Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by: Jeff Soukup

Published byまさとし なみこし Modified over 5 years ago

Similar presentations

Presentation on theme: "Presented by: Jeff Soukup"— Presentation transcript:

1 Presented by: Jeff Soukup
PCI DSS 101 Presented by: Jeff Soukup

2 Agenda Trustwave Corporate Profile PCI Scope
PCI DSS Makes Business Sense Compromise Statistics PCI DSS Standard Overview Resources Questions

3 Trustwave Corporate Profile

4 Mission Trustwave is committed to identifying
and protecting sensitive data in every form in every environment. Our vision is for a global community in which transactions are safe and information flows freely and securely. Changed all text to black.

5 Trustwave is an established company serving a global client base with industry-leading solutions
Founded in 1995 Approximately 425 employees in 21 locations on six continents Thousands of customers throughout the world, including 6 of the Fortune Top 10 Chicago is global HQ; London, Sydney and Sao Paolo are regional HQs Secure Operation Centers in Chicago and Warsaw Changed all text to black. Award-winning, patented security technology 2010 SC Magazine “Finalist” Encryption 2009 SC Magazine “Recommended” Managed Security Services 2009 Frost & Sullivan NAC Best Practices Forrester 9 out of 10 rating NAC solution

6 The leader in compliance and data security
MSSP with more than 1,400 devices under management Monitor more than 18 million events per day Top 10 global Certificate Authority with more than 40,000 SSL certificates issued Performed more than 2,000 network and application penetration tests Conducted more than 740 forensic investigations Benchmark work for HIPAA, GLBA, SOX, ISO series Changed all text to black. PCI DSS leader – Trustwave has certified 42 percent of PsPs; 40 percent of Payment Apps. Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)

7 PCI Scope

8 Payment Card Acceptance
The Payment Card Industry’s Data Security Standard states: PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data 8

9 Supporting the PCI Smart Program
August 19 PCI SSC The Payment Card Industry self-regulates to protect cardholder data They Payment Card Industry Security Standards Council (PCI SSC) was founded by the major card brands and is responsible for developing, communicating and maintaining industry security standards. Trustwave Confidential-Page

10 Data Supporting a Transaction
Supporting the PCI Smart Program Data Supporting a Transaction Sensitive Authentication Data** Cardholder Data PAN Cardholder Name* Expiration Date* Primary Account Number (PAN) Payment card number (credit or debit) that identifies the Issuer and the particular cardholder account. Cardholder Name Customer to whom the card is issued or individual authorized to use the card. Expiration Date Expiration dates provide another layer of fraud protection when transactions are processed manually. Magnetic Stripe Contains sensitive account information which should not be stored by a merchant’s system. There are 2 types of magnetic stripe data: Track 1 contains the cardholder’s name as well as account number and other discretionary data. Track 2 contains cardholder’s account, encrypted PIN, plus other discretionary data. Track 2 is the most common. Card Validation Value or Code The 3 digit number printed on the back of most payment cards, such as Visa, MasterCard and Discover. This number is an added security feature for card not present transactions and is not part of the regular credit card number. The following list provides the terms for each card brand: CAV Card Authentication Value (JCB) CVC Card Validation Code (MasterCard) CVV Card Verification Value (Visa and Discover) CSC Card Security Code (American Express) Note: Located on front of card, flat print. Magnetic Stripe/Track Data Track 1, Track 2 CVV Storage Permitted Protection Required Service Code* Storage NOT Permitted *These data elements must be protected if stored in conjunction with PAN . **Sensitive authentication data must NOT be stored subsequent to authorization – even if encrypted. Trustwave Confidential-Page

11 Merchant Acceptance Channels
Supporting the PCI Smart Program August 19 Merchant Acceptance Channels POS-Dial Terminal POS-IP Terminal Touch Screen & Computer E-Commerce Multiple Point of Sale (POS) Dial Terminal Point of Sale (POS) IP Terminal Touch Screen & Computer E-Commerce Multiple Trustwave Confidential-Page

