SlideShare uma empresa Scribd logo

PCI Version Three and Thee

Terra Verde
Terra Verde

An overview of PCI DSS 3.0 and how it applies to you and your business.

NegóciosEconomia e finanças
1 de 56
Baixar para ler offline
Why PCI! •  In August 2012 an employee of the South Carolina Department of Revenue opened an email enabling a malware attack.! – Employee’s credentials were lifted.! – Miscreants used credentials in remote login! •  75GB of backups exfiltrated in September! •  Income tax returns of every SC citizen exposing SSNs, bank account numbers, etc.! •  CC numbers exfiltrated but not exposed.!
PCI DSS QSA ROC AOCISA SAQPA-DSS P2PE Acronym soup ASV
The Acronyms! •  Payment Card Industry—the brands! •  Data Security Standard has requirements! – Self Assessment Questionnaires have fewer! •  Approved Scanning Vendor—external scans! •  Qualified Security Assessor—test and report! – Internal Security Assessor—home grown! •  Report On Compliance—requirements met?! – Attestation Of Compliance—cross my heart! •  Payment Application-DSS—e.g. point of sale!
ATM  Security  Guidelines   Mobile  Payment  Acceptance  Security  Guidelines  for  Developers  v1.0     Mobile  Payment  Acceptance  Security  Guidelines  for  Merchants  v1.0     PCI  DSS  2.0  Cloud  CompuBng  Guidelines     PCI  DSS  2.0  eCommerce  Guidelines     PCI  DSS  2.0  Risk  Assessment  Guidelines     PCI  DSS  Applicability  in  an  EMV  Environment  Guidance  v1.0     PCI  DSS  TokenizaBon  Guidelines     PCI  DSS  v2.0  Wireless  Guidelines     PCI  DSS  VirtualizaBon  Guidelines  v2.0     ProtecBng  Telephone-­‐based  Payment  Card  Data     Requirement  11.3  PenetraBon  TesBng  v1.2     Requirement  6.6  ApplicaBon  Reviews  and  Web  ApplicaBon  Firewalls  Clarified  v1.2     Skimming  PrevenBon—Best  PracBces  for  Merchants   Understanding  the  SAQs  for  PCI  DSS  v3.0         Information Suppliments!
What’s on the card
 Cardholder data (CHD) and SAD! •  Primary account number—PAN! •  Sensitive authentication data—SAD! – Encoded into the magnetic track! •  Card Verification Code 1—CVV1! – Encoded into “chip and PIN” cards—PIN! – Printed on the front or back on the card! •  CVV2! •  Expiration date! •  Cardholder name!
Chiseled in STONE! ✽ —  Even  if  encrypted   ✽  SensiBve  AuthenBcaBon  Data   —  Even  if  it’s  sound   1 2 3 4
Call Centers! No ! PCI standard calls for! a clean desk!
Call Centers! •  No PCI standard calls for a clean desk.! –  Control physical media, e.g. paper, flash drive.! –  Restrict access to handheld devices.! •  Recordings of calls may hold CHD—encrypt.! •  But what about sensitive authentication data?! –  Avoid it by not collecting CVV2 et al, or pause recording, or connect caller to Interactive Voice Response (IVR) system; or,! –  Deploy a compensating control.! •  Protecting Telephone-based Payment Card Data!
What is a compensating control?
 1 of 2! •  Described when the deployed controls are not those specified in the requirement.! •  For each compensating control one must:! – state the technical or business reason compliance to the requirement as written is not possible;! – describe what the original control was supposed to do and what the compensating control does;! – Identify risk cause by lack of original control;!
What is a compensating control?
 2 of 2! – Describe the control and how it addresses the requirement and any increased risk;! – The QSA must describe how the control was tested to validate; and,! –  Describe how will the control be maintained.! •  A compensating control cannot be one that is already mandated for the asset.! – e.g. integrity checking on the server which doesn’t have anti-malware software installed.!
Electronic Commerce! •  No physical presence so you don’t worry about point-of-sale systems, skimmers, or track data.! •  Instead, you’re on the friendly Internet using hardy web browsers and servers.!
Store, process, and transmit! •  Your web server talks to your customer to take order and collect CHD for payment.! •  To make purchases “easier” for your customer, you save the CHD, but not SAD, for subsequent purchases.! •  You communicate with your processor to authenticate account and then make the charge.! •  You have a lot of explaining to do.!
Your applications! •  May be bespoke—customized to your business by you or third party.! – This application must be evaluated by the QSA.! •  May be purchased commodity software.! – Purchase PCI-certified Payment Applications and follow Implementation Guide.! – If not, QSA must evaluate.! •  May be a mélange, e.g. your web services fronting purchased shopping cart software.!
Over there for payment please! What if I get someone else to accept the CHD and process the charge?! I never see CHD.! Do I still have to be PCI compliant? !
That depends! •  The PCI DSS 2.0 eCommerce Guidelines describes several scenarios.! – Shared Management! •  Direct Post! •  iFrame! •  Redirect! – Wholly outsourced! •  A new SAQ, A-EP, is available for version 3!
Embedded APIs with Direct Post! •  Use processor-provided APIs to plug code into customer’s browser window.! •  When data is entered into payment fields, it is sent directly to the processor, not to the merchant.! •  Merchant must ensure that that its website is not compromised.!
Inline iFrames! •  Processor’s web page is embedded within the web page of the merchant.! •  Data entered into iFrame is sent directly to the processor and not seen by the merchant.! •  Compromise of merchant website may result in a compromise of iFrame.!
Hosted-payment page! •  Merchant’s page contains link to payment processor website.! •  Customer is redirected to that site to enter payment information.! •  If the merchant webpage is compromised, the customer could be redirected to a bad-guy site to enter CHD.!
Wholly outsourced! •  Customer connects directly to third-party site for all functions, including payment.! – Merchant can login to manage store content.! •  This is also a good solution for those businesses who collect payment information over the phone.! – The CSR connects directly to the customer or to the card processor to enter CHD and amount to be charged.!
Oh No! Not Another Version!
Version 3.0 ! •  Three year development cycle! •  Available for compliance in 2014! •  Mandatory for compliance beginning 2015!
What did they want to fix! •  Divergent interpretations of the standard! •  Weak or default passwords! •  Slow detection of compromise! •  Security problems introduced by 3rd parties! •  and various other areas!
Highlights! •  The twelve steps…errr…requirements remain! •  Some sub-requirements added! •  Policy and procedure requirements proximate to items each policy and procedure addresses! •  Descriptions of tests are more precise! –  Aligned language of requirement and test ! –  Clarified what to do to verify compliance! •  More rigor in determining scope of assessment! •  More guidance on log reviews! •  More rigorous penetration testing!
No hiding documentation sins! •  Version 2 aggregates all policy and procedure requirements in one location.! – 12.1.1 Verify that the [security] policy addresses all PCI DSS requirements. ! – 12.2 Verify that [daily operational security procedures] are consistent with this specification, and include administrative and technical procedures for each of the requirements.! •  Difficult to detect requirements not covered.!
Moved to relevant locations! – 1.5 managing firewalls are . ! – 2.5 managing vendor defaults and other security parameters are ! – 3.7 protecting stored cardholder data are – 8.8 identification and authentication are ! – 10.8 monitoring all access to network resources and cardholder data are !
Eschew Ambiguity! •  Too much variance in interpretation among QSAs! – Clients get different interpretations.! – PCI Counsel’s Quality Control sees too much 
 variance in the Reports on Compliance (ROC).! •  Version 3 removes ambiguities in the specification that result in inconsistent interpretations of a requirement.!
