
1 PCI 101

2 Trustwave Corporate Profile

3 Copyright Trustwave 2008 Confidential
Trustwave is an established company serving a global client base with industry-leading solutions:
– Founded in 1995
– Approximately 600 employees in 21 locations on six continents
– Chicago is global HQ; London, Sydney and São Paulo are regional HQs
– Secure Operation Centers in Chicago and Warsaw
– Award-winning, patented security technology
– Thousands of customers throughout the world, including 6 of the Fortune Top 10
Awards: 2009 SC Magazine “Recommended”, Managed Security Services; Forrester 9 out of 10 rating, NAC solution; 2010 SC Magazine “Finalist”, Encryption; 2009 Frost & Sullivan NAC Best Practices

4 The leader in compliance and data security
– Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
– MSSP with more than 1,400 devices under management
– Monitor more than 18 million events per day
– Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
– Performed more than 2,000 network and application penetration tests
– Conducted more than 740 forensic investigations
– PCI DSS leader: Trustwave has certified 42 percent of PSPs and 40 percent of Payment Apps
– Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)

5 Global Presence
Global Headquarters: Chicago, IL
EMEA Headquarters: London, UK
LAC Headquarters: São Paulo, Brazil
APAC Headquarters: Sydney, Australia
Other offices: Toronto, Canada; Bogotá, Colombia; Dallas, TX; Austin, TX; Mexico City, Mexico; Santiago, Chile; Pretoria, South Africa; Dubai, United Arab Emirates; Mumbai, India; Tokyo, Japan; Shanghai, China; Beijing, China; Rennes, France; Stockholm, Sweden; Budapest, Hungary; Kiev, Ukraine; Pittsburgh, PA; Boston, MA; Denver, CO; Warsaw, Poland; Frankfurt, Germany; Annapolis, MD; Belo Horizonte, Brazil

6 Payment Card Acceptance
The Payment Card Industry’s Data Security Standard states: PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data.

7 The Mandate: Visa Merchant Levels Defined
Merchant classification criteria (as of July 18, 2006):
Level 1: Any merchant, regardless of acceptance channel, that processes over 6 million Visa transactions per year; in some cases, merchants who suffered a hack or an attack that resulted in an account data compromise; or any merchant identified by any other payment card brand as Level 1.
Level 2: Any merchant that processes 1 million to 6 million Visa transactions, regardless of acceptance channel.
Level 3: Any merchant that processes 20,000 to 1 million Visa e-commerce transactions.
Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions, or fewer than 1 million Visa transactions regardless of acceptance channel.

8 Validation Actions Depend on Level
Level 1:
– Annual On-site PCI DSS Data Security Assessment, validated by a Qualified Security Assessor; deadline 9/30/04 (Visa’s new Level 1 merchants have up to one year from identification to validate)
– Quarterly Network Scan, validated by an Approved Scanning Vendor
Level 2:
– Annual PCI DSS Self-Assessment Questionnaire or Annual On-site PCI DSS Data Security Assessment, validated by the Merchant or a Qualified Security Assessor; deadline 6/30/05 (Visa’s new Level 2 merchants have until 9/30/07)
– Quarterly Network Scan, validated by an Approved Scanning Vendor

9 Validation Actions Depend on Level (cont.)
Level 3:
– Annual PCI DSS Self-Assessment Questionnaire, validated by the Merchant; deadline 6/30/05
– Quarterly Network Scan, validated by an Approved Scanning Vendor
Level 4:
– Annual PCI DSS Self-Assessment Questionnaire, validated by the Merchant; validation requirements and dates are determined by the merchant’s acquirer
– Quarterly Network Scan, validated by an Approved Scanning Vendor

10 PCI DSS Standard Overview

11 Six Goals, Twelve Requirements
Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect cardholder data
– Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
– Protect stored cardholder data
– Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software or programs
– Develop and maintain secure systems and applications
Implement Strong Access Control Measures
– Restrict access to cardholder data by business need-to-know
– Assign a unique ID to each person with computer access
– Restrict physical access to cardholder data
Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data
– Regularly test security systems and processes
Maintain an Information Security Policy
– Maintain a policy that addresses information security for employees and contractors

12 Top PCI DSS Violations
Violations found in incident response investigations in 2009:
– Requirement 1: Install and maintain a firewall to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults
– Requirement 3: Protect stored data
– Requirement 6: Develop and maintain secure systems and applications
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 10: Track and monitor access to network and card data
– Requirement 11: Regularly test security systems and processes
– Requirement 12: Maintain a policy that addresses information security

13 Self Assessment Questionnaire (SAQ) 1.2
SAQ version, validation type, and description of subject merchant:
– SAQ 1.2 A (13 questions), validation type 1: Card-not-present merchants only that outsource all parts of the credit card transaction. Data is only kept in paper reports.
– SAQ 1.2 B (27 questions), validation type 2: This merchant only accepts payment cards using an imprint machine and does not keep any card data electronically.
– SAQ 1.2 B (27 questions), validation type 3: Merchants who use a stand-alone, dial-out terminal connected to a phone line or processor. The terminal has NO internet connection and no data is stored electronically.
– SAQ 1.2 C (41 questions), validation type 4: The payment application is connected to the internet but is not connected to any other system within the network. No data is stored electronically. Service providers who connect remotely to the application are in compliance with Security Best Practices.
– SAQ 1.2 D (222 questions), validation type 5: Any merchant that does not fit any of the above categories, and any eligible service provider.

14 Resources
– PCI Security Standards Council: https://www.pcisecuritystandards.org/index.shtml
– Visa CISP: http://www.visa.com/cisp
– MasterCard SDP: http://www.mastercard.com/sdp

15 Program Features and Value Proposition
– PCI Assistant
– External Vulnerability Scans
– PCI Wizard
– Robust Educational Tools
– Security Policy Advisor
– Security Awareness Training
– 24/7/365 Help Desk
– Customer Webinars
– Merchant Reporting

16 TrustKeeper
TrustKeeper is Trustwave's compliance portal that merchants will use to manage, track and validate their compliance status. TrustKeeper is the leading portal used by acquiring banks to monitor PCI DSS compliance status among merchants. TrustKeeper offers easy-to-use vulnerability assessment and management services to help merchants meet all their PCI DSS compliance requirements.

17 TrustKeeper Agent
TrustKeeper Agent is an optional component of TrustKeeper that installs on Windows PCs or PC-based payment terminals. TrustKeeper Agent:
– Assists with setting up and managing vulnerability scans
– Collects information needed to answer technical system questions and reports back to TrustKeeper
– Monitors systems to ensure the security and data storage settings meet the requirements of the PCI DSS
– Provides information for summarized and detailed reports in TrustKeeper

18 Welcome Splash Page

19 PCI Wizard Choice

20 PCI Wizard for a Dial-up Merchant

21 Questions and Help Text: How Do I Choose?

22 Resolve Issues with Remediation Advice

23 Pre-Filled SAQ for Merchant Review

24 Certificate of Compliance

25 TrustKeeper’s Security Policy Advisor

26 Security Awareness Training

27 TrustKeeper Agent
