Jon Bonham, CISA, QSA Director, ERC

Presentation transcript:

PCI, What is it all about?
Jon Bonham, CISA, QSA, Director, ERC, JBonham@Coalfire.com
Fayetteville Fort Bragg

Agenda
- Introduction of Coalfire
- PCI 101
- Is it for the Business Office or IT Department
- Some changes that have an impact on schools
- Questions and Answers
- Contact Information

Coalfire Services

Coalfire Regional Offices Over 300 employees

About Coalfire
- QSA for the state of North Carolina: agencies, departments, colleges and universities are all set up on Coalfire's Navis platform for scans and SAQs.
- Coalfire has a division set up just to handle state and local government as well as higher education and large, diverse hospital systems.
- Coalfire successfully manages projects for small stand-alone colleges as well as large, diverse multi-campus university systems.
- Coalfire is a leader in PCI, HIPAA, FERPA, FISMA, GLBA and personal information auditing and assessments.
- Coalfire is vendor agnostic, so they don't care who you use for any hardware, software, managed services or card processing. They work for their customers as a trusted partner and advisor.

First Breach?

Where did this all start?
- In December of 2004, VISA and MasterCard aligned their programs under the banner PCI Data Security Standard (PCI DSS)
- American Express, Discover, JCB and Diners endorsed this new standard as well
- VISA initially managed and coordinated the PCI DSS
- Card brands created the PCI Security Standards Council (SSC) to assume management of the program
- PCI SSC is managed by Executive and Management Committees made up of senior representatives from the card brands
- End result: common security requirements for securing card data

Who Does What?
1. Develops standards
2. Establishes compliance requirements
3. Enforces requirements on merchants
4. Merchant

What you signed up for

We don’t want to just check a box

What are We Protecting?
- Primary Account Number (PAN)
- Cardholder Verification Number (CVN)
  - Visa/Discover's Card Verification Value (CVV)
  - Mastercard's Card Validation Code (CVC)
- Called Prohibited Data: cannot be retained after authorization
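Finding where these elements actually sit in logs, exports and databases is the first step of protecting them. The following is an added example, not part of the presentation or Coalfire's tooling: it scans constructed sample records for Luhn-valid PAN candidates, reports them truncated to the first six and last four digits, and flags any record that also stores a CVN field (the prohibited data the slide refers to). The field labels it recognises (cvv, cvc, cvn, cid) and the record layout are assumptions.

```python
"""Cardholder data discovery over plain-text records.

Added example (not from the presentation). Assumptions: input is
already plain text, and CVN values appear under labels such as
cvv=, cvc=, cvn= or cid=. Sample records below are constructed.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A stored verification code next to a recognisable label (assumed labels).
CVN_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cvn|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample records; 4111... and 5555... are well-known test PANs.
SAMPLE_RECORDS = [
    "2016-03-01 order=88213 pan=4111 1111 1111 1111 cvv=123 amount=42.00",
    "2016-03-01 order=88214 pan=5555555555554444 amount=10.00",
    "2016-03-01 order=1234567890123456 ref=20150928000124 amount=9.99",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation; filters out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_record(line: str) -> dict:
    """Return masked PANs found in one record and whether a CVN is stored."""
    pans = []
    for match in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            pans.append(mask_pan(digits))
    cvn_stored = CVN_FIELD.search(line) is not None
    # CVN retained after authorization is prohibited data regardless of encryption.
    return {"pans": pans, "cvn_stored": cvn_stored, "prohibited": cvn_stored}


def scan_records(records) -> list:
    """Scan many records; keep only those holding a PAN or a stored CVN."""
    findings = []
    for number, line in enumerate(records, start=1):
        result = scan_record(line)
        if result["pans"] or result["cvn_stored"]:
            findings.append({"record": number, **result})
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

The Luhn filter is what keeps a scan like this usable: the third constructed record contains two 14- to 16-digit numbers that look like PANs but fail the check and are not reported. Output is always masked, so the discovery report itself does not become a new store of cardholder data.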

What does this have to do with business?
- Income
- Easier
- No bounced checks
- The decision to take cards was made in the business office
- The contracts were signed by the business office
- The part in the contract about always being PCI compliant was signed by the business office

IT Department
- Install and configure the hardware and software
- Segment and maintain the network
- Monitor what is happening
- Implement changes
- Work with the business office, merchants and vendors to maintain a secure cardholder data environment

Just a thought or action isn’t enough.

Overkill

SAQ Validation Types

| SAQ Validation Type | Description | # of Questions v3.0 | Change from v2.0 | ASV Scan Required v3.0 | Penetration Test Required v3.0 |
|---|---|---|---|---|---|
| A | Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage | 14 | +1 | No | |
| A-EP | E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage | 139 | NEW | Yes | |
| B | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage | 41 | +12 | | |
| B-IP | Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage | 83 | | | |
| C | Merchants with payment application systems connected to the Internet: no e-commerce or electronic cardholder data storage | | +59 | | |
| C-VT | Merchants with web-based virtual payment terminals: no e-commerce or electronic cardholder data storage | 73 | +22 | | |
| D-MER | All other SAQ-eligible merchants | 326 | +38 | | |
| D-SP | SAQ-eligible service providers | 347 | | | |
| P2PE | Hardware payment terminals in a validated PCI P2PE solution only: no e-commerce or electronic cardholder data storage | 35 | | | |

The "Bucket" Approach: from this to this. [Diagram: many individual merchant IDs (MIDs), each validated on its own, are grouped into buckets of SAQ A's, SAQ B's and SAQ C's.]

PCI DSS 3.1: Goals
The PCI SSC is pushing the concept of ongoing or continuous compliance management:
- Monitoring of security controls
- Detect and respond to failures in security controls
- Review all changes to the environment
- Organization structure changes
- Periodic reviews
- Annual hardware/software review

Some of the new requirements to keep in mind:
- Dataflow diagrams
- Requirement 2.4: Inventory of all in-scope system components
- Requirement 5.1.2: Risk-based malware review for systems not commonly affected by malicious software
- Requirement 8.1.3.b: Termination processes must include all physical authentication methods in addition to systems

PCI DSS 3.1: New Requirements New requirement to maintain information about which PCI DSS requirements are managed by the service provider.

PCI DSS 3.1: Requirement(s) 9.9.x New (merchant) requirements to protect point-of-sale devices that capture payment card data from tampering or unauthorized modification or substitution.

PCI DSS 3.1 Requirement 11.3.x Expanded requirements/expectations for penetration testing controls.

PCI DSS 3.1 Requirement 12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data.

Questions about the changes?

Thanks for attending! Jon Bonham, CISA, QSA JBONHAM@COALFIRE.COM