Guidance for each requirement!
V2 ROC Reporting Instructions!
V3 Report on Compliance Template!
Version 3 SAQs! •  Format and content changes! – Expected Testing, a new column ! – the Special column has been replaced with Yes with CCW (compensating control worksheet) and N/A! – sections reorganized to ensure that an entity’s attestation encompasses all elements of the SAQ and AOC! •  eligibility for, and requirements within, each SAQ have been revised!
There’s some new SAQs in town! •  A-EP! e-commerce merchants who outsource all payment processing to 3rd parties, using a website that doesn’t directly receive cardholder data but that can impact the security of the payment transaction! •  A-IP! merchants using only standalone, 
 PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage !
This is me! ENIAC!UNIVAC!
New authentication requirement! •  If you use identical credentials to authenticate yourself to all your customers…! •  …a compromise of one of those customers exposes all the other customers.! •  New Requirement 8.5.1! Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential for each customer. !
Division of labor with 3rd party! •  New requirement, 12.8.5, mandates that the assessed entity is aware of which DSS requirements are managed by the service provider and which are managed by the entity.! •  How this division is documented and agreed between the assessed entity and the service provider is not specified.!
Service Provider Responsibility1 of 2! New requirement,12.9, mandates that Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of
 the customer, or to the
 extent that they could
 impact the security
 of the customer’s CDE.!
Service Provider Responsibility2 of 2! •  The exact wording of that acknowledgement will depend on:! – the agreement between the two parties;! – the details of the service being provided; and,! – the responsibilities assigned to each party.! •  The acknowledgement does not have to include the exact wording provided in this requirement.! •  Get your lawyers involved!
Service Provider Responsibility2 of 2! •  The exact wording of that acknowledgement will depend on:! – the agreement between the two parties;! – the details of the service being provided; and,! – the responsibilities assigned to each party.! •  The acknowledgement does not have to include the exact wording provided in this requirement.! •  Get your lawyers involved!
They’re getting serious about the CDE! Clause 3.1.1 of the ROC requires documentation of how the assessor validated the accuracy of the PCI DSS scope by describing:! –  The methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to identify and document all existences of cardholder data.! –  The methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to verify that no cardholder data exists outside of the CDE scope defined for this assessment.! –  How the results of the methods/processes were evaluated to verify that PCI DSS scope is appropriate.! –  How the results of the methods/processes were documented (e.g. the results may be a diagram or an inventory of cardholder data locations).! –  Why the methods used for scope verification are considered by the assessor to be effective and accurate.! –  Provide the name of the assessor who attests that the scope of the assessment has been verified to be accurate and appropriate.!
A Penetration Test Methodology! •  Based on industry-accepted approaches,
 e.g. NIST SP800-115! •  A new clause 11.3! –  Test entire perimeter of CDE & all critical systems! –  Validate all scope-reduction controls—segmentation! –  Test from inside and from outside of the network! –  Test network-function components and OSs! –  As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5!
Those vulnerabilities are! •  Injection flaws, particularly SQL injection. ! •  Buffer overflow ! •  Insecure cryptographic storage ! •  Insecure communications ! •  Improper error handling ! •  Cross-site scripting (XSS) ! •  Improper Access Control, ! •  Cross-site request forgery (CSRF)! •  Broken authentication and session management. !
If you develop! •  Requirement 6.5 mandates that programmers of internally-developed and bespoke applications must be trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. ! •  The QSA must identify the records of training that were examined to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. !
Authentication! •  Requirement 8.2–6 text recognizes methods other than password, e.g. passphrases or certificates! –  Authentication credentials! •  Minimum password length is still 7 characters! –  “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”! •  A service provider must use a different password for each of its clients.!
Quicker detection of compromise! •  Deploy a integrity change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files ! – configure the software to perform critical file comparisons at least weekly. !
Quicker detection of compromise! •  Deploy a integrity change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files ! –  configure the software to perform critical file coparison at least weekly. ! •  New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism. !
How much work is this?! •  Greater effort to move from 2.0 to 3.0 than from 1.2 to 2.0! •  PCI compliance should be continuous! – No frantic preparation before the arrival of the auditors and a round of drinks after they leave.! •  More stringent testing procedures may find that previously compliant elements are now non-compliant.!
Some new requirements need not be in place until 30 June 2015! –  6.5.11 Broken Authentication and Session Management ! –  8.5.1 Use of unique authentication credentials for each client of a service provider.! –  9.9 Protect POS from physical tampering! –  11.3 Penetration test methodology! –  12.9 Written acknowledgement of 3rd party responsibilities and compliance! Some breathing room!
If your organization…! •  practices good information governance such that it is aware of what types of data it has and where it stores, processes, and sends that data;! •  properly protects access to its information and its processes; and,! •  defines appropriate policies implemented by self-documenting processes that not only comply with PCI requirements but also create easily discoverable evidence that compliance was continuous throughout the year; then!
Not only do you have…! A good security and risk posture!   You should be compliant with little additional effort.!  
One more thing! •  Organizations often spend much effort to reduce the portion of the enterprise that will be subject to PCI DSS audit.! •  The effort to protect CHD and SAD within the CDE should also be applied to PII throughout the entire enterprise.! •  Had South Carolina done so, it’s likely no PII would have been exposed. ! •  A tugboat may lead us to the answer. !
The T. J. Hooper! •  Towed barges and cargo lost in storm! •  Cargo owners sue claiming negligence! – Radio was a readily available technology! – Couldn’t receive broadcasts warning of storm! •  No other tugboat operators had radios— !the standard of care for the industry! •  In a landmark decision Judge Learned Hand found the tugboat owners liable!
“Indeed  in  most  cases  reasonable  prudence  is  in   fact  common  prudence,  but  strictly  it  is  never  its   measure.  A  whole  calling  may  have  unduly   lagged  in  the  adopBon  of  new  and  available   devices…Courts  must  in  the  end  say  what  is   required.  There  are  precauBons  so  imperaBve   that  even  their  universal  disregard  will  not   excuse  their  omission.”                                  —Judge  Learned  Hand,  1932      
Custom is not based merely on old standards. It also must be based on adapting to new technology. The duty of care is a relative concept that changes.
?Hoyt  L.  Kesterson  II   Senior  Security  Architect   hoyt.kesterson@tvrms.com   602  316  1985   Scobsdale,  Arizona  

