Verderber Rothke What’s New With PCI
1. Peter Verderber, CISSP, CISA, PCI QSA, Principal Consultant. Ben Rothke, CISSP, CISA, PCI QSA, Senior Security Consultant. Managed Security Leaders Conference. What’s new with PCI? November 18, 2009. Check out the SecureThinking blog: http://bt-securethinking.blogspot.com. Follow us on Twitter: http://twitter.com/securethinking
2. Agenda: Evolution of the PCI DSS; PCI SSC Updates – The Impact of QA Inspections; Key messages and take-aways; Introductions; PCI DSS Updates – Gray Areas & Emerging Trends
5. PCI Timeline (2001): Visa establishes CISP (Card Information Security Program).
6. PCI Timeline (2001, 2004): Formation of the PCI Security Standards Council (PCI SSC). PCI SSC is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. Mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. Founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
7. PCI Timeline (2001, 2004, 2006): PCI DSS version 1.1 released. PCI DSS (Data Security Standard) is a worldwide information security standard assembled by the PCI SSC. Standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. PCI DSS applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
8. PCI Timeline (2001, 2004, 2006, 2008): PCI DSS version 1.2 and PA-DSS 1.2 released. PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). Goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and to ensure their payment applications support compliance with the PCI DSS.
9. PCI Timeline (2001, 2004, 2006, 2008, 2009): PCI wireless guidelines released. Wireless guidelines recommend use of a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning for large organizations. Wireless guidelines clearly define how wireless security applies to PCI DSS 1.2 compliance. Guidelines apply to the deployment of WLANs in cardholder data environments (CDE); a CDE is a network environment that possesses or transmits credit card data.
15. Contact Information. Peter Verderber: [email_address], 561-206-2064, http://www.linkedin.com/in/peteverd. Ben Rothke: ben.rothke@bt.com, 973-489-0838, www.linkedin.com/in/benrothke, www.twitter.com/benrothke