Payment Card Industry - Requirements and implementation challenges in Armenian market Vladislav Muradyan Partner.

1 Payment Card Industry - Requirements and implementation challenges in Armenian market
Vladislav Muradyan Partner

2 Table of Contents
- What is the PCI SSC and PCI DSS?
- Payment industry terminology
- Who is targeted?
- Understanding the risk
- How to secure the cardholder data environment?

3 What is the PCI SSC and PCI DSS?

4 What is the PCI SSC and PCI DSS?
The PCI SSC is an independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis. The PCI SSC founding payment brands are:
- American Express
- Discover Financial
- JCB International
- MasterCard
- Visa, Inc.

5 What is the PCI SSC and PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

6 What is the PCI SSC and PCI DSS?
Account Data consists of Cardholder Data and Sensitive Authentication Data.
Cardholder Data includes:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data includes:
- Full track data (magnetic-stripe data or equivalent on a chip)
- CAV2/CVC2/CVV2/CID
- PINs/PIN blocks

7 What is the PCI SSC and PCI DSS?
PCI Data Security Standard – High level Overview
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

8 Payment industry terminology
- Payment Terminal is the device used to take customer card payments via swipe, dip, insert, tap, or manual entry of the card number. Point-of-sale (POS) terminal, credit card machine, PDQ terminal, or EMV/chip-enabled terminal are also names used to describe these devices.
- Electronic Cash Register (or till) registers and calculates transactions, and may print out receipts, but it does not accept customer card payments.
- Integrated Payment Terminal is a payment terminal and electronic cash register in one, meaning it takes payments, registers and calculates transactions, and prints receipts.

9 Payment industry terminology
Cardholder: the customer purchasing goods, either “Card Present” or “Card Not Present”; receives the payment card and bills from the issuer.
Issuer: a bank or other organization issuing a payment card on behalf of a Payment Brand (VISA, MasterCard, etc.), or a Payment Brand issuing a payment card directly (Amex, Discover, JCB).
Merchant: the organization accepting the payment card for payment during a purchase.

10 Payment industry terminology
Acquirer: the bank or entity the merchant uses to process their payment card transactions.
- Receives authorization requests from the merchant and forwards them to the Issuer for approval
- Provides authorization, clearing and settlement services to merchants
An Acquirer is also called:
- Merchant Bank
- ISO (Independent Sales Organization)
- Payment Brand – Amex, Discover, JCB (never VISA and MasterCard)

11 Payment industry terminology
Authorization: the merchant requests and receives authorization from the Issuer to allow the purchase to be conducted; an authorization code is provided.
Clearing: the Issuer and Acquirer exchange purchase and reconciliation information.
Settlement: the Issuer pays the Acquirer; the Acquirer pays the merchant for the cardholder purchase; the merchant receives payment; the Issuer bills the cardholder; the cardholder gets charged.

12 Payment industry terminology
Service Provider is a business that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. Service Provider examples:
- Transaction Processors
- Payment Gateways
- Remittance processing companies
- Managed Firewall and IDS service providers
- Web Hosting and Data Center Hosting providers
- Offsite data storage facilities

13 Payment industry terminology
Merchants
Level 1: Type of Assessment: Onsite Assessment; Reporting Requirements: ROC and ASV scan report
Level 2: Type of Assessment: Self Assessment; Reporting Requirements: SAQ and ASV scan report
Level 3 and Level 4: Type of Assessment: Determined by payment brand or acquirer; Reporting Requirements: SAQ and ASV scan report

14 Payment industry terminology
Service Providers
Level 1: Type of Assessment: Onsite Assessment; Reporting Requirements: ROC and ASV scan report
Level 2: Type of Assessment: Self Assessment; Reporting Requirements: SAQ and ASV scan report
Level (American Express): Type of Assessment: Self Assessment; Reporting Requirements: SAQ and ASV scan report

15 Who is targeted?
The top targeted industries included:
- Retail – 45% of breaches
- Food and Beverage – 24% of breaches
- Hospitality – 9% of breaches
- Financial Services – 7% of breaches
- Nonprofit – 3% of breaches

16 Who is targeted?
- Major retailer (2014) – over 50 million cards lost. Malware installed on the point-of-sale system to capture data in memory.
- Major retailer (2013) – over 100 million cards lost. Senior staff members resigned following the breach.
- Payment processor (2009) – 160 million cards lost. Malware was used to capture cardholder data as it was processed. Reports suggest the direct costs of the breach reached 171 million USD.

17 Who is targeted?
- 99.9% of breaches were preventable – caused by known vulnerabilities with fixable patches
- 76% of companies took weeks or more to discover the breach
- 67% of organizations did not adequately test the security of all in-scope systems

18 Who is targeted?
Stolen payment cards and cardholder data:
- $10 per card and/or cardholder data (USA)
- $20 per card and/or cardholder data (Japan)
- $50 per card and/or cardholder data (EU)

19 Understanding the risk
Merchants, payment gateways, and other small service providers are a prime target for data thieves.
- 60% of small businesses experienced a cyber breach
- 71% of hackers attack businesses with under 100 employees
- 20,752 USD – average cost to a small business due to hacking, up from 8,600 USD in 2013
There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards. Customers’ card data is a gold mine for criminals.

20 Understanding the risk
Factors that make the cardholder data environment vulnerable to security breaches:
- “It will never happen to me”
- Not following recommendations and basic security guidelines
- Not being familiar with PCI DSS compliance and the ways to achieve it (onsite assessment, SAQ, etc.)
- Lack of coordination and communication with the merchant bank, data processors, etc.
- The more features the payment system has, the more complex it is to secure. These extra features often provide easy ways for criminals to steal customer card data

21 Understanding the risk
Security risks vary greatly depending on the complexity of the payment system, whether face-to-face or online.
- A complex environment requires more activities to reduce the risks
- A simple environment requires fewer activities to reduce the risks
The way to address business needs versus the security of customer card data is to get them in balance.

22 How to secure cardholder data environment?
- Be familiar with the PCI DSS requirements and other publications related to your business: implementation guidelines, standards and recommendations issued by the PCI SSC, and the definitions of merchant and service provider levels, how to determine the appropriate level and what requirements need to be followed
- Implement information security basics
- Be in contact with your merchant bank and data processor service provider

23 How to secure cardholder data environment?
The good news is, it is possible to start protecting the cardholder data environment right now by implementing basic and inexpensive activities:
- Use strong passwords and change default ones
- Protect your card data and only store what you need
- Inspect payment terminals for tampering
- Install patches from your vendors
- Use trusted business partners and know how to contact them
- Protect in-house access to your card data

24 How to secure cardholder data environment?
Use strong passwords and change default ones
- CHANGE YOUR PASSWORDS REGULARLY
- MAKE THEM HARD TO GUESS
- DON’T SHARE
It should be noted that computer equipment and software out of the box (including payment terminals) often come with default (preset) passwords such as “password” or “admin,” which are commonly known by hackers and are a frequent source of small merchant breaches.

25 How to secure cardholder data environment?
Protect your card data and only store what you need
- Ask your payment terminal vendor or merchant bank where your systems store data and if you can simplify how you process payments
- The best way to protect against data breaches is not to store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider
- Securely destroy/shred card data you don’t need
- Ask your merchant bank if you REALLY need to store that card data. If you do, ask your merchant bank or service provider about encryption or tokenization technologies that make card data useless even if stolen
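As an added example (not from the presentation), the slide 6 split between cardholder data and sensitive authentication data can be applied mechanically to a merchant-side record before it is written to disk or a log: SAD fields are dropped outright, and any Luhn-valid PAN, whether in its own field or embedded in free text, is truncated to its first six and last four digits. The field names and the sample record are assumptions made for this example.

```python
import re

# Constructed sample record as a POS integration might log it; values are made up.
SAMPLE_RECORD = {
    "pan": "4111111111111111",   # widely published test PAN
    "expiry": "12/27",
    "cvv2": "123",                                     # SAD: never stored post-authorization
    "track2": ";4111111111111111=27122011234567890?",  # SAD: full track data
    "pin_block": "A1B2C3D4E5F60718",                   # SAD: PIN block
    "note": "refund requested for card 4111111111111111 on 2024-01-05",
}

# Sensitive Authentication Data (slide 6): full track data, CAV2/CVC2/CVV2/CID,
# PINs/PIN blocks. The key names are assumptions for this example.
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}
PAN_RUN = re.compile(r"\b\d{13,19}\b")  # PANs are 13 to 19 digits long

def luhn_valid(digits: str) -> bool:
    """Luhn check: tells a plausible PAN apart from other digit runs (timestamps, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the most PCI DSS leaves readable)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def mask_text(text: str) -> str:
    """Mask every Luhn-valid 13-19 digit run embedded in free text."""
    def repl(m):
        return mask_pan(m.group()) if luhn_valid(m.group()) else m.group()
    return PAN_RUN.sub(repl, text)

def scrub_record(record: dict) -> tuple[dict, list[str]]:
    """Drop SAD fields, mask PANs in all other string fields, report what changed."""
    kept, findings = {}, []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            findings.append(f"dropped SAD field '{key}'")
            continue
        masked = mask_text(value) if isinstance(value, str) else value
        if masked != value:
            findings.append(f"masked PAN in '{key}'")
        kept[key] = masked
    return kept, findings
```

Run `scrub_record(SAMPLE_RECORD)` to get the storable record and a findings list; the same scrubber can sit in front of log handlers so that PANs never reach plain-text logs.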

26 How to secure cardholder data environment?
Inspect payment terminals for tampering
- LOOK FOR OBVIOUS SIGNS of tampering, such as broken seals over access cover plates or screws, odd/different cabling, or new devices or features you don’t recognize
- KEEP A LIST of all payment terminals and take pictures (front, back, cords, and connections) so you know what they are supposed to look like
- Make sure the payment terminals are secure before you close your shop for the day, including any devices that read your customers’ payment cards or accept their personal identification numbers (PINs)
- Only allow payment terminal repairs by authorized repair personnel, and only if you are expecting them

27 How to secure cardholder data environment?
Install patches from your vendors
- ASK the vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices
- You may get patches from vendors of your payment terminal, payment applications, other payment systems (tills, cash registers, PCs, etc.) and operating systems (Android, Windows, iOS, etc.)
- MAKE SURE your vendors update your payment terminals, operating systems, etc. so they can support the latest security patches. Ask them
- Installing patches as soon as possible is very important. Also look out for patches from the payment service provider
- Ask your e-commerce hosting provider whether they patch your system (and how often). Make sure they update the operating system, e-commerce platform and/or web application so it can support the latest patches

28 How to secure cardholder data environment?
Use trusted business partners and know how to contact them
- Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers?
- Keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency
- Is your service provider adhering to PCI DSS requirements? For e-commerce merchants, it is important that your payment service provider is PCI DSS compliant as well
- Once you know who your outside providers are and what they do for you, talk to them to understand how they protect card data

29 How to secure cardholder data environment?
Protect in-house access to your card data
- Set up your system to grant access only based on a “business need-to-know.” As the owner, you have access to everything. But most employees can do their job with access only to a subset of data, applications, and functions
- LIMIT ACCESS to payment systems and unencrypted card data to only those employees that need access, and only to the data, applications and functions they need to do their jobs
- KEEP A LOG. Track all “behind the counter” visitors in your establishment. Include name, reason for visit, and name of the employee that authorized the visitor’s access. Keep the log for at least a year
- Ask your payment system vendor or service provider how to securely remove card data before selling or disposing of payment devices (so data cannot be recovered)

30 Questions?

31 THANK YOU!

32 Business risk services & cybersecurity
Contact details. For assistance and advice please contact us: 8/1 Vagharshyan str., Yerevan, 0012, Armenia. Vladislav Muradyan, Partner, Business risk services & cybersecurity. T +374 (10)