Recomendados

Smart Card to the Cloud for Convenient, Secured NFC Payment
Smart Card to the Cloud for Convenient, Secured NFC PaymentSmart Card to the Cloud for Convenient, Secured NFC Payment
Smart Card to the Cloud for Convenient, Secured NFC PaymentSazzadur Rahaman
 
Invoice Automation Paul Turner
Invoice Automation Paul TurnerInvoice Automation Paul Turner
Invoice Automation Paul TurnerPaul_M_Turner
 
Digital invoicing application
Digital invoicing applicationDigital invoicing application
Digital invoicing applicationMohammedAbraruddin3
 
e-Invoice System and e-Way Bill
e-Invoice System and e-Way Bille-Invoice System and e-Way Bill
e-Invoice System and e-Way BillMohammedAbraruddin3
 
Horizon_Brochure
Horizon_BrochureHorizon_Brochure
Horizon_BrochureOmar Tarish
 
ACE POS
ACE POSACE POS
ACE POSSuzoy Banerjiee
 
Digital Invoicing & Digital Payments | Emagia Digital Invoicing Software | Di...
Digital Invoicing & Digital Payments | Emagia Digital Invoicing Software | Di...Digital Invoicing & Digital Payments | Emagia Digital Invoicing Software | Di...
Digital Invoicing & Digital Payments | Emagia Digital Invoicing Software | Di...emagia
 
Understanding Digital Payments
Understanding Digital PaymentsUnderstanding Digital Payments
Understanding Digital PaymentsSantosh Potadar
 

Recomendados

Smart Card to the Cloud for Convenient, Secured NFC Payment
Smart Card to the Cloud for Convenient, Secured NFC PaymentSmart Card to the Cloud for Convenient, Secured NFC Payment
Smart Card to the Cloud for Convenient, Secured NFC PaymentSazzadur Rahaman
 
Invoice Automation Paul Turner
Invoice Automation Paul TurnerInvoice Automation Paul Turner
Invoice Automation Paul TurnerPaul_M_Turner
 
Digital invoicing application
Digital invoicing applicationDigital invoicing application
Digital invoicing applicationMohammedAbraruddin3
 
e-Invoice System and e-Way Bill
e-Invoice System and e-Way Bille-Invoice System and e-Way Bill
e-Invoice System and e-Way BillMohammedAbraruddin3
 
Horizon_Brochure
Horizon_BrochureHorizon_Brochure
Horizon_BrochureOmar Tarish
 
ACE POS
ACE POSACE POS
ACE POSSuzoy Banerjiee
 
Digital Invoicing & Digital Payments | Emagia Digital Invoicing Software | Di...
Digital Invoicing & Digital Payments | Emagia Digital Invoicing Software | Di...Digital Invoicing & Digital Payments | Emagia Digital Invoicing Software | Di...
Digital Invoicing & Digital Payments | Emagia Digital Invoicing Software | Di...emagia
 
Understanding Digital Payments
Understanding Digital PaymentsUnderstanding Digital Payments
Understanding Digital PaymentsSantosh Potadar
 
