Troy Leach, The PCI Security Standards Council, April 2012

About the Council
- Open, global forum, founded 2006
- Responsible for the PCI Security Standards: development, management, education, awareness

PCI Security Standards: Protection of Cardholder Payment Data
An ecosystem of payment devices, applications, infrastructure and users:
- Manufacturers: PCI PTS (PIN Entry Devices)
- Software Developers: PCI PA-DSS (Payment Applications)
- Merchants & Service Providers: PCI DSS (Secure Environments)
Mobile payments touch all three layers.

Agenda
- Technology Updates: Mobile
- Industry Engagement
- Questions & Answers

Environmental Considerations at a Glance
Market:
- Increased interest in adoption of a variety of mobile technologies
- Absence of both traditional controls and standards
PCI SSC activity:
- Create efficient mechanisms for broader engagement
- Evaluate the need to develop standards
- Facilitate, where applicable, easier compliance mechanisms

Areas of Focus for Mobile
- Devices: tamper-resistance, secure card readers, POI & P2PE
- Applications: requirements and/or best practices for authorization and settlement
- Service Providers: service provider protection of cardholder data and validation

Peripheral Device Encryption (SCR and other POI)
Cardholder data is input only through an encrypting solution and passes through the mobile device still encrypted. The mobile device is just a conduit: it has no ability to decrypt the data and therefore never has access to clear-text account data.
New PTS approval class: Secure (Encrypting) Card Readers (SCR).

Mobile Phone Plug-in SCR
- The plug-in MSR encrypts data on the reader, before it reaches the phone
- Audio connector plugs into the phone's headphone jack
- Also works on computers, or any device with an audio input jack
- No PIN entry
- The QSA must determine that data is NOT decrypted on the phone

Mobile Update: Announcement and FAQ
The 2011 guidance focused on identifying and clarifying the risks associated with accepting payments via mobile solutions, and on validating mobile payment acceptance applications against version 2.0 of the PA-DSS.

Mobile Application Categories
- Category 1: PTS-approved PED devices
- Category 2: purpose-built POS devices
- Category 3: general-purpose smart devices
Applications for Category 1 and 2 devices are eligible for PA-DSS. Applications for Category 3 devices are pending the development of further guidance and/or standards.

Current Environmental Concerns
- Rapid development of applications
- Lack of traditional controls
- Too many privileges
- Malicious apps
- Wi-Fi sniffing / blackjacking
- Radiation of keys and side-channel attacks
- Distribution and persistent connectivity
- Ownership and use policy

PTS PED Vendor Solutions (1): purpose-built phone
- The phone is designed and purpose-built as a secure device
- Because it is a secure, tamper-protected device, it may use either an SCR or a data key managed similarly to a PIN key
- By definition does not use off-the-shelf mobile phones

PTS PED Vendor Solutions (2): phone cradle
- Compartment or cradle for the phone
- Card readers integrated into the PED
- May employ an encrypting card reader or use a data key managed similarly to a PIN key

Application Security within Smart Devices
Cardholder data is input using a non-encrypted solution (e.g. manual key entry, a non-encrypted card reader) and transmitted through the mobile device, so the mobile device has access to cleartext cardholder data: exposure of CHD within the device. The Mobile Task Force is to provide guidance and/or best practices.
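The difference between the two acceptance models on this page (the encrypting reader where the phone is only a conduit, and the app that handles cleartext cardholder data) comes down to what bytes the phone app can ever see. The following is an added example, not Council code or any vendor's product: it models both paths and applies the check an assessor would run over the phone-visible data, a Luhn scan for candidate PANs. The cipher is a stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for the PTS-approved scheme a real SCR uses, e.g. DUKPT-derived keys with the decrypting key held only in the processor's HSM; the fixed-width serial prefix, message layout and sample track data are assumptions for the illustration.

```python
import hashlib
import hmac
import json
import os
import re

SERIAL_LEN = 8    # reader serial prefixed to every message (assumed layout)
NONCE_LEN = 12
TAG_LEN = 32

# Constructed sample: a standard test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"
SAMPLE_TRACK2 = f"{SAMPLE_PAN}=2512101".encode()


def luhn_ok(digits: str) -> bool:
    """Luhn check, as an assessor's scanner applies it to digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: bytes) -> list:
    """Candidate PANs in anything the phone app could see (memory, logs, wire)."""
    return [m.group().decode() for m in PAN_RE.finditer(blob)
            if luhn_ok(m.group().decode())]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Stand-in AEAD: XOR with HMAC keystream, then MAC over aad|nonce|ciphertext."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, sealed: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tamper detected")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecureCardReader:
    """Scenario 1: track data is encrypted before it leaves the reader."""
    def __init__(self, key: bytes, serial: bytes):
        assert len(serial) == SERIAL_LEN
        self._key = key        # shared with the processor only, never with the phone
        self.serial = serial

    def swipe(self, track2: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        # The serial travels in the clear but is bound to the ciphertext as AAD.
        return self.serial + nonce + seal(self._key, nonce, track2, self.serial)


class Processor:
    def __init__(self, key: bytes):
        self._key = key

    def decrypt(self, msg: bytes) -> bytes:
        serial = msg[:SERIAL_LEN]
        nonce = msg[SERIAL_LEN:SERIAL_LEN + NONCE_LEN]
        return unseal(self._key, nonce, msg[SERIAL_LEN + NONCE_LEN:], serial)


def run_scenarios() -> dict:
    key = os.urandom(32)
    reader, processor = SecureCardReader(key, b"SCR00001"), Processor(key)

    # Scenario 1: the only thing the phone app ever holds is the opaque reader message.
    phone_buffer_scr = reader.swipe(SAMPLE_TRACK2)
    recovered = processor.decrypt(phone_buffer_scr)

    # A flipped ciphertext byte in transit must be rejected, not decrypted to garbage.
    tampered = bytearray(phone_buffer_scr)
    tampered[SERIAL_LEN + NONCE_LEN] ^= 0x01
    try:
        processor.decrypt(bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    # Scenario 2: the app assembles the request from manually keyed fields, so the
    # PAN exists in app memory before TLS is ever involved.
    phone_buffer_manual = json.dumps({"pan": SAMPLE_PAN, "exp": "2512"}).encode()

    return {
        "scr_phone_saw_pan": bool(find_pans(phone_buffer_scr)),
        "manual_phone_saw_pan": bool(find_pans(phone_buffer_manual)),
        "processor_recovered": recovered == SAMPLE_TRACK2,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The scan over `phone_buffer_scr` is the practical form of "QSA must determine data NOT decrypted on phone": if a Luhn-valid 13 to 19 digit run turns up anywhere in the app's memory, logs or outbound traffic, the device is no longer a conduit and the application falls under the cleartext scenario.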

2012 Guidance Calendar
- Mobile SCR & P2PE guidance for merchants
- Mobile acceptance best practices
- Mobile SCR & P2PE guidance for assessors and vendors
- Roadmap for Category 3 applications

Three Year Outlook: Mobile
Devices and Peripherals:
- Publish guidance on the use of an attached PTS POI with a mobile device, with P2PE
Applications:
- Develop guidance for mobile device environments and the related security requirements to meet PA-DSS or similar validation
- Create an AQM checklist for PA-DSS qualification
- If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data
Service Providers:
- Evaluate potential guidance and/or security requirements for third parties with access to cardholder data
The Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants the Council needs to address.

Industry Engagement

Mobile Task Force
- PCI Council members and staff, volunteer Participating Organizations and subject matter experts
- Subject matter experts are especially important when examining Scenario 2 (cleartext cardholder data within the device)
- Examples of subject matter experts: security assessors, OS platform vendors, financial processors, device manufacturers

Mobile Task Force The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.

Questions? Please visit our website at