Slide 1: The influence of PCI upon retail payment design and architectures
Ian White, QSA, Head of UK&I and ME PCI Team. September 4, 2013. Weekend Conference, 7 & 8 September 2013.



Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Slide 2: Proprietary Statement
This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service. This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon. © 2013 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

Slide 3: Agenda
– The PCI DSS
– The Retail Environment
  – Card Payments
  – The Retail Environment: the retail store, eCommerce, the call centre (MOTO)
– Current challenges
– Further Information

Slide 4: The PCI Data Security Standard
– Managed by the PCI SSC on behalf of the Card Brands (Visa, MasterCard, AMEX, Discover and JCB)
– Currently on version 2.0, with Version 3.0 published 7th Nov 2013
– Compliance is managed by the individual Card Brands
– Recognises Merchants and Service Providers (or TPP / DSE)
– Annual validation usually based around transaction volumes (SAQ or Report On Compliance)
– QSA and ISA roles exist to support independent validation against the control requirements
– An industry standard – but backed by legislation in some jurisdictions, and perhaps best viewed as “best practice”

Slide 5: The Payment Card Industry standards
– PCI DSS: covers the security of environments that store, process or transmit Account Data.
– PCI PA-DSS: covers Payment Applications so that they can support PCI DSS compliance.
– PCI PTS: covers hardware devices, for example HSMs and PEDs, for protection of the PIN.
– PCI P2PE: encryption, decryption and key management within secure devices (hardware / hardware).
– PCI PIN: secure management, processing and transmission of PIN data during online and offline payment processing.

Slide 6: Account Data
(Diagram: Account Data made up of Cardholder Data, Track 1 and Track 2.)

Slide 7: The PCI DSS Requirements (PCI DSS Version 2.0)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
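Requirement 3 is where a QSA most often finds trouble in retail estates: full PANs that have strayed into POS controller logs, call centre virtual terminal logs or databases. As an added example that is not part of the presentation, the Python below scans constructed log lines for Luhn-valid PAN candidates and truncates each to the first six and last four digits, the most PCI DSS v2.0 allows to be displayed; the regex, the sample lines and the function names are the example's own.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Pattern constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; the PANs are the card brands' published test numbers.
SAMPLE_LOG = [
    "2013-09-04 12:33:10 POS01 auth req pan=4111 1111 1111 1111 order=1234567890123456",
    "2013-09-04 12:33:11 POS01 auth ok code=A1B2C3",
    "2013-09-04 12:35:02 CALLCTR virt-term pan=378282246310005 amount=19.99",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four, the maximum PCI DSS v2.0 permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line: str):
    """Mask every Luhn-valid PAN candidate in one log line; returns (line, pans_found)."""
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)           # order numbers, timestamps etc. stay as they are
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), found


def scan_log(lines):
    """Redact a whole log; returns (redacted_lines, total_pans_found) for the scoping report."""
    redacted, total = [], 0
    for line in lines:
        new_line, n = redact_pans(line)
        redacted.append(new_line)
        total += n
    return redacted, total


if __name__ == "__main__":
    lines, total = scan_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{total} PAN(s) found and masked")
```

A non-zero count from a system the merchant believed was outside the CDE is the practical signal that the system is in scope, whatever the network diagram says.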

Slide 8: The Retail Environment
(Diagram in three columns: Acceptance Channels, Institutions, Corporate Systems. Components shown: POS Terminals, Store POS Controller, Authorization Servers (Site A), POS Databases (Site B), Acquirer, Internet, MOTO, Finance (Site C), Call Center (Site D), Acquirer, Printer (Site E), Loyalty.)

Slide 9: “Connected To” Systems
“Connected To” systems support the controls that protect the Cardholder Data Environment (CDE) and as such may be considered to be “in scope” of the PCI DSS for some requirements. Typical examples include:
– Active Directory (user accounts)
– Log Management
– AV / malware software update / management servers
– Patching servers
– Backup servers
– Terminal Servers
– Time Servers
– Support personnel desktops / laptops
– …

Slide 10: Authorisation
(Diagram of the parties: Cardholder, Merchant, Service Provider, Acquirer, Card Scheme network, Issuer, BofE, WWW.)
The merchant requests and receives authorisation from the issuer to proceed with the transaction and receives an authorisation code.

Slide 11: Clearing
(Diagram of the parties: Cardholder, Merchant, Service Provider, Acquirer, Card Scheme network, Issuer, BofE, WWW.)
The acquirer sends the issuer the purchase information; the issuer responds and then prepares for settlement of funds.

Slide 12: The Store Environment – expected
(Diagram.)

Slide 13: The Store Environment – actual?
(Diagram.)

Slide 14: The Store Environment – with segmentation
(Diagram.)

Slide 15: The Store Environment – P2PE?
(Diagram.) POS servers communicate with the corporate office, and card data is transmitted to the P2PE solution provider. The PED and stand-alone chip-and-PIN reader are P2PE validated.

Slide 16: Point-to-Point Encryption (P2PE)
– Currently very few solutions have been validated (2).
– The POI device encrypts the card data at the read head using a key that the merchant has no access to.
– P2PE supports HW to HW and so-called HW to Hybrid solutions (the term “Hybrid” refers to the decryption of the data taking place outside of the HSM, in software on a host system that uses an HSM to protect the keys).
– The use of a P2PE solution might enable a merchant to use a wide range of devices, such as the iPad, as they would only be providing a secure communications path for the (encrypted) data.
(Source: PCI SSC list of validated P2PE solutions as at 6th Sept 2013.)

Slide 17: The eCommerce Environment – expected
(Diagram. Source: PCI SSC QSA training 2011.)

Slide 18: The eCommerce Environment – actual?
(Diagram. Source: PCI SSC QSA training 2011.)

Slide 19: The eCommerce Environment – with segmentation
(Diagram.) Which PCI DSS requirements apply here – if any?

Slide 20: The eCommerce Environment – Using a Third Party?
(Diagram.) Which PCI DSS requirements apply here – if any?

Slide 21: The Call Centre – areas to consider
– Policies and Procedures
– Virtual terminals
– Call recording software

Slide 22: Some of the current challenges for retail
– Logging
– Legacy systems and encryption
– CCTV – especially in the retail store environment
– P2PE vs E2EE
– Wireless scanning / NAC
– Virtualisation / Cloud Services
– Contractual frameworks for third parties
– Loyalty schemes (Tokenisation?)

Slide 23: Further Information
Go to www.pcissc.org for detailed information and documentation (standards, guidance and FAQs). The Card Brands and Acquiring banks have many documents that provide detailed advice and guidance on the PCI DSS and associated compliance issues.