Why Comply with PCI Security Standards?


Why Comply with PCI Security Standards? Compliance with the PCI DSS means that your systems meet a recognised baseline of security controls, and customers can trust you with their sensitive payment card information:
- Trust means your customers have confidence in doing business with you
- Confident customers are more likely to be repeat customers, and to recommend you to others
- Compliance improves your reputation with acquirers and payment brands

But if you are not compliant ……..
- Compromised data negatively affects consumers, merchants, and financial institutions
- Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
- Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and a depressed share price if yours is a public company
- Possible negative consequences also include:
  - Lawsuits and insurance claims
  - Higher transaction fees, higher compliance fees or even a terminated account from your acquirer
  - Fines from card companies and government bodies

But if you are not compliant …….. Q: What are the penalties for non-compliance? A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine on downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate the merchant relationship or increase transaction fees. So what you should look into is whether you already have information from your acquirer on what will happen in the event of a fraud incident.

What are EMV and PCI? EMV: authentication technology for the point-of-sale part of the transaction, when the physical card is actually present. When the EMV chip is embedded in a card, it helps ensure the card being used is genuine and that it belongs to the person using it. It drastically reduces the chances of your business accepting lost, stolen or counterfeit cards. PCI: security controls to protect the cardholder's confidential information on payment cards, not just at the moment the card is swiped or dipped, but all the way through the transaction process. They also apply when payments are made online or via telephone, where the card is not present, to make sure your customers' card data is kept safe. Both EMV and PCI were founded by the payment card brands to protect cardholders and merchants from fraud incidents. EMV is about ensuring the authenticity of the card, reducing the chances of businesses accepting lost or stolen cards. PCI is about protecting the cardholder data through the whole payment process, whether in person, online or via telephone.

What are the PCI standards? There are different standards for each part of the payment environment. PTS covers the payment device itself and is aimed at payment device manufacturers. PA-DSS covers software applications that handle the payment process, and PCI DSS covers securing the cardholder data environment. Beneath it all you see something called P2PE (point-to-point encryption), a newer standard that many payment devices now fulfil; I will cover what that involves later. Your concentration should mainly be on the PCI DSS unless you develop payment software applications yourself.

What does PCI DSS cover? 6 objectives and 12 requirements:

Objective: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Objective: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Objective: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Objective: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

(Speaker note: run through all twelve, then focus on Requirement 9.)

PCI DSS - the Point of Sale

PCI DSS Requirement 9: "Restrict physical access to cardholder data"

PCI DSS 3.0 – Requirement 9.9 "Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement." Version 3.0 came into effect on 1 January 2014.

PCI DSS – Requirements 9.9.1 – 9.9.3
- 9.9.1 Maintain an up-to-date list of devices, including:
  - Make and model of each device
  - Location
  - Device serial number
  - Recommended: take pictures of devices and their surroundings (cabling, ceilings, items around the devices) as a baseline to compare against later
- 9.9.2 Periodically inspect device surfaces for signs of tampering (for example, added skimmers or broken seals) and verify serial numbers to detect substitution
- 9.9.3 Provide staff training so personnel are aware of the risk and can recognise evidence of tampering or substitution
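As an added example (my code, not part of the original presentation or any PCI SSC material), here is a minimal device inventory with the two checks that Requirements 9.9.1 and 9.9.2 call for: each inspected terminal is compared against the recorded serial number for that location so that a swapped device shows up as a substitution, any observed tamper evidence is recorded as a finding, and devices whose last clean inspection is older than the inspection interval are reported as overdue. The 90-day interval, the location names, makes, models and serial numbers are all constructed sample data and assumptions of mine; PCI DSS leaves the inspection frequency to the merchant's risk assessment.

```python
"""Point-of-sale terminal inventory and inspection checks (PCI DSS 3.0 Req. 9.9).

Added example, not from the presentation. All device data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy value; PCI DSS does not fix a number, the merchant's risk assessment does.
INSPECTION_INTERVAL = timedelta(days=90)


@dataclass
class Terminal:
    """One entry of the 9.9.1 device list: make, model, location, serial number."""
    make: str
    model: str
    location: str
    serial: str
    last_clean_inspection: Optional[date] = None


@dataclass
class Inspection:
    """What the inspecting staff member observed at a location (9.9.2)."""
    location: str
    observed_serial: str
    tamper_signs: List[str] = field(default_factory=list)  # e.g. "seal broken", "extra cable"
    when: date = date.today()


def check_inspection(inventory: Dict[str, Terminal], insp: Inspection) -> List[str]:
    """Compare one inspection against the inventory. Returns findings; empty list means OK.

    Only a finding-free inspection advances last_clean_inspection, so a device with an
    open finding stays on the overdue list until someone resolves it.
    """
    findings: List[str] = []
    expected = inventory.get(insp.location)
    if expected is None:
        # A terminal at a location we do not know about is itself a finding (unknown device).
        findings.append(f"{insp.location}: device not in inventory")
        return findings
    if insp.observed_serial != expected.serial:
        # Serial mismatch is the signature of a substituted (swapped) terminal.
        findings.append(
            f"{insp.location}: serial {insp.observed_serial} does not match inventory "
            f"{expected.serial} (possible substitution)"
        )
    for sign in insp.tamper_signs:
        findings.append(f"{insp.location}: tamper evidence: {sign}")
    if not findings:
        expected.last_clean_inspection = insp.when
    return findings


def overdue(inventory: Dict[str, Terminal], today: date) -> List[str]:
    """Locations whose last clean inspection is missing or older than the interval."""
    return sorted(
        loc for loc, t in inventory.items()
        if t.last_clean_inspection is None or today - t.last_clean_inspection > INSPECTION_INTERVAL
    )


def run_inspections(inventory: Dict[str, Terminal], inspections: List[Inspection],
                    today: date) -> Tuple[List[str], List[str]]:
    """Apply all inspections, then report (findings, overdue locations)."""
    findings: List[str] = []
    for insp in inspections:
        findings.extend(check_inspection(inventory, insp))
    return findings, overdue(inventory, today)


# --- constructed sample data (assumed names and serials, not real devices) ---
TODAY = date(2015, 7, 1)


def sample_inventory() -> Dict[str, Terminal]:
    return {
        "Lane 1": Terminal("ExampleCo", "Model A", "Lane 1", "EXA-000111", date(2015, 6, 1)),
        "Lane 2": Terminal("ExampleCo", "Model B", "Lane 2", "EXB-000222", date(2015, 2, 1)),
        "Lane 3": Terminal("ExampleCo", "Model B", "Lane 3", "EXB-000333"),  # never inspected
    }


def sample_inspections(today: date) -> List[Inspection]:
    return [
        Inspection("Lane 1", "EXA-000111", [], today),                # clean
        Inspection("Lane 2", "EXB-000999", ["seal broken"], today),   # swapped + tampered
        Inspection("Lane 4", "EXB-000444", [], today),                # unknown location
    ]


if __name__ == "__main__":
    found, late = run_inspections(sample_inventory(), sample_inspections(TODAY), TODAY)
    for line in found:
        print("FINDING:", line)
    print("OVERDUE:", ", ".join(late))
```

With the sample data, Lane 1 passes and its inspection date is advanced, Lane 2 produces two findings (serial mismatch and broken seal) and therefore remains overdue, Lane 3 is overdue because it has never been inspected, and Lane 4 is flagged as a device that is not on the list at all.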

PCI DSS Recommendations – new document, September 2014: the PCI SSC's recommendations on how to meet PCI DSS 3.0 Requirement 9
- Security measures to take at the point of sale
- How to avoid skimming attacks
- How to physically secure your payment terminal using stands and locking cables

Skimming Prevention – Page 19 “Secure all terminals to the physical structure of the payment location when possible” Skimming Prevention: Best Practices for Merchants, September 2014

Skimming Prevention – Page 18 “Mount and secure the terminal and cables with locking stands, cable trays, and other securing mechanisms” Skimming Prevention: Best Practices for Merchants, September 2014

Skimming Prevention – Page 21 "Consider cable locks: Some terminals have slots so that you can attach a cable lock (as used to secure laptop computers) to the terminal. This can then be used to thread the payment terminal cable to the cash register and then secured to prevent both the terminal and the cable from being compromised. This is strongly recommended as a best practice. To insert a skimming device, it is often necessary to remove the terminal from its location, or swap the existing terminal for another compromised terminal." Skimming Prevention: Best Practices for Merchants, September 2014