12 The Mandate: Visa Merchant Levels Defined
Merchant Classification Criteria (as of July 18, 2006) 1 Any merchant -regardless of acceptance channel-that: Processes over 6 million Visa transactions per year In some cases, merchants who suffered a hack or an attack that resulted in an account data compromise Has been identified by any other payment card brand as Level 1 2 Any merchant that processes 1 million to 6 million Visa transactions, regardless of acceptance channel 3 Any merchant that processes 20,000 to 1 million Visa e-commerce transactions 4 Any merchant that processes fewer than 20,000 Visa e-commerce transactions or fewer than 1 million Visa transactions regardless of acceptance channel

13 Validation Actions Depend on Level
Merchant Level Validation Actions Validated By Deadline 1 Annual On-site PCI DSS Data Security Assessment Qualified Security Assessor 9/30/04 (Visa’s new level 1 merchants have up to one year from identification to validate) Quarterly Network Scan Approved Scanning Vendor 2 Annual PCI DSS Self-Assessment Questionnaire/Annual On-site PCI DSS Data Security Assessment Merchant/Qualified Security Assessor 6/30/05 (Visa’s new level 2 merchants have until 9/30/07)

14 Validation Actions Depend on Level (cont.)
Merchant Level Validation Actions Validated By Deadline 3 Annual PCI DSS Self-Assessment Questionnaire 6/30/05 Quarterly Network Scan Approved Scanning Vendor 4 Validation requirements and dates are determined by the merchant’s acquirer

15 Self Assessment Questionnaire (SAQ) 1.2
SAQ Version Validation Type Description of Subject Merchant SAQ 1.2 A 13 Questions 1 Card not present merchants only that outsource all parts of the credit card transaction. Data is only kept in paper reports. SAQ 1.2 B 27 Questions 2 This merchant only accepts payment cards using an imprint machine and does not keep any card data electronically. 3 Merchants who use stand alone, dial out terminal connected to a phone line or processor. Terminal has NO internet connection and no data is stored electronically. SAQ 1.2 C 41 Questions 4 Payment application is connected to the internet but is not connected to any other system w/in the network. No data is stored electronically. Service providers who connect remotely to the application are in compliance with Security Best Practices. SAQ 1.2 D 222 Questions 5 Any merchant that does not fit any of the above categories and any eligible service provider.

16 PCI DSS Makes Business Sense

17 PCI DSS Compliance: Sound Business Practice
Fundamental Best Security Practices Avoid fraud Helps to understand own system better Clarifies where data is stored Upholds Brand Name Adds value to name Increases consumer confidence Non-compliant, compromised business could expect: Damage to their brand/reputation Investigation costs Remediation costs Fines and fees

18 Supporting the PCI Smart Program
August 19 Non-Compliance Non-compliance with the PCI DSS can result in: Non-compliance fees from the Acquiring bank Fees are assessed on a regular basis, usually monthly Financial costs to reverse damages in the event of a security breach Regulatory fines and penalties in the event of a security breach Higher costs to process credit card transactions or even loss of the ability to process credit card transactions in the event of a breach Stricter compliance requirements being imposed on a merchant after a breach Trustwave Confidential-Page

19 Compromise Statistics

20 Incident Response – About the Sample Set
Header August 19 Incident Response – About the Sample Set Types of Detection Explain each: Self-Detection Public Detection Law Enforcement Regulatory Detection (#1) Regulator Detection is the most successful because they are able to correlate fraud use with common legitimate source. Trustwave Confidential-Page

21 Incident Response – About the Sample Set
Header August 19 Incident Response – About the Sample Set Industries Explain the idea of “It wont happen to me.” and “it is only an ecommmerce problem”. Non-traditional targets made up more than 50% of the 2009 cases. Trustwave Confidential-Page

22 Incident Response – About the Sample Set
Header August 19 Incident Response – About the Sample Set Company Size Rather equal distribution across various organization sizes, not much of a trend here. Trustwave Confidential-Page

23 Incident Response – Investigative Conclusions
Header August 19 Incident Response – Investigative Conclusions Types of Data at Risk Criminal want MONEY. Explain what track data is and how it is used for fraud. Explain Chip and PIN -> iCVV problem with issuers not following the rules Payment Card Data is a target for criminals looking to turn data into cash quickly. Trustwave Confidential-Page

