BUSINESS CLARITY ™ PCI – The Pathway to Compliance.

Slide 1: BUSINESS CLARITY ™ PCI – The Pathway to Compliance

Slide 2: Agenda (Business Clarity; Proprietary and Confidential – Do Not Distribute)
- What is PCI?
- Why PCI is Different From Everything Else
- Who Must Comply With PCI?
- Costs of a Data Breach
- How Do We Become Compliant?
- Tools to Help Get You There

Slide 3: What is PCI?
The major payment card brands created the PCI DSS (Payment Card Industry Data Security Standard), now maintained by the PCI Security Standards Council, to protect cardholder data and secure the systems that store, process or transmit it when a payment card transaction is handled. The standard's requirements are grouped under six control objectives:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

Slide 4: What is PCI? (cont.)
Merchants are assigned one of four levels by their acquiring bank, based on the number of transactions processed per year. The exact thresholds are set by each card brand; the commonly cited ones are:
- Level 1: more than 6 million transactions per year
- Level 2: 1 million to 6 million transactions
- Level 3: 20,000 to 1 million e-commerce transactions
- Level 4: fewer than 20,000 e-commerce transactions, or up to 1 million transactions through other channels
Validation requirements vary by level. A Level 1 merchant needs an annual Report on Compliance prepared by a Qualified Security Assessor (or an internal assessment signed off by a company officer); merchants at Levels 2 through 4 complete an annual Self-Assessment Questionnaire instead. At every level the result is submitted with an Attestation of Compliance form, and quarterly external vulnerability scans by an Approved Scanning Vendor are required at Levels 1 through 3 (and at Level 4 at the acquirer's discretion) wherever the merchant has externally facing systems in scope.

Slide 5: Why is PCI Different From Everything Else?
PCI is prescriptive, not risk-based like SOX.
- PCI requires critical security patches to be installed within one month of release; under SOX the company decides for itself how often to patch.
- PCI leaves companies very little wiggle room.
PCI does not accommodate risk acceptance.
- Every requirement must be met; a deficiency stays a finding until it is remediated.
- Management cannot decide that a low or medium level of residual risk is acceptable to the company and leave the requirement unmet.
Compensating controls are narrowly defined.
- In risk-based frameworks, strength in one area can offset a low-level deficiency in another. PCI DSS does accept a compensating control, but only where a documented, legitimate technical or business constraint prevents meeting the requirement as written; the substitute control must meet the intent and rigor of the original requirement and be re-justified at every assessment. It is not a general way to trade strengths against weaknesses.

Slide 6: Who Must Comply With PCI?
Every participant in the payment card ecosystem that stores, processes or transmits cardholder data (financial institutions, payment processors and service providers, and merchants) must comply with the standard in order to accept or handle payment cards. Failure to comply can bring fines from acquiring banks and the card brands, and ultimately the loss of card-processing privileges.

Slide 7: What Could a Data Breach Cost Us?
Largest consumer payment card data theft at the time: TJX (parent of TJ Maxx and Marshalls) lost over 45 million customer card records. The company set aside about $250,000,000 to cover losses, but analysts estimated it could be on the hook for over $1 billion.
- All it took was a laptop and a directional antenna. The thieves cracked the weak (WEP) wireless encryption at a single store and, from that foothold, worked their way to the central systems holding customer card data.
Hannaford, a grocery chain, had data on 4.2 million card accounts stolen by malware the attackers had installed on more than 300 company servers in at least six states.
- Within three weeks of the breach being reported, over 1,800 fraud cases had been linked to the theft, averaging exposure of over $100k per case.
- In addition, two class-action lawsuits are pending against the company. Damages in class-action suits are not capped.

Slide 8: How Do We Get Compliant?
- Determine your validation requirements from your merchant level.
- Inventory the card data you capture (which data elements, where it flows, where it is stored and for how long) and compare that against actual business need. Data you do not keep is data you do not have to protect, and sensitive authentication data such as the card verification code or full magnetic-stripe contents may never be stored after authorization at all.
- Make certain you have a very technical, security-focused auditor on your PCI compliance team. A CPA or non-technical IT auditor will typically find PCI compliance difficult, because the requirements are highly technical.
- Walk through the Self-Assessment Questionnaire fearlessly and with eyes wide open.
- Get top-level management and the Board of Directors on board from the outset, to secure funding and support for the compliance initiative.

Slide 9: Tools To Help You Get There: The PCI Compliance Checklist

Slide 10: Our Blue-Chip Customer Base

Slide 11: Thank You