Sneak Preview: What to Expect from PCI DSS v. 2.0 (Changes, Clarifications, Guidance)
Walter Conway, QSA, 403 Labs, LLC

Presentation transcript:


University of Wisconsin Lockdown 2010 | Walter Conway, QSA | 403 Labs, LLC

Agenda
- PCI DSS in context
- New PCI version in October – “fine tuning”
  - Lifecycle
  - Cardholder data discovery
  - Clarifications
  - SAQ revisions
  - Emerging technology guidance
- What this means for you

403 Labs, LLC
- Information security consulting firm
- Payment Card Industry:
  - Qualified Security Assessor (QSA)
  - Payment Application QSA (PA-QSA)
  - Approved Scanning Vendor (ASV)
- Work with service providers and merchants of all sizes

PCI DSS: 6 Goals, 12 Requirements

Some PCI DSS Basics
- Payment Card Industry Data Security Standard
- Goal is to protect cardholder data
  - And to keep you out of the headlines
- If you take plastic, PCI applies to you
  - “Store, process, or transmit” cardholder data
- The whole of PCI DSS applies to all merchants
- New PCI release due in October
  - Reflects latest attack vectors, technology, practices
- PCI does not make you secure

Some PCI DSS Basics (cont.)
- Each card brand has its own security program
  - Merchant levels
  - Validation (e.g., MasterCard’s new rules)
  - Penalties, fees
- Safe harbor – can it exist?
- Compliance
  - People, process, technology
  - No “silver bullet”

PCI DSS v. 2.0 – Lifecycle
- 3-year lifecycle
  - Announced in June
  - Consistency: PCI DSS, PA-DSS, PCI PTS
  - Interim versions for errata, new threats
  - FAQ, supplements to continue
- Benefits
  - Fewer new requirements
  - More time for implementation and feedback
  - Version 1.2 sunset December 2011

PCI DSS v. 2.0 – Lifecycle

PCI DSS v. 2.0 – Data Discovery
- Cardholder data discovery “methodology”
- Find all your electronic cardholder data
- “Data leakage”
- Data breaches and “unknown unknowns”

PCI DSS v. 2.0 – Hashing
- Hashing
- Produces a unique, fixed-length output for each unique input
- Hash functions are not keyed and are not reversible
- Hash may include a “salt”

PCI DSS v. 2.0 – Segmentation
- Network segmentation is not required, but recommended
- Isolate systems that “store, process, or transmit” CHD
- Limit PCI scope

PCI DSS v. 2.0 – SAQs
- Goal is to remove ambiguities
- Expect minor but critical changes clarifying who can use them
- Will we see new SAQ(s)?

PCI DSS v. 2.0 – Guidance
- Emerging technologies
  - Virtualization
  - Tokenization
  - End-to-end encryption
  - EMV standard (chip cards)
- PCI Council guidance for compliance
  - Impact on PCI
  - Map to PCI requirements

PCI DSS v. 2.0 – Tokenization
- A data security technology in which strings of random characters, called tokens, are used in lieu of other, more valuable data, such as PANs
- Vendor and in-house solutions
- Tokenization can reduce (not eliminate) PCI scope
  - Everything depends on implementation
(Diagram labels: Plaintext, Ciphertext, Tokenization Engine, Secure Repository)

PCI DSS v. 2.0 – End-to-End Encryption
- Encryption: a cryptographic process for disguising data by applying a series of complex mathematical operations to it, rendering it unreadable to anyone without the proper decryption key
- Encryption is a keyed, reversible function
- Security depends on the key
  - A big number; if it is compromised, bye-bye security
- Encrypted data are still in PCI scope
(Diagram labels: Plaintext, Ciphertext, Key, Encryption)

PCI DSS v. 2.0 – End-to-End Encryption
- Really “point-to-point”
- End-to-end encryption
  - PAN encrypted from POS terminal all the way through the payment processing cycle
  - CHD always stored and transmitted as ciphertext
  - Critical element: merchant cannot decrypt
- For more information
  - PCI Council guidance documents, FAQ
  - Visa’s best practices for data field encryption

PANs, Hashes, Encryption, Tokens
- PAN (card number)
- Truncated PAN: XX XXXX 2299
- Hashed PAN (renders the PAN unreadable; one way): 2fd4e1c6 7a2d28fc
- Encrypted PAN (more characters than the PAN and structurally different): 9Ojr73h3d^&hh#&HFH&##ED*HD#*
- Format-preserving encryption (structurally similar to the PAN)
- Token (like the PAN in length and character type, but randomly derived)
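To make the hashing slide, the tokenization slide and this comparison concrete, here is an added Python example (not code from the presentation or from 403 Labs) that derives three of the forms above from one constructed sample PAN: a truncated PAN, a salted one-way hash, and a randomly derived token held in a minimal tokenization engine with its secure repository. The sample PAN, the salt values and the TokenVault class are all constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample PAN for illustration only (a test-style number, not a real card).
SAMPLE_PAN = "4111111111112299"
DIGITS = "0123456789"


def truncate_pan(pan: str) -> str:
    """Truncated PAN: keep only the last four digits and mask the rest."""
    return "X" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, salt: bytes) -> str:
    """Salted one-way hash of the PAN (SHA-256). The same PAN and salt always
    give the same digest, and nothing in the digest lets the PAN be recovered.
    The salt is assumed to be a secret value kept apart from the hashed data."""
    return hashlib.sha256(salt + pan.encode("ascii")).hexdigest()


class TokenVault:
    """Minimal tokenization engine plus secure repository. The repository is an
    in-memory dict here (constructed for the example); a real vault would hold
    the PANs encrypted and would itself remain in PCI scope."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a random token with the PAN's length and character type,
        keeping the last four digits so receipts and lookups still work."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions with existing tokens and the (astronomically
            # unlikely) case where the random token equals the PAN itself.
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; systems holding just tokens cannot."""
        return self._token_to_pan[token]
```

Note the asymmetry the slides describe: the hash has no inverse at all, while the token is reversible only through the vault, which is why the vault (not the token-holding systems) carries the PCI scope.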

PCI DSS v. 2.0 – Emerging Technologies
- Encryption, tokenization are still maturing
  - May not work with all applications, systems
  - Standards?
  - Lots of marketing hype
- Encryption security depends on protecting the key
- Look for guidance from PCI Council
  - Don’t expect specifics on implementation
- Read Visa’s best practices document
- As of today, only truncation and hashing remove CHD from scope

PCI DSS v. 2.0 – Get Smart
- PCI Council FAQ
- PCI Council courses
  - Standards training
  - Independent Security Assessor (ISA)
- Other PCI training options

PCI DSS v. 2.0 – Conclusions
- Expect refinements, not major changes
- 3-year lifecycle for each standard
- Find your CHD…all of it!
- Revised SAQs should help
- Guidance on emerging technologies
- Announcements, webinars over the summer
- DSS v. 2.0 not unveiled until September?

What to Expect from PCI DSS v. 2.0
- Questions? Comments? Thoughts?
- Thank you!
- See my PCI column at StorefrontBacktalk.com
- Higher Ed PCI blog: treasuryinstitutepcidss.blogspot.com