Download presentation
Presentation is loading. Please wait.
Published byMarie-Noëlle Auger Modified over 6 years ago
1
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
Commonwealth of Massachusetts Office of the State Comptroller March 2007 PCI DSS Compliance -- March 2007
2
What is PCI DSS? Mandatory compliance program resulting from a collaboration between the credit card associations to create common industry security requirements for cardholder data. PCI DSS Compliance -- March 2007
3
More about PCI compliance….
Common set of industry tools and measurements to ensure safe handling of sensitive information. Actionable framework for developing a robust account data security process—including preventing, detecting, and reacting to security incidents. Technical requirements for secure storage, processing, and transmission of cardholder data. Common auditing and scanning procedures. PCI DSS Compliance -- March 2007
4
Who has to worry about it?
If you transact credit card business, you have to worry about it. Merchants and third party providers who process, transmit, or store cardholder data are required to adhere to certain data security standards. Applies to credit card business transacted over all payment channels (POS, mail, IVR, and e-commerce). PCI DSS Compliance -- March 2007
5
Who are the stakeholders?
Credit card industry – Founders of the PCI Security Standards Council are Visa, Mastercard, Amex, Discover, and JCB brands. Acquiring banks/member banks – must require PCI compliance from merchants and service providers doing credit card business. Merchants and service providers – must be PCI compliant, regardless of channel. Our customers. PCI DSS Compliance -- March 2007
6
PCI DSS: Covers 6 Areas/12 Requirements
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data and sensitive information across open public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications PCI DSS Compliance -- March 2007
7
PCI DSS: Covers 6 Areas/12 Requirements (continued)
Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security PCI DSS Compliance -- March 2007
8
Major Activity Areas Identify merchant level (dependent on volume).
Subject matter expertise. Consulting and recommendations. Compliance – relates to infrastructure security and business procedures (may be supported by Qualified Security Assessor (QSA)). Annual self-assessment questionnaire Annual on-site security audit (depending on merchant level) Validation – process performed by an Approved Scanning Vendor (ASV) on all external-facing IP addresses. Possibly, audit (depending on merchant level). PCI DSS Compliance -- March 2007
9
Our Approach See what departments and other states are doing.
Communicate – share information to promote awareness of the issue, identify participating departments, and gain support. Learn about PCI DSS Compliance. Check in with banks and service providers on their PCI Compliance status and requirements. Initiate a procurement to identify Qualified Security Assessors (QSVs) and Approved Scanning Vendors (ASVs) to assist departments in achieving compliance and validation. Identify costs and funding. PCI DSS Compliance -- March 2007
10
Consequences of Non-Compliance
Forensic investigation Steep monetary fines (up to $500K) levied by the card associations plus damages Lawsuits Damage to reputation Bad publicity Revocation of credit card business privileges PCI DSS Compliance -- March 2007
11
For more information: See and for general information. Check out the self-assessment questionnaire at: to assess level of effort and resources to remediate problems and achieve compliance. See and Visa Cardholder Information Program (CISP) links. See for Mastercard Site Data Protection (SDP) information Stay tuned for updates on RFR progress. PCI DSS Compliance -- March 2007
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.