Get PCI Compliant - Martin Gronow direct
1. How to tackle the PCI Issue
Corporate Presentation
Grand Connaught Rooms – 1st May 2012
Martin Gronow – Product Line Manager – TTB
Peter Jackson – Head of Risk Consultancy Group - IRM
2. IRM Key Facts & Background
Background
• Founded in 1998 to provide assurance services to FTSE 250 companies
  • Technical Assurance
  • Network Security
  • Data forensics
• Joined CESG CHECK Scheme in 2001
• Joined PCI DSS Scheme in 2005
• Progressed into business risk consulting
• Standards
  • Defined CREST standards for network forensics
• Virtual team supplier to MoD and GCHQ
Service Portfolio
• PCI DSS Services
• Security Risk Assessment
• Security Management
• Technical Assurance
• Network forensics managed services
• Security Management Services
Managed Services
• Compliance
• NetFACTS
• OmniPORT
“IRM has worked extremely hard to be flexible to meet our changing demands and requirements. They are our security partner of choice” CISO, Cable & Wireless Worldwide
Information Risk Management Plc
3rd Floor Winchester House | 259 – 269 Old Marylebone Road | London NW1 5RA | UK Tel +44 (0)20 7808 6420 | Fax +44 (0)20 7808 6421
3. Our Capability
Certifications
CLAS and CHECK (Team Leader/ Team Member)
PCI QSA / QFI
CISCO CCSP
CHECKPOINT CCSA / CCSE
CISA / CISM
SANS GIAC CHTQ
OSSTMM OPST / OPSA / Trainer
GSEC
Lead Auditor ISO 27001
MBCS
MSc
EnCe
CISMP
ISC (2) CISSP
“IRM’s consultants are active within the security industry and sit on various panels and have been instrumental in establishing bodies such as CREST.”
Consultants background checked prior to employment
Consultants are cleared up to DV as required
Information Risk Management Plc
Security, Privacy, Trust
4. Example Clients & Frameworks
info@irmplc.com http://www.irmplc.com
IRM is a company registered in England with Company Number 3612719.
5. Requirement For PCI
Fines for non-compliance can include the following:
• Fines of $500,000 per data security incident
• Fines of $50,000 per day for non-compliance with published standards
• Liability for all fraud losses incurred from compromised account numbers
• Liability for the cost of re-issuing cards associated with the compromise
• Suspension of merchant accounts
6. What is PCI DSS?
Stands for Payment Card Industry Data Security Standard.
Purpose – protecting cardholder data to help prevent fraud.
Scope – any business that stores, processes or transmits cardholder data, including taking payments over the phone. If these calls are recorded they become subject to PCI DSS.
Its requirement is the removal of the sensitive authentication data as per the table below. Violation is subject to fines.
CARDHOLDER DATA (data must be encrypted, or not stored)
• Primary Account Number (PAN)
• Cardholder name
• Service Code
• Expiration Date
SENSITIVE AUTHENTICATION DATA (must not be stored)
• Full Magnetic Stripe Data
• CAV2/CVC2/CVV2/CID
• PIN/PIN Block
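As an added illustration of the table above (example code, not part of the original deck), a small Python redactor for a recorded-call transcript: any Luhn-valid PAN is masked to first six and last four digits, a spoken CVV2/CVC2/CID is removed entirely, and the expiry date, which the table allows to be stored, is left intact. The transcript, the field names and the card number are constructed test values.

```python
import re

# Constructed sample of what a recorded phone order might transcribe to.
# The card number is a synthetic, Luhn-valid test value, not a real account.
TRANSCRIPT = (
    "Agent: card number please. Caller: 4111 1111 1111 1111, "
    "expiry 12/26, security code 123. Agent: thank you."
)

# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# CVV2-style codes are usually spoken right after a cue word; capture 3-4 digits.
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|security code)\D{0,5}(\d{3,4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, mask the rest (PAN may be stored masked)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str):
    """Return (storable transcript, counts of PANs masked and CVVs removed)."""
    findings = {"pan": 0, "cvv": 0}

    def _pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, leave the text alone
        findings["pan"] += 1
        return mask_pan(digits)

    def _cvv(m):
        findings["cvv"] += 1    # sensitive authentication data: drop it entirely
        return m.group(0)[: m.start(1) - m.start(0)] + "[REDACTED]"

    text = PAN_RE.sub(_pan, text)
    text = CVV_RE.sub(_cvv, text)
    return text, findings
```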
7. PCI Enforcement
Merchants are classified according to the number of transactions processed.
• Level 4 – Any merchant processing <20k or up to 1m Visa or MasterCard transactions per year
• Level 3 – Any eCommerce merchant processing up to 1m Visa or MasterCard transactions per year
• Level 2 – Any merchant processing 1m-6m Visa or MasterCard transactions per year
• Level 1 – Any merchant processing over 6m MasterCard and Visa card transactions per year
8. Is PCI Mandatory?
• Yes – PCI compliance is a contractual obligation
• Visa/Mastercard require all Merchants & Service providers to be validated against PCI DSS V2.0
• Smaller merchants are not required to explicitly validate compliance, but…
• Non-compliance may trigger penalties and/or fines in the event of a breach
• Data breaches can be subject to Data Protection laws
• The Information Commissioner's Office regards compliance with PCI as basic best practice
9. Product/Proposition Overview
The one big thing:
Cloud-based Hosted call recording solution
- Designed specifically to help customers meet PCI DSS
- Delivered with minimal cost, effort or disruption
The next big thing:
Hosted Call Recording PCI helps Prevent fraud.
- Removes sensitive information from vulnerable areas
- Live Agent telephone ordering
Simple but flexible:
- No complex integration
- Ideal for Remote workers or 3rd party Call Handling
- Disaster Recovery solution
10. Benefits of Hosted Call Recording
Pay as you go service
No Set-up fees or capital investment
- No Maintenance or Upgrade costs
- Simple monthly charge
No capacity worries
Calls automatically recorded as they transit the network
- Record inbound, outbound or both
- No line or equipment limits
- Store for 1 day, 100 days or forever
Simple but flexible:
- Recordings stored at multiple locations
- Secure retrieval interface
- Ideal for Remote workers or 3rd party Call Handling
Editor's Notes
Non-compliance brings about fines and penalties from the payment card industry and providers. Banks have been seizing money from client accounts for payment of fines. In the event of a breach customers are required to hire a forensic investigation team from a list of approved firms.
Developed by the PCI Standards Council, a self-regulated group comprising the global payment brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Its purpose is protecting cardholder data to help prevent fraud. There are 12 principal controls which have been defined. Link to PCI website. Its scope covers all entities that store, process or transmit cardholder data, including businesses accepting payment over the phone. If these calls are recorded they become subject to PCI DSS. Its requirement is the removal of the sensitive authentication data as per the table below. Violation is subject to fines.
From 1st October 2010 it became mandatory for Levels 1 & 2 to be compliant. It is not yet mandatory for Levels 3 & 4, although penalties could be enforced at all Levels. Penalties can vary dependent on the card issuer and the Merchant Level. However, a publicised guideline is as follows:
• Fines at the rate of €5 per compromised account
• A breach fee in excess of €100,000 per incident
• Possible restrictions on the merchant
• Permanent prohibition of the merchant’s participation in Visa and MasterCard programs
Beyond compliance, business risks relative to brand, customer loyalty and company valuation exist.
is not a legal or regulatory requirement. Data breaches of personal data are subject to Data Protection laws (£500k limit).
• Stop start compatible with most phone systems
• No complex integration – can be applied to inbound (NGN/IVR) or outbound (CPS/LLU)
• Ideal for companies using Remote workers or 3rd parties
• Can be used as part of a Disaster Recovery solution
• Supplementing Premises Based systems
Records all calls, including IVR and transfers. Scales as your business grows.