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Aggregage
 
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Emily Millard Murphy
 
December 2007 Document Recognition Technology Overview Presentation
December 2007 Document Recognition Technology Overview PresentationDecember 2007 Document Recognition Technology Overview Presentation
December 2007 Document Recognition Technology Overview PresentationJohn Wang
 
QRev Market Pitch - Hypermarkets
QRev Market Pitch - HypermarketsQRev Market Pitch - Hypermarkets
QRev Market Pitch - HypermarketsZahid Shaikh
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseDESMOND YUEN
 
Payment Gateway
Payment GatewayPayment Gateway
Payment GatewayAshraf Bashir
 
Unified Payment Interface
Unified Payment InterfaceUnified Payment Interface
Unified Payment InterfaceAkash Chandra
 
Mobile payment solution
Mobile payment solutionMobile payment solution
Mobile payment solutionhearme limited company
 
праздник 8 марта средняя группа №8 здание 5
праздник 8 марта средняя группа №8 здание 5праздник 8 марта средняя группа №8 здание 5
праздник 8 марта средняя группа №8 здание 5Elena Valerevna
 
масленица
масленицамасленица
масленицаElena Valerevna
 
подготовительная группа. Здание №3
подготовительная группа. Здание №3подготовительная группа. Здание №3
подготовительная группа. Здание №3Elena Valerevna
 
день птиц группа № 5
день птиц группа № 5день птиц группа № 5
день птиц группа № 5Elena Valerevna
 
егэ
егэегэ
егэElena Valerevna
 
Арт-холл 2.10.14
Арт-холл 2.10.14Арт-холл 2.10.14
Арт-холл 2.10.14Elena Valerevna
 
осенние праздники здание3
осенние праздники здание3осенние праздники здание3
осенние праздники здание3Elena Valerevna
 
пдд 15 апреля
пдд 15 апреляпдд 15 апреля
пдд 15 апреляElena Valerevna
 
8 марта
8 марта 8 марта
8 марта Elena Valerevna
 
день птиц старшая группа №7 здание №5
день птиц старшая группа №7 здание №5день птиц старшая группа №7 здание №5
день птиц старшая группа №7 здание №5Elena Valerevna
 
день здоровья 7.04.14г
день здоровья 7.04.14гдень здоровья 7.04.14г
день здоровья 7.04.14гElena Valerevna
 
акция день птиц средняя группа №3 здание 3
акция день птиц средняя группа №3 здание 3акция день птиц средняя группа №3 здание 3
акция день птиц средняя группа №3 здание 3Elena Valerevna
 
презентация 1 мл группа 8 марта
презентация 1 мл группа 8 мартапрезентация 1 мл группа 8 марта
презентация 1 мл группа 8 мартаElena Valerevna
 
День открытых дверей
День открытых дверейДень открытых дверей
День открытых дверейElena Valerevna
 

Mais conteúdo relacionado

Mais procurados

Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Aggregage
 
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Emily Millard Murphy
 
December 2007 Document Recognition Technology Overview Presentation
December 2007 Document Recognition Technology Overview PresentationDecember 2007 Document Recognition Technology Overview Presentation
December 2007 Document Recognition Technology Overview PresentationJohn Wang
 
QRev Market Pitch - Hypermarkets
QRev Market Pitch - HypermarketsQRev Market Pitch - Hypermarkets
QRev Market Pitch - HypermarketsZahid Shaikh
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseDESMOND YUEN
 
Unified Payment Interface
Unified Payment InterfaceUnified Payment Interface
Unified Payment InterfaceAkash Chandra
 

Mais procurados (8)

Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
 
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
Supply Chain Visibility: Parts Town - An O2C Journey from Manual Processing t...
 
December 2007 Document Recognition Technology Overview Presentation
December 2007 Document Recognition Technology Overview PresentationDecember 2007 Document Recognition Technology Overview Presentation
December 2007 Document Recognition Technology Overview Presentation
 
QRev Market Pitch - Hypermarkets
QRev Market Pitch - HypermarketsQRev Market Pitch - Hypermarkets
QRev Market Pitch - Hypermarkets
 
Mobile payment-security-risk-and-response
Mobile payment-security-risk-and-responseMobile payment-security-risk-and-response
Mobile payment-security-risk-and-response
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
Unified Payment Interface
Unified Payment InterfaceUnified Payment Interface
Unified Payment Interface
 
Mobile payment solution
Mobile payment solutionMobile payment solution
Mobile payment solution
 

Destaque

праздник 8 марта средняя группа №8 здание 5
праздник 8 марта средняя группа №8 здание 5праздник 8 марта средняя группа №8 здание 5
праздник 8 марта средняя группа №8 здание 5Elena Valerevna
 
подготовительная группа. Здание №3
подготовительная группа. Здание №3подготовительная группа. Здание №3
подготовительная группа. Здание №3Elena Valerevna
 
день птиц группа № 5
день птиц группа № 5день птиц группа № 5
день птиц группа № 5Elena Valerevna
 
осенние праздники здание3
осенние праздники здание3осенние праздники здание3
осенние праздники здание3Elena Valerevna
 
день птиц старшая группа №7 здание №5
день птиц старшая группа №7 здание №5день птиц старшая группа №7 здание №5
день птиц старшая группа №7 здание №5Elena Valerevna
 
день здоровья 7.04.14г
день здоровья 7.04.14гдень здоровья 7.04.14г
день здоровья 7.04.14гElena Valerevna
 
акция день птиц средняя группа №3 здание 3
акция день птиц средняя группа №3 здание 3акция день птиц средняя группа №3 здание 3
акция день птиц средняя группа №3 здание 3Elena Valerevna
 
