PCI 3.1 Boot Camp Payment Card Industry Data Security Standards 3.1.

Presentation transcript:

PCI 3.1 Boot Camp Payment Card Industry Data Security Standards 3.1

PURPOSE
Why am I here?
PCI 3.1 Boot Camp - March 2016

Agenda
– PCI Importance
– SAQ Review
– Mitigation Plan for SSL/early TLS
– EMV vs P2PE

PCI Compliance Reset
Self-Assessment Questionnaire
– Start early
– Complete it accurately
– Cash Management is the central point of contact (POC)
– Use technical contacts and vendors
– Use HUIT Sec/NOC/SOC/Desktop Support
– Answer N/A or No only with compensating controls described
– Keep supporting documentation on file

PCI Compliance Reset
– External vulnerability scans are important
– Internal vulnerability scans or application scans must be done, if required
– Network diagrams of the CDE are to be submitted to Cash Management

PCI Compliance Reset
Documented local business policies
– Document current business processes
– Updated/reviewed annually
– Comply with the latest PCI standards
– Annual PCI awareness training for all staff

PCI Compliance Reset
Vendor service agreements
– Document which PCI DSS requirements are managed by each service provider and which are managed by the merchant.

SAQ Review
When to use SAQ A vs SAQ A-EP
– All processing of cardholder data is entirely outsourced to a PCI DSS validated 3rd-party service provider = SAQ A
– All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated 3rd-party payment processor = SAQ A-EP

SAQ Review
When to use SAQ A vs SAQ A-EP
– All elements of all payment pages delivered to the consumer's browser originate only and directly from a PCI DSS validated 3rd-party service provider = SAQ A
– Each element of the payment page delivered to the consumer's browser originates from either the merchant's website or a PCI DSS compliant service provider = SAQ A-EP

Examples of SAQ A Merchant
– Merchant has no access to their website, and the website is entirely hosted and managed by a compliant 3rd-party payment processor, OR
– Merchant website provides an iFrame or URL link to a PCI DSS compliant 3rd-party payment processor.

Examples of SAQ A-EP Merchant
– Merchant website creates the payment form and Direct Posts (SOAP) to the payment processor
– Merchant website loads or delivers a script that runs in the consumer's browser (e.g. JavaScript) and provides functionality that supports creation


SSL/Early TLS
– Requirement – Implement additional security features for any required services, protocols, or daemons that are considered to be insecure
– Requirement 2.3 – Encrypt all non-console administrative access using strong cryptography.
– Requirement 4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

Mitigating SSL and early TLS
Risk-mitigation controls
– Consolidate functions that use vulnerable protocols onto as few systems as possible
– Remove/disable web browsers, JavaScript and cookies where they are not needed
– Configure firewalls to permit SSL/early TLS only to known IP addresses
– Expand coverage of intrusion-protection systems
– Identify unusual increases in requests for fallback to vulnerable protocols
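A defender's illustration of the last two controls, added here and not part of the deck: it parses constructed TLS access-log lines (the "<timestamp> <client> <protocol> <cipher> <request>" layout is an assumption), counts handshakes on SSL/early TLS per minute and per client, and flags the minutes where legacy-protocol requests spike, which is the "unusual increase in requests for fallback" the slide asks you to identify.

```python
import re
from collections import Counter

# Protocol versions PCI DSS 3.1 classes as "SSL/early TLS" (no longer strong cryptography)
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}

# Assumed log layout: "<iso-timestamp> <client-ip> <protocol> <cipher> <request>"
LINE_RE = re.compile(
    r"^\S+T(?P<hh>\d\d):(?P<mm>\d\d):\d\d\S* (?P<ip>\S+) (?P<proto>\S+) \S+ .*$"
)

# Constructed sample lines: one client keeps falling back, then bursts on SSLv3 at 10:02
SAMPLE_LOG = """\
2016-03-14T10:00:01Z 203.0.113.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 GET /checkout
2016-03-14T10:00:02Z 203.0.113.6 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 GET /checkout
2016-03-14T10:00:03Z 198.51.100.9 TLSv1 AES128-SHA GET /checkout
2016-03-14T10:01:01Z 203.0.113.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 GET /checkout
2016-03-14T10:01:02Z 198.51.100.9 TLSv1 AES128-SHA GET /checkout
2016-03-14T10:02:01Z 198.51.100.9 SSLv3 RC4-SHA GET /checkout
2016-03-14T10:02:02Z 198.51.100.9 SSLv3 RC4-SHA GET /checkout
2016-03-14T10:02:03Z 198.51.100.9 SSLv3 RC4-SHA GET /checkout
2016-03-14T10:02:04Z 198.51.100.9 TLSv1 AES128-SHA GET /checkout
""".splitlines()

def parse(lines):
    """Yield (minute, client, protocol) for every line that matches the assumed layout."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield f"{m['hh']}:{m['mm']}", m["ip"], m["proto"]

def legacy_per_minute(lines):
    """Handshake count on SSL/early TLS per HH:MM bucket."""
    return Counter(minute for minute, _, proto in parse(lines) if proto in LEGACY)

def legacy_clients(lines):
    """Per-client count of SSL/early TLS handshakes, for the firewall allow-list review."""
    return Counter(ip for _, ip, proto in parse(lines) if proto in LEGACY)

def flag_spikes(counts, factor=2.0, floor=3):
    """Minutes whose legacy count is at least `floor` and above `factor` x the mean of the other minutes."""
    flagged = []
    for minute, n in sorted(counts.items()):
        others = [v for k, v in counts.items() if k != minute]
        baseline = sum(others) / len(others) if others else 0.0
        if n >= floor and n > factor * baseline:
            flagged.append(minute)
    return flagged
```

Any client that appears in `legacy_clients` but not on the firewall's known-IP list is a candidate for the next migration conversation, and flagged minutes are what an IPS rule or alert should be tuned against.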

EMV and P2PE
– Card-present merchants
– Point of Sale systems
– PCI validated hardware/software vendor
– Certified to BAMS

Benefits
– Removes CHD from the merchant environment
– Reduces PCI compliance scope
– Abbreviated SAQ (SAQ C to SAQ P2PE)
– Reduces chargebacks due to non-compliance with EMV implementation

Validating EMV and P2PE
– Clear the POS database of all card data regardless of encryption format
– Vendor Implementation Guide should be on file at Cash Management
– Test the VLAN between merchant and vendor
– Validate that the CDE does not extend into the merchant environment
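An added illustration of the first validation step, not code from the deck or from any vendor: a scan for Luhn-valid PANs hiding in POS table rows (the pipe-separated row layout and the rows themselves are constructed, using vendor test numbers only), so the database can be shown clear of card data before cutover and the hits reported in masked form.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit validation, the checksum payment card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the digit strings in `text` that look like a PAN and pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def mask(pan):
    """Show first six and last four only, the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed POS table rows: vendor test PANs only, no real cardholder data
SAMPLE_ROWS = [
    "1001|2016-03-14|4111 1111 1111 1111|APPROVED",
    "1002|2016-03-14|5500-0000-0000-0004|APPROVED",
    "1003|2016-03-14|1234567890123456|DECLINED",   # fails Luhn: not a PAN
    "1004|2016-03-14|tok_8f3a2c|APPROVED",         # tokenized, nothing to find
]

def scan_rows(rows):
    """Map row index to the masked PANs found there; an empty result means the table is clear."""
    hits = {}
    for i, row in enumerate(rows):
        pans = find_pans(row)
        if pans:
            hits[i] = [mask(p) for p in pans]
    return hits
```

Run the same scan over database exports, log archives and backup files, because "regardless of encryption format" on the slide includes data that was copied out before the P2PE device encrypted it.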

MORE INFORMATION

Training Opportunities
PCI Security Standards Council – Internal Security Assessor
– 2-day training in Boston, June
– $1650 fee (reduced from $2850)
– Applicable to internal auditors and internal risk and assessment staff

Resources
– otm.finance.harvard.edu
– SAQs: ocuments.php?category=saqs
– Harvard support/questions
– Trustwave QSA – Cash Management will arrange a teleconference