
