презентация 1 мл группа 8 марта
презентация 1 мл группа 8 мартапрезентация 1 мл группа 8 марта
презентация 1 мл группа 8 мартаElena Valerevna
 
День открытых дверей
День открытых дверейДень открытых дверей
День открытых дверейElena Valerevna
 
как мы провели лето 2014
как мы провели лето 2014как мы провели лето 2014
как мы провели лето 2014Elena Valerevna
 
Выступление А.А. Антиповой
Выступление А.А. АнтиповойВыступление А.А. Антиповой
Выступление А.А. АнтиповойElena Valerevna
 
день здоровья 7.04.14г
день здоровья 7.04.14гдень здоровья 7.04.14г
день здоровья 7.04.14гElena Valerevna
 
педсовет «компетентности детей, комплекс личных качеств и навыков социальног...
педсовет «компетентности детей, комплекс личных качеств и навыков социальног...педсовет «компетентности детей, комплекс личных качеств и навыков социальног...
педсовет «компетентности детей, комплекс личных качеств и навыков социальног...Elena Valerevna
 
Practica porfe agustin eliminar y grabar
Practica porfe agustin eliminar y grabarPractica porfe agustin eliminar y grabar
Practica porfe agustin eliminar y grabarElizita Aguila Peralta
 

Destaque (20)

праздник 8 марта средняя группа №8 здание 5
праздник 8 марта средняя группа №8 здание 5праздник 8 марта средняя группа №8 здание 5
праздник 8 марта средняя группа №8 здание 5
 
масленица
масленицамасленица
масленица
 
подготовительная группа. Здание №3
подготовительная группа. Здание №3подготовительная группа. Здание №3
подготовительная группа. Здание №3
 
день птиц группа № 5
день птиц группа № 5день птиц группа № 5
день птиц группа № 5
 
егэ
егэегэ
егэ
 
Арт-холл 2.10.14
Арт-холл 2.10.14Арт-холл 2.10.14
Арт-холл 2.10.14
 
осенние праздники здание3
осенние праздники здание3осенние праздники здание3
осенние праздники здание3
 
пдд 15 апреля
пдд 15 апреляпдд 15 апреля
пдд 15 апреля
 
8 марта
8 марта 8 марта
8 марта
 
день птиц старшая группа №7 здание №5
день птиц старшая группа №7 здание №5день птиц старшая группа №7 здание №5
день птиц старшая группа №7 здание №5
 
день здоровья 7.04.14г
день здоровья 7.04.14гдень здоровья 7.04.14г
день здоровья 7.04.14г
 
акция день птиц средняя группа №3 здание 3
акция день птиц средняя группа №3 здание 3акция день птиц средняя группа №3 здание 3
акция день птиц средняя группа №3 здание 3
 
презентация 1 мл группа 8 марта
презентация 1 мл группа 8 мартапрезентация 1 мл группа 8 марта
презентация 1 мл группа 8 марта
 
День открытых дверей
День открытых дверейДень открытых дверей
День открытых дверей
 
как мы провели лето 2014
как мы провели лето 2014как мы провели лето 2014
как мы провели лето 2014
 
Выступление А.А. Антиповой
Выступление А.А. АнтиповойВыступление А.А. Антиповой
Выступление А.А. Антиповой
 
день здоровья 7.04.14г
день здоровья 7.04.14гдень здоровья 7.04.14г
день здоровья 7.04.14г
 
педсовет «компетентности детей, комплекс личных качеств и навыков социальног...
педсовет «компетентности детей, комплекс личных качеств и навыков социальног...педсовет «компетентности детей, комплекс личных качеств и навыков социальног...
педсовет «компетентности детей, комплекс личных качеств и навыков социальног...
 
2014
20142014
2014
 
Practica porfe agustin eliminar y grabar
Practica porfe agustin eliminar y grabarPractica porfe agustin eliminar y grabar
Practica porfe agustin eliminar y grabar
 

Semelhante a PCI Version Three and Thee

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI complianceJisc
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsNetSquared Vancouver
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI WonderlandMichele Chubirka
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
apidays New York 2023 - Embedded Payments in B2B and B2C use cases, Adrita Bh...
apidays New York 2023 - Embedded Payments in B2B and B2C use cases, Adrita Bh...apidays New York 2023 - Embedded Payments in B2B and B2C use cases, Adrita Bh...
apidays New York 2023 - Embedded Payments in B2B and B2C use cases, Adrita Bh...apidays
 
PayU's Digital Transformation: Transparency from Dev to Prod, Monitoring Micr...
PayU's Digital Transformation: Transparency from Dev to Prod, Monitoring Micr...PayU's Digital Transformation: Transparency from Dev to Prod, Monitoring Micr...
PayU's Digital Transformation: Transparency from Dev to Prod, Monitoring Micr...AppDynamics
 
Hdfc case presentation
Hdfc case presentationHdfc case presentation
Hdfc case presentationRohit Patidar
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should careSean D. Goodwin
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
PayU Biz Product Deck (1)
PayU Biz Product Deck (1)PayU Biz Product Deck (1)
PayU Biz Product Deck (1)ICICI Bank
 
EMV Payments: Changes at the Point of Sale
EMV Payments: Changes at the Point of SaleEMV Payments: Changes at the Point of Sale
EMV Payments: Changes at the Point of Sale- Mark - Fullbright
 
Self-Checkout for Restaurants / AI Restaurants (2024-02)
Self-Checkout for Restaurants / AI Restaurants (2024-02)Self-Checkout for Restaurants / AI Restaurants (2024-02)
Self-Checkout for Restaurants / AI Restaurants (2024-02)byteLAKE
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
PayNet Mobile Banking Introduction 2017
PayNet Mobile Banking Introduction 2017PayNet Mobile Banking Introduction 2017
PayNet Mobile Banking Introduction 2017Tushar Belwal
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 

Semelhante a PCI Version Three and Thee (20)

Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profits
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
apidays New York 2023 - Embedded Payments in B2B and B2C use cases, Adrita Bh...
apidays New York 2023 - Embedded Payments in B2B and B2C use cases, Adrita Bh...apidays New York 2023 - Embedded Payments in B2B and B2C use cases, Adrita Bh...
apidays New York 2023 - Embedded Payments in B2B and B2C use cases, Adrita Bh...
 
