16. Level 1 – Large Retail Merchants

    Validation Action                            | Validated By                                                                      | Due Date
    Annual On-site PCI Data Security Assessment  | Qualified Data Security Company, or Internal Audit if signed by an Officer of the Company | 9/30/2004
    Quarterly Network Scan                       | Qualified Independent Scan Vendor                                                 | New Level 1 merchants have up to one year from identification to validate
18. Level 2 – Mid/Large Merchants

    Validation Action                              | Validated By                       | Due Date
    Annual On-site PCI Self-Assessment Questionnaire | Merchant                         | Current
    Quarterly Network Scan                         | Qualified Independent Scan Vendor  | New Level 2 merchants: 9/30/2007
20. Level 3 – Mid/Low Merchants

    Validation Action                          | Validated By                       | Due Date
    Annual On-site Self-Assessment Questionnaire | Merchant                         | Current
    Quarterly Network Scan                     | Qualified Independent Scan Vendor  | 6/30/2005
22. Level 4* – Small Merchants

    Validation Action                              | Validated By                       | Due Date
    Annual On-site PCI Self-Assessment Questionnaire | Merchant                         | Current
    Quarterly Network Scan                         | Qualified Independent Scan Vendor  | Validation requirements and dates are determined by the merchant's acquirer

    *The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.
35. Case Study: The POS System (diagram only; labelled nodes: Attacker, Retail Store, Processor, Corporate, Internet)
36. Compromise Statistics: Industry. SpiderLabs data is gathered from more than 140 card compromise cases. The Food Service industry represents the majority of the compromises. (Chart: Cases By Industry)
37. Compromise Statistics: Acceptance. About 4 out of every 5 cases are in a traditional Brick and Mortar environment. Card Present merchants are not aware of these risks! (Chart: Cases by Card Acceptance)
38. Compromise Statistics: System Type. The majority of the cases involved a compromise of a software-based POS system. None of these systems were Visa PABP or PCI DSS compliant. (Chart: Cases By System Type)
39. Compromise Statistics: Connectivity. All Internet connectivity should be considered high risk. SpiderLabs has tracked a trend of migration from T1 and Dial-Up to DSL/Cable. (Chart: Cases By Connectivity)
40. Compromise Statistics: Error (Merchant Error vs. 3rd Party Error). Half of the compromises were caused by a fault in the service provided by a 3rd party to a merchant. POS developers, integrators and IT firms are not following PCI DSS and are leaving merchants at risk!
41. Compromise Statistics: Track Data. Track Data storage is never permitted in any environment post-authorization. Non-compliant software packages are storing Track Data, and the merchants did not know until it was too late! (Chart: Brick and Mortar Cases w/ Track Data Storage)
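The slide's point is that merchants only discover stored track data after a breach, so a practitioner wants a way to find it first. The script below is an added example, not part of the SpiderLabs deck: it scans constructed sample lines (a hypothetical POS debug log) for magnetic-stripe Track 1 and Track 2 layouts, applies the Luhn check to suppress random digit strings, and reports only a masked PAN so the scan output itself does not become a new store of cardholder data. The PAN 4111111111111111 is a well-known test number; every other value is made up for the example.

```python
import re

# Constructed sample: lines a non-compliant POS package might write to a
# debug log after authorization. Uses the Visa test PAN 4111111111111111
# and one non-Luhn decoy; nothing here is real cardholder data.
SAMPLE_LINES = [
    "2007-03-01 12:00:01 AUTH ok txn=1001 amount=12.50",
    "2007-03-01 12:00:02 DEBUG raw=;4111111111111111=0812101123456789?",
    "2007-03-01 12:00:03 DEBUG raw=%B4111111111111111^DOE/JOHN^0812101000000?",
    "2007-03-01 12:00:04 DEBUG raw=;1234567890123456=0812101123456789?",
    "2007-03-01 12:00:05 AUTH ok txn=1002 amount=7.00",
]

# Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry, 3-digit
# service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
# Track 1 (format B): '%B', PAN, '^', name, '^', YYMM expiry, service code.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the usual display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(lines):
    """Return one finding per Luhn-valid track record found in `lines`."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for track, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
            for m in rx.finditer(line):
                pan = m.group("pan")
                if not luhn_ok(pan):      # drop random digit runs that merely look like a PAN
                    continue
                findings.append({
                    "line": lineno,
                    "track": track,
                    "pan": mask_pan(pan),
                    "expiry": m.group("exp"),
                    "service_code": m.group("svc"),
                })
    return findings


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LINES):
        print(f"line {f['line']}: {f['track']} record, PAN {f['pan']}, exp {f['expiry']}")
```

Run it against real log directories by feeding file contents into `find_track_data`; any hit is a PCI DSS Requirement 3 violation to escalate to the software vendor, since post-authorization track data must not exist at all. The Luhn filter reduces noise but does not make the detector exhaustive: encoded or split records will be missed, so treat it as a first sweep rather than proof of absence.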
42. Compromise Statistics: PCI DSS Violations. Most common "Not In-Place" requirements:
    Requirement 1: Install and maintain a firewall to protect data
    Requirement 3: Protect stored data
    Requirement 6: Develop and maintain secure systems and applications
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 10: Track and monitor all access to network and card data
    Requirement 11: Regularly test security systems and processes
44. Compromise Statistics: Riskiest Merchant. Profile of the merchant with the greatest compromise potential:
    Industry: Food Service
    Payment Acceptance: Card Present
    System Type: Non-Compliant Software POS
    Connectivity: DSL or Cable Modem
Editor's Notes
Can you change the title to "Thieves are trying to steal credit card data from your Merchants"? Can you add the word "Internet" in the first sentence? Can you change the 2nd sentence to "Professional thieves go dumpster diving for credit card thrown out by unsuspecting merchants"?
Under Install and Maintain a Firewall add: Dial-only terminals are not required to comply with this mandate. Dial-only POS systems with a connection to the Internet are required to comply with this standard. Under Protect Stored Data add: Databases and files stored on computer discs must be encrypted and access limited to trusted personnel. CDs, floppy disks, and removable disc drives containing credit card data must be encrypted and secured during storage.
Merchants must install and maintain updated anti-virus software on their computers and POS systems.
Should we say the merchant also pays for the cost of forensics and then explain what forensics is?
Make a note that the CCV Card Code is never allowed to be stored, or just remove it from the slide. Add Customer Card Number.