PCI 3.1 Boot Camp: Payment Card Industry Data Security Standard 3.1

1 PCI 3.1 Boot Camp: Payment Card Industry Data Security Standard 3.1

2 Purpose: Why am I here? (PCI 3.1 Boot Camp - March 2016)

3 Agenda
– PCI importance
– SAQ review
– Mitigation plan for SSL/early TLS
– EMV vs. P2PE

4 PCI Compliance Reset: Self-Assessment Questionnaire (SAQ)
– Start early
– Complete it accurately
– Cash Management is the central point of contact
– Use your technical contacts and vendors
– Use HUIT Security/NOC/SOC/Desktop Support
– Answer "N/A" or "No" only with an explanation or a documented compensating control
– Keep supporting documentation on file

5 PCI Compliance Reset: Scans and Diagrams
– External vulnerability scans are important (PCI DSS requires them quarterly, by an Approved Scanning Vendor)
– Internal vulnerability scans or application scans must be done where your SAQ requires them
– Network diagrams of the cardholder data environment (CDE) must be submitted to Cash Management

6 PCI Compliance Reset: Documented Local Business Policies
– Document current business processes
– Update and review them annually
– Comply with the latest PCI standards
– Annual PCI awareness training for all staff

7 PCI Compliance Reset: Vendor Service Agreements
– Document which PCI DSS requirements are managed by each service provider and which are managed by the merchant (PCI DSS Requirement 12.8.5).

8 SAQ Review: When to use SAQ A vs. SAQ A-EP
– All processing of cardholder data is entirely outsourced to a PCI DSS validated third-party service provider = SAQ A
– All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor = SAQ A-EP

9 SAQ Review: When to use SAQ A vs. SAQ A-EP (continued)
– All elements of all payment pages delivered to the consumer's browser originate only and directly from a PCI DSS validated third-party service provider = SAQ A
– Each element of the payment page delivered to the consumer's browser originates from either the merchant's website or a PCI DSS compliant service provider = SAQ A-EP

10 Examples of an SAQ A Merchant
– Merchant has no access to their website, and the website is entirely hosted and managed by a compliant third-party payment processor, OR
– Merchant website provides an iFrame or a URL link (redirect) to a PCI DSS compliant third-party payment processor.

11 Examples of an SAQ A-EP Merchant
– Merchant website creates the payment form and posts cardholder data directly to the payment processor (Direct Post)
– Merchant website loads or delivers a script that runs in the consumer's browser (e.g. JavaScript) and provides functionality that supports creation

13 SSL/Early TLS
PCI DSS 3.1 no longer accepts SSL or early TLS (TLS 1.0) as strong cryptography. The requirements affected are:
– Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
– Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
– Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

14 Mitigating SSL and Early TLS: Risk-Mitigation Controls
Until migration to a current TLS version is complete, the Risk Mitigation and Migration Plan should include controls such as:
– Consolidate functions that use vulnerable protocols onto as few systems as possible
– Remove or disable web browsers, JavaScript and cookies where they are not needed
– Configure firewalls to permit SSL/early TLS only to known IP addresses
– Expand coverage of intrusion-protection systems to monitor for attacks on the vulnerable protocols
– Identify unusual increases in requests for fallback to vulnerable protocols
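Two of the controls above (permit early TLS only from known IP addresses, and watch for unusual increases in fallback to vulnerable protocols) can be checked from TLS termination logs. The Python below is an added example, not part of the slides or of any Harvard or PCI SSC tooling; the log format, the addresses, and the partner allow-list are constructed for the example.

```python
"""Detect SSL/early-TLS use in TLS termination logs.

Added example (not from the slides).  It implements two of the listed
mitigation controls: restricting legacy protocols to known IP addresses,
and flagging unusual increases in fallback to vulnerable protocols.  The
log format, addresses and allow-list are constructed for the example.
"""
import ipaddress
from datetime import datetime

# Protocol versions PCI DSS 3.1 no longer treats as strong cryptography.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}

# Hypothetical allow-list of partner addresses still permitted to use early TLS.
LEGACY_ALLOWED = [ipaddress.ip_network("198.51.100.0/29")]

# Constructed log lines: timestamp, client IP, protocol, cipher, method, path, status.
SAMPLE_LOG = """\
2016-03-01T09:00:05Z 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 POST /pay 200
2016-03-01T09:03:11Z 198.51.100.2 TLSv1 AES128-SHA POST /pay 200
2016-03-01T09:15:40Z 203.0.113.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 GET /cart 200
2016-03-01T09:30:01Z 203.0.113.12 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 POST /pay 200
2016-03-01T10:00:02Z 203.0.113.20 TLSv1 AES128-SHA POST /pay 200
2016-03-01T10:00:03Z 203.0.113.21 SSLv3 RC4-SHA POST /pay 200
2016-03-01T10:00:04Z 203.0.113.22 TLSv1 AES128-SHA POST /pay 200
2016-03-01T10:01:09Z 203.0.113.13 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 POST /pay 200
"""


def parse_log(text):
    """Parse the constructed log format into dicts with ts, ip, proto and a legacy flag."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, proto = line.split()[:3]
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "proto": proto,
            "legacy": proto in LEGACY_PROTOCOLS,
        })
    return records


def is_allowed_legacy_source(ip):
    """True if the address is on the documented allow-list for early TLS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LEGACY_ALLOWED)


def legacy_from_unapproved(records):
    """Legacy-protocol handshakes from sources the firewall should not permit."""
    return [r for r in records if r["legacy"] and not is_allowed_legacy_source(r["ip"])]


def hourly_counts(records):
    """Map each hour to (total requests, legacy-protocol requests)."""
    counts = {}
    for r in records:
        hour = r["ts"].strftime("%Y-%m-%dT%H")
        total, legacy = counts.get(hour, (0, 0))
        counts[hour] = (total + 1, legacy + int(r["legacy"]))
    return counts


def fallback_spikes(records, factor=2.0, min_legacy=2):
    """Hours whose legacy share is at least `factor` times the share seen in all
    earlier hours (or any legacy use at all once the baseline was zero).
    The first hour has no baseline and is never flagged.
    Returns (hour, share, baseline_share) tuples.
    """
    counts = hourly_counts(records)
    spikes = []
    prior_total = prior_legacy = 0
    for hour in sorted(counts):
        total, legacy = counts[hour]
        if prior_total:
            baseline = prior_legacy / prior_total
            share = legacy / total
            if legacy >= min_legacy and (baseline == 0 or share >= factor * baseline):
                spikes.append((hour, share, baseline))
        prior_total += total
        prior_legacy += legacy
    return spikes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in legacy_from_unapproved(recs):
        print(f"block/investigate: {r['ip']} used {r['proto']} at {r['ts']:%H:%M:%S}")
    for hour, share, baseline in fallback_spikes(recs):
        print(f"fallback spike in {hour}: {share:.0%} legacy vs. {baseline:.0%} baseline")
```

On the constructed sample the partner at 198.51.100.2 is tolerated, the three 10:00 handshakes from unlisted addresses are reported, and the 10:00 hour is flagged because its legacy share (75%) is three times the earlier baseline (25%). Against a real web server or load balancer, the protocol and cipher fields have to be enabled in the access-log format first; the output is a list for the firewall allow-list and the migration plan, not a replacement for disabling the protocols.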

15 EMV and P2PE: Card-Present Merchants
– Point-of-sale systems
– PCI validated hardware/software vendor
– Certified to BAMS

16 Benefits
– Removes cardholder data (CHD) from the merchant environment
– Reduces PCI compliance scope
– Shorter SAQ (SAQ P2PE instead of SAQ C)
– Reduces the chargebacks that are shifted to merchants who have not implemented EMV

17 Validating EMV and P2PE
– Clear the POS database of all card data, regardless of encryption format
– The vendor's implementation guide (the P2PE Instruction Manual) should be on file at Cash Management
– Test the VLAN between the merchant and the vendor
– Validate that cardholder data (CHD) does not enter the merchant environment
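The first and last points above are a data-discovery task: before go-live, prove the POS database holds no card numbers, and afterwards keep proving that none have crept into the merchant environment. The Python below is an added example, not from the slides or from any vendor or Harvard tooling; it scans an exported table for primary account numbers (PANs) using the Luhn check, which is what separates a real card number from an order ID or timestamp of the same length. The rows are constructed, and the two PANs are the public test numbers 4111... and 5500....

```python
"""Scan a POS database export for plaintext PANs before and after P2PE go-live.

Added example (not from the slides).  Candidate numbers are 13-19 digit runs
(spaces or dashes between digits allowed) that pass the Luhn check.  The rows
below are constructed; the PANs are public test numbers, not real cards.
"""
import re

# 13-19 digits with optional single spaces or dashes between them, not embedded
# in a longer run of digits (a 20-digit run is not a PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed rows imitating a POS transactions table export.
SAMPLE_ROWS = [
    {"id": 1, "pan": "4111 1111 1111 1111", "note": "legacy row, plaintext PAN"},
    {"id": 2, "pan": "tok_7c1e9a4b", "note": "P2PE token, no card data"},
    {"id": 3, "pan": "", "note": "order 1234567890123456 in memo field"},
    {"id": 4, "pan": "5500-0000-0000-0004", "note": ""},
    {"id": 5, "pan": "4111111111111112", "note": "fails Luhn, not a PAN"},
]


def luhn_ok(digits):
    """Luhn (mod 10) check as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Show first six and last four, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return the unseparated PANs found in a string (order and timestamp-like
    numbers are dropped by the Luhn check)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_rows(rows):
    """Scan every column of every row; report masked findings only, so the
    report itself does not become cardholder data."""
    findings = []
    for row in rows:
        for column, value in row.items():
            for pan in find_pans(str(value)):
                findings.append({"row": row["id"], "column": column, "masked": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"row {f['row']}, column {f['column']}: {f['masked']}")
```

On the constructed rows only rows 1 and 4 are reported; the 16-digit order number in row 3 and the mistyped number in row 5 fail Luhn and are ignored. Run it against a CSV or SQL dump of every POS table, not just the obvious card column. Encrypted or tokenized values will not match, which is exactly why the slide says to clear the database regardless of encryption format rather than trust a scan alone: a clean scan proves there is no plaintext, not that the table is empty.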

18 More Information

19 Training Opportunities
– PCI Security Standards Council Internal Security Assessor (ISA) training: 2 days, Boston, June 29-30; $1,650 fee (reduced from $2,850)
– Applicable to internal auditors and internal risk and assessment staff

20 Resources
– otm.finance.harvard.edu
– https://www.pcisecuritystandards.org/merchants/index.php
– SAQs: https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
– Harvard support/questions: pci_compliance@harvard.edu
– Trustwave QSA: Cash Management will arrange a teleconference