PayU's Digital Transformation: Transparency from Dev to Prod, Monitoring Micr...
PayU's Digital Transformation: Transparency from Dev to Prod, Monitoring Micr...PayU's Digital Transformation: Transparency from Dev to Prod, Monitoring Micr...
PayU's Digital Transformation: Transparency from Dev to Prod, Monitoring Micr...
 
Hdfc case presentation
Hdfc case presentationHdfc case presentation
Hdfc case presentation
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
PayU Biz Product Deck (1)
PayU Biz Product Deck (1)PayU Biz Product Deck (1)
PayU Biz Product Deck (1)
 
PCI Compliance Process
PCI Compliance ProcessPCI Compliance Process
PCI Compliance Process
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
EMV Payments: Changes at the Point of Sale
EMV Payments: Changes at the Point of SaleEMV Payments: Changes at the Point of Sale
EMV Payments: Changes at the Point of Sale
 
Self-Checkout for Restaurants / AI Restaurants (2024-02)
Self-Checkout for Restaurants / AI Restaurants (2024-02)Self-Checkout for Restaurants / AI Restaurants (2024-02)
Self-Checkout for Restaurants / AI Restaurants (2024-02)
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PayNet Mobile Banking Introduction 2017
PayNet Mobile Banking Introduction 2017PayNet Mobile Banking Introduction 2017
PayNet Mobile Banking Introduction 2017
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
qr code (1).pptx
qr code (1).pptxqr code (1).pptx
qr code (1).pptx
 

Último

Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
HONOR Veterans Event Keynote by Michael Hawkins
HONOR Veterans Event Keynote by Michael HawkinsHONOR Veterans Event Keynote by Michael Hawkins
HONOR Veterans Event Keynote by Michael HawkinsMichael W. Hawkins
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsP&CO
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANA DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyEthan lee
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 

Último (20)

Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
HONOR Veterans Event Keynote by Michael Hawkins
HONOR Veterans Event Keynote by Michael HawkinsHONOR Veterans Event Keynote by Michael Hawkins
HONOR Veterans Event Keynote by Michael Hawkins
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANA DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 

