Presentation on theme: "Jon Bonham, CISA, QSA Director, ERC"— Presentation transcript:

1 PCI, What is it all about?
Jon Bonham, CISA, QSA, Director, ERC, JBonham@Coalfire.com
Fayetteville / Fort Bragg

2 Agenda
Introduction of Coalfire
PCI 101
Is it for the Business Office or IT Department?
Some changes that have an impact on schools
Questions and Answers
Contact Information

3 Coalfire Services

4 Coalfire Regional Offices Over 300 employees

5 About Coalfire
Coalfire is the QSA for the state of North Carolina. Agencies, departments, colleges and universities are all set up on Coalfire’s Navis platform for scans and SAQs. Coalfire has a division set up just to handle state and local government as well as higher education and large, diverse hospital systems. Coalfire successfully manages projects for small stand-alone colleges as well as large, diverse multi-campus university systems. Coalfire is a leader in PCI, HIPAA, FERPA, FISMA, GLBA and personal information auditing and assessments. Coalfire is vendor agnostic, so they don’t care who you use for any hardware, software, managed services or card processing. They work for their customers as a trusted partner and advisor.

7 First Breach?

8 Where did this all start?
In December of 2004, VISA and MasterCard aligned their programs under the banner PCI Data Security Standard (PCI DSS). American Express, Discover, JCB and Diners endorsed this new standard as well. VISA initially managed and coordinated the PCI DSS. The card brands then created the PCI Security Standards Council (SSC) to assume management of the program. The PCI SSC is managed by Executive and Management Committees made up of senior representatives from the card brands. End result: common security requirements for securing card data.

9 Who Does What?
1. Develops standards
2. Establishes compliance requirements
3. Enforces requirements on merchants
4. Merchant

10 What you signed up for

11 We don’t want to just check a box

12 What are We Protecting
Primary Account Number (PAN)
Cardholder Verification Number (CVN): Visa/Discover's Card Verification Value (CVV), Mastercard's Card Validation Code (CVC)
The CVN is called Prohibited Data – it cannot be retained after authorization.

13 What does this have to do with business?
Income
Easier
No bounced checks
The decision to take cards was made in the business office
The contracts were signed by the business office
The part in the contract about always being PCI compliant was signed by the business office

14 IT Department
Install and configure the hardware and software
Segment and maintain the network
Monitor what is happening
Implement changes
Work with the business office, merchants and vendors to maintain a secure cardholder data environment.

15 Just a thought or action isn’t enough.

16 Overkill

17 SAQ Validation Types

18 SAQ Validation Types

| SAQ Validation Type | Description | # of Questions v3.0 | Change # from v2.0 | ASV Scan Required v3.0 | Penetration Test Required v3.0 |
|---|---|---|---|---|---|
| A | Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage | 14 | +1 | No | |
| A-EP | E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage | 139 | NEW | Yes | |
| B | Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage | 41 | +12 | | |
| B-IP | Merchants with standalone, IP-connected payment terminals: No e-commerce or electronic cardholder data storage | 83 | | | |
| C | Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage | | +59 | | |
| C-VT | Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage | 73 | +22 | | |
| D-MER | All other SAQ-eligible merchants | 326 | +38 | | |
| D-SP | SAQ-eligible service providers | 347 | | | |
| P2PE | Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage | 35 | | | |

(Cells left blank above were not recoverable from the slide.)

19 The “Bucket” Approach
From this: many individual MIDs, each handled on its own.
To this: the MIDs grouped into buckets of SAQ A’s, SAQ B’s and SAQ C’s.

20 PCI DSS 3.1: Goals
The PCI SSC is pushing the concept of ongoing or continuous compliance management:
Monitoring of security controls
Detect and respond to failures in security controls
Review all changes to the environment
Organization structure changes
Periodic reviews
Annual hardware/software review

21 Some of the new requirements to keep in mind.
Dataflow diagrams
Requirement 2.4: Inventory of all in-scope system components
Requirement 5.1.2: Risk-based malware review for systems not commonly affected by malicious software
Requirement b: Termination processes must include all physical authentication methods in addition to systems

22 PCI DSS 3.1: New Requirements
New requirement to maintain information about which PCI DSS requirements are managed by the service provider.

23 PCI DSS 3.1: Requirement(s) 9.9.x New (merchant) requirements to protect point-of-sale devices that capture payment card data from tampering or unauthorized modification or substitution.

24 PCI DSS 3.1 Requirement 11.3.x
Expanded requirements/expectations for penetration testing controls.

25 PCI DSS 3.1 Requirement 12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data.

26 Questions about the changes?

27 Thanks for attending! Jon Bonham, CISA, QSA
