2. Agenda
• Intro
• Buzzwords
• PCI – What is it?
• PCI – Do’s and Don'ts
• How to eat an Elephant
• Divide & Conquer
• Questions & Answers
3. Intro … who is this clown?
• Realex Payments … Platform Operations Security Lead
• Certified … CISA. CISM. SSCP. CISSP.
• Former Chair of the Irish Information Security Forum
• Current Item Writer for ISC2
• Responsible for PCI Compliance in Realex Payments
4. Buzzwords
• Member organisations – Card Schemes are made up of member organisations, who can be
Acquirers, Issuers, or both
• Merchant – Merchants are entities that “accept” Card transactions.
Levels 1 – 4, with varying requirements for validation (by volume)
• Acquirer – Acquiring Bank – contracts with the Merchant to accept card payments and settles those transactions
• Issuer – Issuing Bank – issues cards to the Cardholder
• Cardholder – Consumers. Customers … Punters
• Service Provider – Entities that process, store or transmit card
information on behalf of Merchants, Acquirers, or Issuers
5. Merchant Levels … 1 to 4
Level 1 – Process more than 6 Million txns (per year)
  Validation: ROC – Report on Compliance, produced by a QSA – Qualified Security Assessor
              Quarterly network scans by an ASV – Approved Scanning Vendor
              Attestation of Compliance
Level 2 – Process 1 to 6 Million txns (per year)
  Validation: SAQ – Self Assessment Questionnaire
              Quarterly network scans by an ASV – Approved Scanning Vendor
              Attestation of Compliance
Level 3 – Process 20,000 to 1 Million txns (per year)
  Validation: SAQ
              ASV (if applicable)
              Attestation of Compliance
Level 4 – All other merchants
  Validation: SAQ – recommended
              ASV (if applicable)
              Validation requirements typically set by Acquirer
The thresholds above are Visa’s; each card scheme publishes its own, and your Acquirer will confirm which level applies to you.
6. PCI … What is it?
• PCI DSS - Payment Card Industry Data Security Standard
• Published by the PCI Security Standards Council (PCI-SSC)
• PCI-SSC was founded by the five card schemes: Visa, MasterCard, Discover, American Express, JCB
• Baseline Information Security Standard that applies to ANY
business that “accept, capture, store, transmit, or process
Credit or Debit card data” – No exceptions.
• Information Security BASELINE. PCI is a floor. Not a ceiling.
7. PCI … Do’s
• Visit the PCI-SSC website (www.pcisecuritystandards.org)
• Read the FAQ (Frequently Asked Questions) Knowledge Base
• SAQ – Self Assessment Questionnaire … pick the one that matches how you handle card data:
• A – Card-not-present (e-commerce or Mail Order / Telephone Order) Merchants with all cardholder data functions outsourced
• B – Imprint Only Merchants, or standalone dial-out terminals, with no electronic cardholder data storage
• C-VT – Merchants using web-based Virtual Terminals, with no electronic cardholder data storage
• C – Merchants with Payment Application systems connected to the Internet, with no electronic cardholder data storage
• D – All other Merchants (and all Service Providers)
8. PCI … Do’s … Prioritised Approach
• Have a clear, accurate and relevant Network Diagram.
• Inventory … cover your assets
• Data … where does it come from, and where does it go?
The Holy Trinity
• Policy Document
• Prioritised Approach Document
• Self Assessment Questionnaire
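The “where does the data come from, and where does it go?” question is usually answered by going and looking: card numbers turn up in logs, exports and support tickets that nobody drew on the network diagram, and every such place is in scope. The script below is an added example (not from the slides or from Realex Payments) of the kind of discovery check used to find that data: it picks out 13–19 digit candidates, confirms them with the Luhn check digit, matches the scheme prefix, and reports only masked values so the findings list does not itself become cardholder data. The log lines are constructed for the example, and the two numbers it flags are the card schemes’ published test numbers, not real accounts; the function and class names are the example’s own.

```python
"""PAN discovery for PCI scoping (added example; not from the slides).

Scans text for candidate card numbers, confirms them with the Luhn check
digit and a scheme prefix, and reports only masked values.  The sample log
below is constructed; 4111 1111 1111 1111 and 378282246310005 are the
public Visa and American Express test numbers, not real accounts.
"""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes and lengths for the five PCI-SSC founding schemes.
BRANDS = (
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("JCB", re.compile(r"^35\d{14}$")),
    ("Discover", re.compile(r"^(?:6011\d{12}|65\d{14})$")),
    ("MasterCard", re.compile(r"^(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}$")),
    ("Visa", re.compile(r"^4(?:\d{12}|\d{15}|\d{18})$")),
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit, sum, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Return the scheme name for a digit string, or None if no prefix/length matches."""
    for name, pattern in BRANDS:
        if pattern.match(digits):
            return name
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits: the report must not become new cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    brand: str
    masked: str


def scan_lines(source: str, lines) -> list:
    """Return a Finding for every Luhn-valid, scheme-matching number in the lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            brand = brand_of(digits)
            if brand and luhn_ok(digits):
                findings.append(Finding(source, n, brand, mask(digits)))
    return findings


# Constructed sample: an application log that should never have contained a PAN.
# Line 2 is a 16-digit transaction id (no scheme prefix, fails Luhn);
# line 4 is a mistyped Visa-looking number that fails the Luhn check.
SAMPLE_LOG = [
    "2011-03-01 10:02:11 INFO order=10045 amount=19.99 card=4111 1111 1111 1111 auth=OK",
    "2011-03-01 10:02:12 INFO order=10046 txnid=1234567890123456 status=DECLINED",
    "2011-03-01 10:02:13 DEBUG raw pan 378282246310005 exp 12/14",
    "2011-03-01 10:02:14 INFO order=10047 card=4111111111111112 auth=FAIL",
]

if __name__ == "__main__":
    for f in scan_lines("app.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no} {f.brand} {f.masked}")
```

Run against real logs, database exports and file shares the output is a list of locations, not a list of card numbers, which is what you need to redraw the diagram and decide what is in scope. Expect false positives from long numeric identifiers that happen to pass Luhn; the scheme-prefix check removes most of them, and the rest are cheap to confirm by hand.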
9. PCI … Don’ts
• Don’t PANIC - Don’t fall for the FUD. Don’t fall in The Hole.
• Don’t boil the ocean – Scope and Segmentation are crucial
• Don’t forget that PCI applies to your organisation, not your
chosen hardware or software products and tools
• Don’t think you can “buy” compliance with products
• Don’t confuse “Compliant” for “Secure”
• Don’t ignore PCI … it’s not going away
14. For your further reading enjoyment …
www.pcisecuritystandards.org/
www.pcisecuritystandards.org/faq/
www.pcisecuritystandards.org/security_standards/getting_started.php
www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.asp
www.iisf.ie
Irish Information Security Forum LinkedIn group … members only, just tell them I sent you!