PCI Version Three and Thee

  • 1.
  • 2. Why PCI! •  In August 2012 an employee of the South Carolina Department of Revenue opened an email enabling a malware attack.! – Employee’s credentials were lifted.! – Miscreants used credentials in remote login! •  75GB of backups exfiltrated in September! •  Income tax returns of every SC citizen exposing SSNs, bank account numbers, etc.! •  CC numbers exfiltrated but not exposed.!
  • 4. The Acronyms! •  Payment Card Industry—the brands! •  Data Security Standard has requirements! – Self Assessment Questionnaires have fewer! •  Approved Scanning Vendor—external scans! •  Qualified Security Assessor—test and report! – Internal Security Assessor—home grown! •  Report On Compliance—requirements met?! – Attestation Of Compliance—cross my heart! •  Payment Application-DSS—e.g. point of sale!
  • 5. ATM  Security  Guidelines   Mobile  Payment  Acceptance  Security  Guidelines  for  Developers  v1.0     Mobile  Payment  Acceptance  Security  Guidelines  for  Merchants  v1.0     PCI  DSS  2.0  Cloud  CompuBng  Guidelines     PCI  DSS  2.0  eCommerce  Guidelines     PCI  DSS  2.0  Risk  Assessment  Guidelines     PCI  DSS  Applicability  in  an  EMV  Environment  Guidance  v1.0     PCI  DSS  TokenizaBon  Guidelines     PCI  DSS  v2.0  Wireless  Guidelines     PCI  DSS  VirtualizaBon  Guidelines  v2.0     ProtecBng  Telephone-­‐based  Payment  Card  Data     Requirement  11.3  PenetraBon  TesBng  v1.2     Requirement  6.6  ApplicaBon  Reviews  and  Web  ApplicaBon  Firewalls  Clarified  v1.2     Skimming  PrevenBon—Best  PracBces  for  Merchants   Understanding  the  SAQs  for  PCI  DSS  v3.0         Information Suppliments!
  • 6. What’s on the card
 Cardholder data (CHD) and SAD! •  Primary account number—PAN! •  Sensitive authentication data—SAD! – Encoded into the magnetic track! •  Card Verification Code 1—CVV1! – Encoded into “chip and PIN” cards—PIN! – Printed on the front or back on the card! •  CVV2! •  Expiration date! •  Cardholder name!
  • 7. Chiseled in STONE! ✽ —  Even  if  encrypted   ✽  SensiBve  AuthenBcaBon  Data   —  Even  if  it’s  sound   1 2 3 4
  • 8. Call Centers! No ! PCI standard calls for! a clean desk!
  • 9. Call Centers! •  No PCI standard calls for a clean desk.! –  Control physical media, e.g. paper, flash drive.! –  Restrict access to handheld devices.! •  Recordings of calls may hold CHD—encrypt.! •  But what about sensitive authentication data?! –  Avoid it by not collecting CVV2 et al, or pause recording, or connect caller to Interactive Voice Response (IVR) system; or,! –  Deploy a compensating control.! •  Protecting Telephone-based Payment Card Data!
  • 10. What is a compensating control?
 1 of 2! •  Described when the deployed controls are not those specified in the requirement.! •  For each compensating control one must:! – state the technical or business reason compliance to the requirement as written is not possible;! – describe what the original control was supposed to do and what the compensating control does;! – Identify risk cause by lack of original control;!
  • 11. What is a compensating control?
 2 of 2! – Describe the control and how it addresses the requirement and any increased risk;! – The QSA must describe how the control was tested to validate; and,! –  Describe how will the control be maintained.! •  A compensating control cannot be one that is already mandated for the asset.! – e.g. integrity checking on the server which doesn’t have anti-malware software installed.!
  • 12. Electronic Commerce! •  No physical presence so you don’t worry about point-of-sale systems, skimmers, or track data.! •  Instead, you’re on the friendly Internet using hardy web browsers and servers.!
  • 13. Store, process, and transmit! •  Your web server talks to your customer to take order and collect CHD for payment.! •  To make purchases “easier” for your customer, you save the CHD, but not SAD, for subsequent purchases.! •  You communicate with your processor to authenticate account and then make the charge.! •  You have a lot of explaining to do.!
  • 14. Your applications! •  May be bespoke—customized to your business by you or third party.! – This application must be evaluated by the QSA.! •  May be purchased commodity software.! – Purchase PCI-certified Payment Applications and follow Implementation Guide.! – If not, QSA must evaluate.! •  May be a mélange, e.g. your web services fronting purchased shopping cart software.!
  • 15. Over there for payment please! What if I get someone else to accept the CHD and process the charge?! I never see CHD.! Do I still have to be PCI compliant? !
  • 16. That depends! •  The PCI DSS 2.0 eCommerce Guidelines describes several scenarios.! – Shared Management! •  Direct Post! •  iFrame! •  Redirect! – Wholly outsourced! •  A new SAQ, A-EP, is available for version 3!
  • 17. Embedded APIs with Direct Post! •  Use processor-provided APIs to plug code into customer’s browser window.! •  When data is entered into payment fields, it is sent directly to the processor, not to the merchant.! •  Merchant must ensure that that its website is not compromised.!
  • 18. Inline iFrames! •  Processor’s web page is embedded within the web page of the merchant.! •  Data entered into iFrame is sent directly to the processor and not seen by the merchant.! •  Compromise of merchant website may result in a compromise of iFrame.!
  • 19. Hosted-payment page! •  Merchant’s page contains link to payment processor website.! •  Customer is redirected to that site to enter payment information.! •  If the merchant webpage is compromised, the customer could be redirected to a bad-guy site to enter CHD.!
  • 20. Wholly outsourced! •  Customer connects directly to third-party site for all functions, including payment.! – Merchant can login to manage store content.! •  This is also a good solution for those businesses who collect payment information over the phone.! – The CSR connects directly to the customer or to the card processor to enter CHD and amount to be charged.!
  • 22. Version 3.0 ! •  Three year development cycle! •  Available for compliance in 2014! •  Mandatory for compliance beginning 2015!
  • 23. What did they want to fix! •  Divergent interpretations of the standard! •  Weak or default passwords! •  Slow detection of compromise! •  Security problems introduced by 3rd parties! •  and various other areas!
  • 24. Highlights! •  The twelve steps…errr…requirements remain! •  Some sub-requirements added! •  Policy and procedure requirements proximate to items each policy and procedure addresses! •  Descriptions of tests are more precise! –  Aligned language of requirement and test ! –  Clarified what to do to verify compliance! •  More rigor in determining scope of assessment! •  More guidance on log reviews! •  More rigorous penetration testing!
  • 25. No hiding documentation sins! •  Version 2 aggregates all policy and procedure requirements in one location.! – 12.1.1 Verify that the [security] policy addresses all PCI DSS requirements. ! – 12.2 Verify that [daily operational security procedures] are consistent with this specification, and include administrative and technical procedures for each of the requirements.! •  Difficult to detect requirements not covered.!
  • 26. Moved to relevant locations! – 1.5 managing firewalls are . ! – 2.5 managing vendor defaults and other security parameters are ! – 3.7 protecting stored cardholder data are – 8.8 identification and authentication are ! – 10.8 monitoring all access to network resources and cardholder data are !
  • 27. Eschew Ambiguity! •  Too much variance in interpretation among QSAs! – Clients get different interpretations.! – PCI Counsel’s Quality Control sees too much 
 variance in the Reports on Compliance (ROC).! •  Version 3 removes ambiguities in the specification that result in inconsistent interpretations of a requirement.!
  • 28. Guidance for each requirement!
  • 29. V2 ROC Reporting Instructions!
  • 30. V3 Report on Compliance Template!