24 Incident Response – Investigative Conclusions
Header August 19 Incident Response – Investigative Conclusions Types of Target Assets Flows from the target data Where there is data in the systems, attackers will target Explain each item: Software Ecommerce Payment Switch ATM Hardware Terminal Hacking – readers/bluetooth, GMS While many POS vendors have patched their systems to support security controls, many companies are still running very old software. Trustwave Confidential-Page

25 PCI DSS Standard Overview

26 Six Goals, Twelve Requirements
Install and maintain a firewall configuration to protect cardholder data Do not use vendor- supplied defaults for system passwords and other security parameters Build and Maintain a Secure Network Maintain a vulnerability management program Protect cardholder data

27 Six Goals, Twelve Requirements
Header August 19 Six Goals, Twelve Requirements Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Build and Maintain a Secure Network Maintain a vulnerability management program Protect cardholder data Encrypt transmission of cardholder data across open, public networks Protect stored cardholder data Trustwave Confidential-Page

28 Six Goals, Twelve Requirements
Header August 19 Six Goals, Twelve Requirements Install and maintain a firewall configuration to protect cardholder data Use and regularly update anti- virus software or programs Do not use vendor-supplied defaults for system passwords and other security parameters Develop and maintain secure systems and applications Build and Maintain a Secure Network Maintain a vulnerability management program Protect cardholder data Encrypt transmission of cardholder data across open, public networks Protect stored cardholder data Trustwave Confidential-Page

29 Six Goals, Twelve Requirements
Header August 19 Six Goals, Twelve Requirements Install and maintain a firewall configuration to protect cardholder data Use and regularly update anti- virus software or programs Do not use vendor-supplied defaults for system passwords and other security parameters Develop and maintain secure systems and applications Build and Maintain a Secure Network Maintain a vulnerability management program Implement strong access control measures Protect cardholder data Restrict access to cardholder data by business need-to-know Encrypt transmission of cardholder data across open, public networks Assign a unique ID to each person with computer access Protect stored cardholder data Restrict physical access to cardholder data Trustwave Confidential-Page

30 Six Goals, Twelve Requirements
Header August 19 Six Goals, Twelve Requirements Install and maintain a firewall configuration to protect cardholder data Track and monitor all access to network resources and cardholder data Use and regularly update anti- virus software or programs Do not use vendor-supplied defaults for system passwords and other security parameters Develop and maintain secure systems and applications Regularly test security systems and processes Build and Maintain a Secure Network Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Protect cardholder data Restrict access to cardholder data by business need-to-know Encrypt transmission of cardholder data across open, public networks Assign a unique ID to each person with computer access Protect stored cardholder data Restrict physical access to cardholder data Trustwave Confidential-Page

31 Six Goals, Twelve Requirements
Install and maintain a firewall configuration to protect cardholder data Track and monitor all access to network resources and cardholder data Use and regularly update anti- virus software or programs Do not use vendor-supplied defaults for system passwords and other security parameters Develop and maintain secure systems and applications Regularly test security systems and processes Build and Maintain a Secure Network Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy Protect cardholder data Restrict access to cardholder data by business need-to-know Encrypt transmission of cardholder data across open, public networks Maintain a policy that addresses information security for employees and contractors Assign a unique ID to each person with computer access Protect stored cardholder data Restrict physical access to cardholder data

32 Resources PCI Security Standards Council: Visa CISP: MasterCard SDP:

33 Questions?

Download ppt "Presented by: Jeff Soukup"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
National Bank of Dominica Ltd. 2011 Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.

National Bank of Dominica Ltd Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
PCI 101. Trustwave Corporate Profile Copyright Trustwave 2008 Confidential 2009 SC Magazine “Recommended” Managed Security Services Forrester 9 out of.

PCI 101. Trustwave Corporate Profile Copyright Trustwave 2008 Confidential 2009 SC Magazine “Recommended” Managed Security Services Forrester 9 out of.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Similar presentations

Ads by Google