PCI DSS & PII
Shanmugavel Sankaran
FixNix InfoSec Solutions Pvt Ltd
Session Etiquette
•  Please turn off all cell phones.
•  Please keep side conversations to a minimum.
•  If you must leave during the presentation, please do so
as quietly as possible.
What is PCI?
•  The Payment Card Industry Data Security Standard (PCI DSS) was
created jointly in 2004 by four major credit-card companies: Visa,
MasterCard, Discover and American Express.
•  PCI DSS is a widely accepted set of policies and procedures intended to
optimize the security of credit, debit and cash card transactions and
protect cardholders against misuse of their personal information.
•  Adherence to the PCI DSS aids in securing cardholder payment data
that is stored, processed or transmitted by merchants and processors.
•  PCI DSS specifies requirements entailing many security technologies
and business processes, and reflects most of the best practices for
securing sensitive information.
•  PCI DSS is rapidly becoming the recognized standard for securing all
organizational data, not just credit card information, and is currently
being considered as the basis of legislation by several states.
•  (Source: PCI Security Standards Council)
What Is Cardholder Data?
Cardholder data is any Personally Identifiable
Information (PII) associated with the cardholder
§  Card Holder Data
§  Primary Account Number (PAN) with:
§  Expiration date or
§  Card holder name
§  Sensitive Authentication Data
§  CVV or CVC (Card Verification Values)
§  Track 1 and Track 2 Data (magnetic stripe)
Who Must Comply?
•  PCI data security requirements apply to all merchants and service
providers that store, process or transmit any cardholder data. All
organizations with access to cardholder information must meet the data
security standards.
•  However, the way in which organizations validate their compliance differs
based on whether they are merchants or service providers and on specific
validation requirements defined by each credit card brand. Each of the
five major credit card companies has its own set of validation
requirements.
•  Information regarding service provider levels and validation requirements
can be obtained from each individual credit card company’s Web site.
•  The security requirements apply to all system components, network
components, servers or applications included in, or connected to, the
processing of cardholder data.
What is PCI?
•  Payment Card Industry Data Security Standard
•  PCI Scope includes:
–  Storing, processing and transmitting of cardholder data AND any
connected system
•  Continuous program – not a one time project!
PCI Version 2.0
•  Has changed the way we do business
•  Costs have increased
•  Documentation, Documentation!
What’s New in PCI 2.0?
•  Scoping?
•  Wireless Networks
•  Storing Hashed Data
•  Self-Assessment Questionnaire C-VT
PCI Security Standards Council
•  Global Forum
•  PCIDSS, PA-DSS, PCI PTS
•  Approve QSAs, ASVs
•  Develop and publish PCI documentation including SAQs
•  Training
Payment Brands, Acquirers and Processors
•  Payment Brands
–  Track compliance and enforce standards
–  Determine event response
–  Define merchant levels
•  Acquirers and Processors
–  Set merchant level
–  Determine compliance
–  Approve compensating controls
Updates from Feedback on the PCI Standards
•  Request change to existing requirement/testing
procedure (34%)
•  Request clarification (27%)
•  Request for additional guidance (19%)
•  Feedback only – no change requested (12%)
•  Request for new requirement/testing procedure (7%)
PCI SSC Press Release Dated 9/5/12 "PCI Security Standards Council Releases Summary of
Feedback on PCI Standards"
Following Topics Most Frequently mentioned
Suggestions:
•  PCI DSS Req 11.2 – Prescribing use of specific tools,
requiring ASCs to perform internal scans and define
“significant change”
•  PCI DSS Scope of Assessment – Detailed guidance on
scoping and segmentation
•  PCI DSS Req 12.8 – Clarify terms “service provider” and
“shared”, and provide more prescriptive requirements
regarding written agreements that apply to service
providers
Following Topics Most Frequently mentioned
Suggestions (Con’t):
•  PCI DSS SAQs – Suggestions for updating; either too
complex or not detailed enough
•  PCI DSS Req 3.4 – Further clarification and guidance,
since encryption and key management are complex
requirements, and truncation, hashing and tokenization are
not convenient methods to store and retrieve data
•  PCI DSS Req 8.5 – Updating password requirements
including expanding authentication beyond just
passwords
PCI SSC Releases
•  PCI Mobile Payment Acceptance Security Guidelines
–  Offer software developers and mobile device
manufacturers guidance on designing appropriate
security controls to provide solutions for merchants to
accept mobile payments securely
PCI SSC Press Release Dated 9/13/12
PCI SSC Releases (Con’t)
•  Point-to-Point Encryption (P2PE) Resources
–  Program Guide and SAQ to support implementation
of hardware-based P2PE solutions
PCI SSC Press Release Dated 6/28/12
New PCI Professional Program (PCIP)
•  PCI SSC’s 1st Individual Accreditation Program
•  Designed to build greater level of PCI expertise across
the industry
•  Minimum 2 years IT or IT related experience and base
level of knowledge and awareness in information
technology, network security and architecture and
payment industry participants
PCI SSC Press Release Dated 9/6/12
PCI DSS Risk Assessment Guidelines
The supplement outlines the relationship between PCI DSS
and risk assessments, including various industry risk
methodologies and key components of a risk assessment.
Key components include developing a risk assessment
team, building a risk assessment methodology, risks
introduced by third parties, risk reporting and critical
success factors.
Key recommendations include:
•  Formalized risk assessment methodology suited to the
culture and requirements of the organization
•  Continuous risk assessment
•  Risk assessment cannot be used to avoid PCI DSS
compliance
PCI DSS Press Release Dated 11/16/12
Info Supplement – E-commerce Guidelines
This supplement was released to provide guidance to
merchants using electronic commerce (e-commerce) to sell
goods and services in their quest to obtain PCI
Compliance.
•  Merchants may develop their own payment software, use
a third-party software, or a combination.
•  Merchants may use various technologies: payment
processing applications, application-programming
interfaces (APIs), inline frames (iFrames), or hosted
payment pages.
•  Merchants may maintain different levels of control and
responsibility for managing the supporting IT
infrastructure.
PCI SSC Information Supplement Dated 1/2013
Info Supplement – E-commerce Guidelines (Con’t)
Key Considerations:
•  No option completely removes PCI DSS responsibilities.
NOT even outsourcing!
•  Payment applications should be PA-DSS compliant.
Check them against the PCI SSC’s list of Validated
Payment Applications.
–  For in-house developed application, use PA-DSS as a
best-practice.
•  Documentation! Document relationships between the
merchant and third parties in regards to PCI DSS!
PCI DSS Cloud Computing Guidelines
•  The Guidelines and Information Supplement provide an
overview of the cloud environment, explaining common
deployment and service models and how
implementations may differ.
•  Roles and responsibilities between the provider and
customer across the different models are explained, as
well as guidance on how to determine and document
these responsibilities.
•  PCI DSS considerations and compliance challenges are
discussed including scoping, segmentation and
validating compliance in the cloud environment.
•  Other security considerations are explored on the
business and IT side in using cloud technologies.
PCI DSS Press Release Dated 2/7/13.
PCI Mobile Payment Acceptance Security Guidelines
for Merchants as End-Users
•  Document provides a high level introduction and
overview of mobile payments and security risks of mobile
devices. This “unique, complex and evolving mobile
environment underscores the need for all parties in the
payment chain to work together to ensure mobile
acceptance solutions are deployed securely.”
•  Key areas:
–  Objectives and Guidance for the Security of a Payment
Transaction
–  Guidelines for Securing the Mobile Device
–  Guidelines for Securing the Payment Acceptance Solution
Appendices provided
PCI DSS Press Release Dated 2/14/13.
Merchant Issues on Campus
•  CDE – Cardholder Data Environment (where does the
data reside – everywhere?)
•  Call Centers – Voice Recording
•  VOIP – Voice Over Internet Protocol
•  Service Providers
•  Remote Events
Merchant Issues on Campus (Con’t)
•  Bookstores
•  Medical practices
•  Patient collections
•  Conferences
•  Pledge drives
Merchant Issues on Campus (Con’t)
•  Food service
•  Kiosks
•  Paper forms
•  Unrelated third parties
–  Does this make you a service provider?
Treasury Institute for Higher Education 2012 PCI Workshop - Walt Conway, QSA 403 Labs
What is PII?
PII (Personally Identifiable Information) is any information
about an individual that can be used to distinguish or trace
an individual’s identity or can be linked to an individual.
Examples:
–  Name: full name, mother’s maiden name, alias
–  Personal ID number: SS number, Passport, driver’s
license or credit card numbers
–  Medical, educational, financial and employment
information
Personally Identifiable Information (PII)
The escalation of security breaches involving personally
identifiable information (PII) has contributed to the loss of
millions of records over the past several years.
Individual Harm:
–  Identity theft
–  Embarrassment
–  Blackmail
Organizational Harm:
–  Loss of public trust
–  Legal liability
–  Remediation cost ($$$)
Risk-Based Approach to Guarding the Security of PII
“If we guard our toothbrushes and diamonds with equal zeal, we will lose
fewer toothbrushes and more diamonds.”
McGeorge Bundy, fmr US National Security Advisor
•  Identify all PII residing in the data environment
•  Minimize the use, collection, and retention of PII
•  Categorize PII by confidentiality impact level
•  Apply appropriate safeguards based on confidentiality level
•  Develop an incident response plan to handle PII breaches
•  Exercise a coordinated effort in managing PII issues
Identify ALL PII Residing in Your Environment
•  An organization cannot properly protect PII it does not
know about!
•  Be sure to consider your environment:
–  Databases
–  Shared network drives
–  Backup tapes
–  Contractor sites
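An inventory step like this one (and the "What Is Cardholder Data?" slide) is easiest to act on with a discovery scan. The following is an added example, not part of the deck: it finds digit runs in text that pass the Luhn check digit test (a published property of PANs the slides do not mention, used only to cut false positives) and reports each hit truncated to first six / last four digits with a keyed fingerprint, so the inventory itself never stores a full PAN. The sample log lines, the Luhn-valid sample numbers and the demo key are all constructed.

```python
"""PAN discovery scan: find candidate primary account numbers (PANs) in
text and report them truncated (first six / last four digits) with a
keyed fingerprint, so the inventory never stores full cardholder data.

Added example; not from the original deck. The Luhn check is a published
property of PANs that the slides do not mention, used here only to cut
false positives. The key, sample lines and numbers are all constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Iterable, List

# A candidate is 13-19 digits, optionally grouped with spaces or hyphens,
# not embedded in a longer digit run (the lookarounds reject 20+ digit runs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed placeholder: in practice the key comes from key management.
# Req 3.4 lists one-way hashing among the ways to render PAN unreadable; an
# unkeyed hash of a PAN is brute-forceable because the PAN space is small,
# so the fingerprint here is keyed (HMAC).
DEMO_KEY = b"constructed-demo-key-replace-via-key-management"


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation, processing from the rightmost digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep first six and last four digits; mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def fingerprint(digits: str, key: bytes) -> str:
    """Keyed hash so repeated occurrences can be correlated without the PAN."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    truncated: str
    fingerprint: str


def find_pans(lines: Iterable[str], source: str, key: bytes) -> List[Finding]:
    """Scan the lines of one source; return Luhn-valid hits, never the PAN."""
    hits: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue        # order ids, phone numbers etc. fall out here
            hits.append(Finding(source, n, truncate_pan(digits),
                                fingerprint(digits, key)))
    return hits


# Constructed sample: an application log that should never have held card data.
SAMPLE_LINES = [
    "2013-01-14 order=4471 customer=J. Doe card=4111 1111 1111 1111 exp=12/15",
    "ticket 8820: callback 555-123-4567, ref 4111111111111112",
    "batch export: 378282246310005,5555555555554444",
    "retry: 4111-1111-1111-1111 status=declined",
]


def scan_sample() -> List[Finding]:
    """Run the scan over the constructed sample (hypothetical file app.log)."""
    return find_pans(SAMPLE_LINES, "app.log", DEMO_KEY)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.source}:{f.line_no}  {f.truncated}  fp={f.fingerprint}")
```

Line 2 produces no hit: the 16-digit reference fails the Luhn check and the phone number is too short, while lines 1 and 4 share a fingerprint because they carry the same PAN in different formatting.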
Minimize PII Used, Collected and Stored
•  The likelihood of harm caused by a breach involving PII
is greatly reduced if an organization minimizes the
amount of PII it uses, collects and stores.
•  Best Practices:
–  Review current holdings of PII and ensure they are
accurate, relevant, timely and complete
–  Reduce PII holdings to the minimum necessary for
proper performance of business functions
–  Develop a schedule for periodic review of PII holdings
–  Establish a plan to eliminate the unnecessary
collection and use of SSNs
Categorize PII by Confidentiality Impact Level
•  All PII is not created equal.
•  PII should be evaluated to determine its PII
confidentiality impact level – low, moderate, or high
–  The impact level indicates the potential harm that
could result to the individuals and/or the
organization if the PII were inappropriately
accessed, used, or disclosed.
Develop an Incident Response Plan for PII
Breaches
•  Breaches involving PII are hazardous to both individuals
and organizations
•  Harm to individuals and organizations can be contained
and minimized through the development of an effective
IRP for breaches involving PII, including:
–  Determining when and how individuals should be
notified
–  How a breach should be reported
–  Whether to provide remedial services, like credit
monitoring, to affected individuals
Encourage a Concerted Effort Regarding PII
Issues
•  Protecting the confidentiality of PII requires knowledge of
information systems, information security, privacy as well
as legal requirements.
•  Organizations should encourage close coordination
among their chief privacy officers, chief information
officers, chief information security officers and legal
counsel when making decisions related to PII policies
PCI Compliance – Trends and Tips
§  Follow industry best practices for network and IT
security
§  Use tools and services geared toward PCI Compliance
§  Align with a larger partner for credit card processing
Joel Dubbin, CISSP. SearchCIO.com
PCI is not about securing sensitive data, it’s
about eliminating data altogether.
John Kindervag, Forrester Analyst and former QSA
PCI Compliance – Trends and Tips
Virtualization
§  Servers
- Req 2.2.1 – One primary function per server
§  Entire box in-scope?
§  PCI DSS is technology neutral
§  No guidance for QSAs
PCI Compliance – Trends and Tips
Segmentation
§  Reduce the cardholder data landscape
§  Reduces cost of remediation
§  Reduces exposure
PCI Compliance – Trends and Tips
Outsourcing (Card data, Service Providers, Shared Hosting, Managed
Services)
§  Must third party be PCI certified?
§  Who owns the liability?
§  What entities does a PCI assessment cover?
PCI Compliance – Trends and Tips
“PCI SWALLOWS ITS OWN TAIL”
•  “I’m concerned that as long as the payment card
industry is writing the standards, we’ll never see
a more secure system,” (Rep. Bennie) Thompson
said. “We in Congress must consider whether we
can continue to rely on industry-created
standards, particularly if they’re inadequate to
address the ongoing threat.”
•  http://information-security-resources.com/2009/04/01/payment-card-industry-swallows-its-own-tail
PCI Compliance – Trends and Tips
Useful links
•  PCI Security Standards Council - www.pcisecuritystandards.org
•  The SANS Institute - www.sans.org
•  The National Institute of Standards and Technology - www.nist.gov
•  The Center for Internet Security - www.cisecurity.org
•  Approved QSA Listing - https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
•  Approved ASV Listing - https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm
•  PCI KnowledgeBase - http://www.knowpci.com
•  PCI Auditor Community Site (Message Board) - http://pcifile.org/phpBB2/index.php
•  PCI DSS Compliance Demystified (Blog) - http://pcianswers.com/
Questions?

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

PCI-DSS for IDRBT

• 1. PCI DSS & PII
Shanmugavel Sankaran, FixNix InfoSec Solutions Pvt Ltd

• 2. Session Etiquette
  •  Please turn off all cell phones.
  •  Please keep side conversations to a minimum.
  •  If you must leave during the presentation, please do so as quietly as possible.

• 3. What is PCI?
  •  The Payment Card Industry Data Security Standard (PCI DSS) was first published in 2004 by the major card brands: Visa, MasterCard, Discover, American Express and JCB, the five brands that went on to form the PCI Security Standards Council in 2006.
  •  PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
  •  Adherence to PCI DSS aids in securing cardholder payment data that is stored, processed or transmitted by merchants and processors.
  •  PCI DSS specifies requirements covering many security technologies and business processes, and reflects most of the best practices for securing sensitive information.
  •  PCI DSS is increasingly treated as a baseline for securing all organizational data, not just card data, and has been considered as the basis of legislation by several US states.
  (Source: PCI Security Standards Council)

• 4. What Is Cardholder Data?
  Cardholder data is the card-related personally identifiable information (PII) that PCI DSS protects. The standard separates it into two classes with different rules:
  •  Cardholder Data (may be stored, but only under the Requirement 3 controls)
    –  Primary Account Number (PAN), on its own or together with:
      –  Expiration date
      –  Cardholder name
      –  Service code
  •  Sensitive Authentication Data (must never be stored after authorization, not even encrypted)
    –  CVV2 / CVC2 / CID (card verification values)
    –  Full Track 1 and Track 2 data (magnetic stripe or chip equivalent)
    –  PINs and PIN blocks
  The PAN is the defining element: where no PAN is stored, processed or transmitted, PCI DSS does not apply to the name, expiration date or service code on their own.

• 5. Who Must Comply?
  •  PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data. All organizations with access to cardholder information must meet the data security standards.
  •  However, the way in which organizations validate their compliance differs based on whether they are merchants or service providers and on the specific validation requirements defined by each card brand. Each of the five major card brands has its own set of validation requirements.
  •  Information regarding service provider levels and validation requirements can be obtained from each card brand's website.
  •  The security requirements apply to all system components, network components, servers or applications included in, or connected to, the processing of cardholder data.

• 6. What is PCI? (recap)
  •  Payment Card Industry Data Security Standard
  •  PCI scope includes storing, processing and transmitting cardholder data AND any connected system
  •  Continuous program, not a one-time project!

• 7. PCI Version 2.0
  •  Has changed the way we do business
  •  Costs have increased
  •  Documentation, documentation!

• 8. What's New in PCI 2.0?
  •  Scoping
  •  Wireless networks
  •  Storing hashed data: where hashed and truncated versions of the same PAN both exist, controls must ensure they cannot be correlated, because the pair makes the full PAN easy to reconstruct
  •  Self-Assessment Questionnaire C-VT (virtual terminals)

• 9. PCI Security Standards Council
  •  Global forum
  •  Owns PCI DSS, PA-DSS and PCI PTS
  •  Approves QSAs and ASVs
  •  Develops and publishes PCI documentation, including the SAQs
  •  Training

• 10. Payment Brands, Acquirers and Processors
  •  Payment brands
    –  Track compliance and enforce standards
    –  Determine event response
    –  Define merchant levels
  •  Acquirers and processors
    –  Set merchant level
    –  Determine compliance
    –  Approve compensating controls

• 11. Updates from Feedback on the PCI Standards
  •  Request change to existing requirement/testing procedure (34%)
  •  Request clarification (27%)
  •  Request for additional guidance (19%)
  •  Feedback only, no change requested (12%)
  •  Request for new requirement/testing procedure (7%)
  PCI SSC press release dated 9/5/12, "PCI Security Standards Council Releases Summary of Feedback on PCI Standards"

• 12. Topics Most Frequently Mentioned in Suggestions
  •  PCI DSS Req 11.2: prescribing the use of specific tools, requiring ASVs to perform internal scans, and defining "significant change"
  •  PCI DSS scope of assessment: detailed guidance on scoping and segmentation
  •  PCI DSS Req 12.8: clarify the terms "service provider" and "shared", and provide more prescriptive requirements for the written agreements that apply to service providers

• 13. Topics Most Frequently Mentioned in Suggestions (cont'd)
  •  PCI DSS SAQs: suggestions for updating; either too complex or not detailed enough
  •  PCI DSS Req 3.4: further clarification and guidance, since encryption and key management are complex requirements, and truncation/hashing and tokenization are not convenient methods for storing and retrieving data
  •  PCI DSS Req 8.5: update the password requirements, including expanding authentication beyond just passwords
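Slides 8 and 13 both touch the Req 3.4 options for rendering a stored PAN unreadable (truncation, hashing, tokenization, encryption) and the 2.0 clarification that a hashed PAN and a truncated PAN of the same card must not be correlatable. The Python below is an added worked example, not code from the deck or from the PCI SSC: it shows why that clarification exists. A 16-digit PAN whose first six and last four digits are known has only six unknown digits, one of which is fixed by the Luhn check digit, so an unkeyed SHA-256 of the PAN is reversed with at most 100,000 guesses; even without truncation, a known six-digit BIN leaves roughly 10^9 Luhn-valid candidates, which is a few minutes of offline work. A keyed hash (HMAC) whose key lives outside the database, for example in an HSM or KMS, takes that attack away, which is why later versions of the standard (v4.0 Requirement 3.5.1.1) require keyed cryptographic hashes. The sample PAN is constructed (Luhn-valid, not a real card), and `fill_luhn_digit`, `recover_pan` and the other names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_sum(pan: str) -> int:
    """Luhn (mod 10) sum of a digit string; the string is valid when the sum is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                        # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def fill_luhn_digit(prefix: str, suffix: str) -> str:
    """Return prefix + d + suffix for the one digit d that makes the result Luhn-valid.
    A single digit's Luhn contribution is a bijection on 0..9, so exactly one d works."""
    base = luhn_sum(prefix + "0" + suffix)    # the placeholder 0 contributes nothing
    need = (-base) % 10
    if len(suffix) % 2 == 0:                  # d sits at an undoubled position
        d = need
    else:                                     # d is doubled: invert the doubling map
        d = next(x for x in range(10) if (x * 2 - 9 if x > 4 else x * 2) == need)
    return prefix + str(d) + suffix


def truncate_pan(pan: str) -> str:
    """Req 3.3 style display: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: the storage pattern the 2.0 clarification warns about."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is assumed to be held outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """Attacker's view: the truncated PAN plus an unkeyed hash of the same PAN.
    Only the middle digits are unknown and one of them is forced by Luhn, so a
    16-digit PAN leaves 10**5 candidates rather than 10**6."""
    first6, last4 = truncated[:6], truncated[-4:]
    free = len(truncated) - 10 - 1            # unknown middle digits minus the forced one
    for n in range(10 ** free):
        cand = fill_luhn_digit(first6 + str(n).zfill(free), last4)
        if unkeyed_hash(cand) == digest:
            return cand
    return None                               # a keyed digest never matches without the key


# Constructed sample PAN (not a real card): 15 chosen digits plus a computed check digit.
SAMPLE_PAN = fill_luhn_digit("453998765432107", "")   # "4539987654321074"

if __name__ == "__main__":
    trunc = truncate_pan(SAMPLE_PAN)
    print("stored truncated PAN:         ", trunc)
    print("recovered from unkeyed SHA-256:", recover_pan(trunc, unkeyed_hash(SAMPLE_PAN)))
    key = secrets.token_bytes(32)             # assumed to live in a KMS/HSM, not beside the data
    print("recovered from keyed HMAC:     ", recover_pan(trunc, keyed_hash(SAMPLE_PAN, key)))
```

The second lookup runs the full candidate space and still returns nothing, because the attacker has no key to feed into the HMAC; the first returns the full PAN after fewer than 100,000 hashes. The same reasoning applies to tokenization schemes that derive the token from the PAN without a secret.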
• 14. PCI SSC Releases
  •  PCI Mobile Payment Acceptance Security Guidelines
    –  Offer software developers and mobile device manufacturers guidance on designing appropriate security controls, so that merchants have solutions for accepting mobile payments securely
  PCI SSC press release dated 9/13/12

• 15. PCI SSC Releases (cont'd)
  •  Point-to-Point Encryption (P2PE) resources
    –  Program guide and SAQ to support implementation of hardware-based P2PE solutions
  PCI SSC press release dated 6/28/12

• 16. New PCI Professional Program (PCIP)
  •  PCI SSC's first individual accreditation program
  •  Designed to build a greater level of PCI expertise across the industry
  •  Minimum two years of IT or IT-related experience, plus a base level of knowledge of information technology, network security and architecture, and the payment industry participants
  PCI SSC press release dated 9/6/12

• 17. PCI DSS Risk Assessment Guidelines
  The supplement outlines the relationship between PCI DSS and risk assessments, including various industry risk methodologies and the key components of a risk assessment: developing a risk assessment team, building a risk assessment methodology, risks introduced by third parties, risk reporting and critical success factors. Key recommendations:
  •  A formalized risk assessment methodology suited to the culture and requirements of the organization
  •  Continuous risk assessment
  •  A risk assessment cannot be used to avoid PCI DSS compliance
  PCI SSC press release dated 11/16/12

• 18. Information Supplement: E-commerce Guidelines
  Released to provide guidance to merchants that use electronic commerce (e-commerce) to sell goods and services, in their quest to obtain PCI compliance.
  •  Merchants may develop their own payment software, use third-party software, or a combination.
  •  Merchants may use various technologies: payment processing applications, application programming interfaces (APIs), inline frames (iFrames), or hosted payment pages.
  •  Merchants may retain different levels of control and responsibility for managing the supporting IT infrastructure.
  PCI SSC information supplement dated 1/2013

• 19. Information Supplement: E-commerce Guidelines (cont'd)
  Key considerations:
  •  No option completely removes PCI DSS responsibilities. NOT even outsourcing!
  •  Payment applications should be PA-DSS validated. Check them against the PCI SSC's list of Validated Payment Applications.
    –  For in-house developed applications, use PA-DSS as a best practice.
  •  Documentation! Document the relationships between the merchant and third parties with regard to PCI DSS.

• 20. PCI DSS Cloud Computing Guidelines
  •  The guidelines (an information supplement) provide an overview of the cloud environment, explaining common deployment and service models and how implementations may differ.
  •  Roles and responsibilities between the provider and the customer across the different models are explained, with guidance on how to determine and document these responsibilities.
  •  PCI DSS considerations and compliance challenges are discussed, including scoping, segmentation and validating compliance in the cloud environment.
  •  Other security considerations, on both the business and the IT side, of using cloud technologies are explored.
  PCI SSC press release dated 2/7/13

• 21. PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users
  •  The document provides a high-level introduction and overview of mobile payments and the security risks of mobile devices. This "unique, complex and evolving mobile environment underscores the need for all parties in the payment chain to work together to ensure mobile acceptance solutions are deployed securely."
  •  Key areas:
    –  Objectives and guidance for the security of a payment transaction
    –  Guidelines for securing the mobile device
    –  Guidelines for securing the payment acceptance solution
  Appendices provided
  PCI SSC press release dated 2/14/13

• 22. Merchant Issues on Campus
  •  CDE, the Cardholder Data Environment (where does the data reside? everywhere?)
  •  Call centers: voice recording
  •  VoIP (Voice over Internet Protocol)
  •  Service providers
  •  Remote events

• 23. Merchant Issues on Campus (cont'd)
  •  Bookstores
  •  Medical practices
  •  Patient collections
  •  Conferences
  •  Pledge drives

• 24. Merchant Issues on Campus (cont'd)
  •  Food service
  •  Kiosks
  •  Paper forms
  •  Unrelated third parties
    –  Does this make you a service provider?
  Treasury Institute for Higher Education 2012 PCI Workshop, Walt Conway, QSA, 403 Labs

• 25. What is PII?
  PII (Personally Identifiable Information) is any information about an individual that can be used to distinguish or trace that individual's identity, or that can be linked to an individual. Examples:
  –  Name: full name, mother's maiden name, alias
  –  Personal ID numbers: Social Security number, passport, driver's license or credit card numbers
  –  Medical, educational, financial and employment information

• 26. Personally Identifiable Information (PII)
  The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past several years.
  •  Individual harm: identity theft, embarrassment, blackmail
  •  Organizational harm: loss of public trust, legal liability, remediation cost ($$$)

• 27. Risk-Based Approach to Guarding the Security of PII
  "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." McGeorge Bundy, former US National Security Advisor
  •  Identify all PII residing in the data environment
  •  Minimize the use, collection, and retention of PII
  •  Categorize PII by confidentiality impact level
  •  Apply appropriate safeguards based on confidentiality level
  •  Develop an incident response plan to handle PII breaches
  •  Exercise a coordinated effort in managing PII issues

• 28. Identify ALL PII Residing in Your Environment
  •  An organization cannot properly protect PII it does not know about!
  •  Be sure to consider your whole environment:
    –  Databases
    –  Shared network drives
    –  Backup tapes
    –  Contractor sites
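In practice, the discovery step on slide 28 (and the "where does the data reside?" question on slide 22) is done with a PAN discovery scan over databases, file shares, backups and, very often, application logs, where card numbers leak through debug output and support notes. The Python below is an added example, not a tool from the deck or from the PCI SSC: it pulls candidate digit runs out of text, drops the false positives with the Luhn check (order IDs, timestamps and phone numbers almost never pass it), and reports only the first six and last four digits, so the scan report itself does not become another copy of cardholder data. The log lines are constructed, the PAN in them is a made-up Luhn-valid number, and `find_pans`, `mask_pan` and `PAN_CANDIDATE` are this example's own names.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# neither preceded nor followed by another digit (so a 20-digit ID is not a hit).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: real PANs pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 == 1 else d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report format: first six and last four digits only (the Req 3.3 display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str = "<constructed>") -> List[Dict[str, object]]:
    """Scan text line by line and return masked findings; the full PAN is never kept."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue                      # order IDs, timestamps, counters drop out here
            findings.append({
                "source": source,
                "line": lineno,
                "column": m.start() + 1,
                "masked": mask_pan(digits),
                "length": len(digits),
            })
    return findings


# Constructed sample: four application log lines. The card number is made up
# (Luhn-valid, not a real card); the order ID and the latency value are not PANs.
SAMPLE_LOG = """\
2013-02-07 10:14:02 INFO  checkout ok order=ORD-1234567890123456 amount=19.99
2013-02-07 10:14:02 DEBUG gateway POST /charge?card=4539987654321074&exp=0815&cvv=123
2013-02-07 10:15:40 WARN  ticket#5521 note: customer read card 4539 9876 5432 1074 over the phone
2013-02-07 10:16:03 INFO  health ok latency_ms=20130207101603
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG, source="app.log"):
        print(f"{f['source']}:{f['line']}:{f['column']} PAN {f['masked']} ({f['length']} digits)")
```

Two findings come back, both masked as 453998******1074: the PAN in the gateway DEBUG line and the spaced copy in the support note. The order ID and the latency counter are the right length but fail Luhn and are dropped. Note what the scanner does not catch: the same DEBUG line also logs the CVV, which is sensitive authentication data that may not be stored at all after authorization, so a log review has to look for SAD fields by name, not only for PAN-shaped numbers.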
• 29. Minimize PII Used, Collected and Stored
  •  The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects and stores.
  •  Best practices:
    –  Review current holdings of PII and ensure they are accurate, relevant, timely and complete
    –  Reduce PII holdings to the minimum necessary for proper performance of business functions
    –  Develop a schedule for periodic review of PII holdings
    –  Establish a plan to eliminate the unnecessary collection and use of SSNs

• 30. Categorize PII by Confidentiality Impact Level
  •  All PII is not created equal.
  •  PII should be evaluated to determine its confidentiality impact level: low, moderate or high.
    –  The impact level indicates the potential harm that could result to the individuals and/or the organization if the PII were inappropriately accessed, used or disclosed.

• 31. Develop an Incident Response Plan for PII Breaches
  •  Breaches involving PII are hazardous to both individuals and organizations.
  •  Harm to individuals and organizations can be contained and minimized through an effective IRP for breaches involving PII, covering:
    –  When and how individuals should be notified
    –  How a breach should be reported
    –  Whether to provide remedial services, such as credit monitoring, to affected individuals

• 32. Encourage a Concerted Effort Regarding PII Issues
  •  Protecting the confidentiality of PII requires knowledge of information systems, information security and privacy, as well as of legal requirements.
  •  Organizations should encourage close coordination among their chief privacy officers, chief information officers, chief information security officers and legal counsel when making decisions related to PII policies.

• 33. PCI Compliance: Trends and Tips
  •  Follow industry best practices for network and IT security
  •  Use tools and services geared toward PCI compliance
  •  Align with a larger partner for credit card processing
  Joel Dubbin, CISSP, SearchCIO.com

• 34. PCI Compliance: Trends and Tips
  "PCI is not about securing sensitive data, it's about eliminating data altogether." John Kindervag, Forrester analyst and former QSA

• 35. PCI Compliance: Trends and Tips. Virtualization
  •  Servers: Req 2.2.1, one primary function per server (in v2.0 this explicitly extends to one primary function per virtual system component)
  •  Is the entire box in scope? A hypervisor that hosts any in-scope virtual machine is itself in scope.
  •  PCI DSS is technology neutral
  •  Little guidance for QSAs (the PCI SSC Virtualization Guidelines information supplement of June 2011 is the reference that exists)

• 36. PCI Compliance: Trends and Tips. Segmentation
  •  Reduces the cardholder data landscape
  •  Reduces the cost of remediation
  •  Reduces exposure
  Segmentation is not itself a PCI DSS requirement, but without it the entire network is in scope, and the isolation it provides has to be verified during the assessment, not assumed.

• 37. PCI Compliance: Trends and Tips. Outsourcing (card data, service providers, shared hosting, managed services)
  •  Must the third party be PCI certified?
  •  Who owns the liability?
  •  What entities does a PCI assessment cover?

• 38. PCI Compliance: Trends and Tips. "PCI Swallows Its Own Tail"
  •  "I'm concerned that as long as the payment card industry is writing the standards, we'll never see a more secure system," (Rep. Bennie) Thompson said. "We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they're inadequate to address the ongoing threat."
  •  http://information-security-resources.com/2009/04/01/payment-card-industry-swallows-its-own-tail

• 39-44. (image-only slides, no transcribed text)

• 45. Useful Links
  •  PCI Security Standards Council: www.pcisecuritystandards.org
  •  The SANS Institute: www.sans.org
  •  The National Institute of Standards and Technology: www.nist.gov
  •  The Center for Internet Security: www.cisecurity.org
  •  Approved QSA listing: https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
  •  Approved ASV listing: https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm
  •  PCI KnowledgeBase: http://www.knowpci.com
  •  PCI Auditor Community Site (message board): http://pcifile.org/phpBB2/index.php
  •  PCI DSS Compliance Demystified (blog): http://pcianswers.com/