  • 31. Version 3 SAQs! •  Format and content changes! – Expected Testing, a new column ! – the Special column has been replaced with Yes with CCW (compensating control worksheet) and N/A! – sections reorganized to ensure that an entity’s attestation encompasses all elements of the SAQ and AOC! •  eligibility for, and requirements within, each SAQ have been revised!
  • 32. There’s some new SAQs in town! •  A-EP! e-commerce merchants who outsource all payment processing to 3rd parties, using a website that doesn’t directly receive cardholder data but that can impact the security of the payment transaction! •  A-IP! merchants using only standalone, 
 PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage !
  • 33.
  • 35. New authentication requirement! •  If you use identical credentials to authenticate yourself to all your customers…! •  …a compromise of one of those customers exposes all the other customers.! •  New Requirement 8.5.1! Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential for each customer. !
  • 36. Division of labor with 3rd party! •  New requirement, 12.8.5, mandates that the assessed entity is aware of which DSS requirements are managed by the service provider and which are managed by the entity.! •  How this division is documented and agreed between the assessed entity and the service provider is not specified.!
  • 37. Service Provider Responsibility1 of 2! New requirement,12.9, mandates that Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of
 the customer, or to the
 extent that they could
 impact the security
 of the customer’s CDE.!
  • 38. Service Provider Responsibility2 of 2! •  The exact wording of that acknowledgement will depend on:! – the agreement between the two parties;! – the details of the service being provided; and,! – the responsibilities assigned to each party.! •  The acknowledgement does not have to include the exact wording provided in this requirement.! •  Get your lawyers involved!
  • 39. Service Provider Responsibility2 of 2! •  The exact wording of that acknowledgement will depend on:! – the agreement between the two parties;! – the details of the service being provided; and,! – the responsibilities assigned to each party.! •  The acknowledgement does not have to include the exact wording provided in this requirement.! •  Get your lawyers involved!
  • 40.
  • 41. They’re getting serious about the CDE! Clause 3.1.1 of the ROC requires documentation of how the assessor validated the accuracy of the PCI DSS scope by describing:! –  The methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to identify and document all existences of cardholder data.! –  The methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to verify that no cardholder data exists outside of the CDE scope defined for this assessment.! –  How the results of the methods/processes were evaluated to verify that PCI DSS scope is appropriate.! –  How the results of the methods/processes were documented (e.g. the results may be a diagram or an inventory of cardholder data locations).! –  Why the methods used for scope verification are considered by the assessor to be effective and accurate.! –  Provide the name of the assessor who attests that the scope of the assessment has been verified to be accurate and appropriate.!
  • 42. A Penetration Test Methodology! •  Based on industry-accepted approaches,
 e.g. NIST SP800-115! •  A new clause 11.3! –  Test entire perimeter of CDE & all critical systems! –  Validate all scope-reduction controls—segmentation! –  Test from inside and from outside of the network! –  Test network-function components and OSs! –  As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5!
  • 43. Those vulnerabilities are! •  Injection flaws, particularly SQL injection. ! •  Buffer overflow ! •  Insecure cryptographic storage ! •  Insecure communications ! •  Improper error handling ! •  Cross-site scripting (XSS) ! •  Improper Access Control, ! •  Cross-site request forgery (CSRF)! •  Broken authentication and session management. !
  • 44. If you develop! •  Requirement 6.5 mandates that programmers of internally-developed and bespoke applications must be trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. ! •  The QSA must identify the records of training that were examined to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. !
  • 45. Authentication! •  Requirement 8.2–6 text recognizes methods other than password, e.g. passphrases or certificates! –  Authentication credentials! •  Minimum password length is still 7 characters! –  “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”! •  A service provider must use a different password for each of its clients.!
  • 46. Quicker detection of compromise! •  Deploy a integrity change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files ! – configure the software to perform critical file comparisons at least weekly. !
  • 47. Quicker detection of compromise! •  Deploy a integrity change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files ! –  configure the software to perform critical file coparison at least weekly. ! •  New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism. !
  • 48. How much work is this?! •  Greater effort to move from 2.0 to 3.0 than from 1.2 to 2.0! •  PCI compliance should be continuous! – No frantic preparation before the arrival of the auditors and a round of drinks after they leave.! •  More stringent testing procedures may find that previously compliant elements are now non-compliant.!
  • 49. Some new requirements need not be in place until 30 June 2015! –  6.5.11 Broken Authentication and Session Management ! –  8.5.1 Use of unique authentication credentials for each client of a service provider.! –  9.9 Protect POS from physical tampering! –  11.3 Penetration test methodology! –  12.9 Written acknowledgement of 3rd party responsibilities and compliance! Some breathing room!
  • 50. If your organization…! •  practices good information governance such that it is aware of what types of data it has and where it stores, processes, and sends that data;! •  properly protects access to its information and its processes; and,! •  defines appropriate policies implemented by self-documenting processes that not only comply with PCI requirements but also create easily discoverable evidence that compliance was continuous throughout the year; then!
  • 51. Not only do you have…! A good security and risk posture!   You should be compliant with little additional effort.!  
  • 52. One more thing! •  Organizations often spend much effort to reduce the portion of the enterprise that will be subject to PCI DSS audit.! •  The effort to protect CHD and SAD within the CDE should also be applied to PII throughout the entire enterprise.! •  Had South Carolina done so, it’s likely no PII would have been exposed. ! •  A tugboat may lead us to the answer. !
  • 53. The T. J. Hooper! •  Towed barges and cargo lost in storm! •  Cargo owners sue claiming negligence! – Radio was a readily available technology! – Couldn’t receive broadcasts warning of storm! •  No other tugboat operators had radios— !the standard of care for the industry! •  In a landmark decision Judge Learned Hand found the tugboat owners liable!
  • 54. “Indeed  in  most  cases  reasonable  prudence  is  in   fact  common  prudence,  but  strictly  it  is  never  its   measure.  A  whole  calling  may  have  unduly   lagged  in  the  adopBon  of  new  and  available   devices…Courts  must  in  the  end  say  what  is   required.  There  are  precauBons  so  imperaBve   that  even  their  universal  disregard  will  not   excuse  their  omission.”                                  —Judge  Learned  Hand,  1932      
  • 55. Custom is not based merely on old standards. It also must be based on adapting to new technology. The duty of care is a relative concept that changes.
  • 56. ?Hoyt  L.  Kesterson  II   Senior  Security  Architect   hoyt.kesterson@tvrms.com   602  316  1985   Scobsdale,  Arizona