Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.

Published byDominick Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0."— Presentation transcript:

1 PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0

2 INTRODUCTIONS PCI 3.0 Boot Camp - March 20152

3 PURPOSE Why am I here? PCI 3.0 Boot Camp - March 20153

4 Changes in SAQs Added two new SAQs A-EP – merchants whose payment page begins at their website or who have some control over the payment page B-IP – merchants using stand-alone credit card terminals via Internet SAQ B, C and C-VT all specifically state they cannot be used if merchant uses ecommerce channels PCI 3.0 Boot Camp - March 20154

5 Trustwave Portal Answering Multiple SAQs Merchants accepting in more than one environment will answer an SAQ to address each environment. Cash Management will open additional Trustwave account for each “hybrid” merchant. The new account will address the lesser involved SAQ (A, A-EP or B) Merchants have the option to terminate the activity related to multiple payment channel PCI 3.0 Boot Camp - March 20155

6 UPDATES TO REQUIREMENTS PCI 3.0 Boot Camp - March 20156

7 Penetration Testing What? An attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data (Short form known as a Pen Test) Do I need one? PCI 3.0 Boot Camp - March 2015

8 Anti-Virus Updates Requirement #5 Clarified Requirement – Protect all systems against malware New Requirements – Evaluate evolving malware threats – Anti-Virus solutions actively run, used, and managed – Must be logged in accordance with req. 10 How to Implement Change – Build into computer imaging and deployment process – Use centrally managed tools, Like LANDesk, where available – Work with technical contact to come up with a process – HUIT IT Security and Support Services are there to help PCI 3.0 Boot Camp - March 20158

9 Log Review Updates Requirement #10 Clarified Requirements – Granular audit trails linking users to system actions – What access is logged – Log all sec events & system components that deal with CHD – Log review – Store logs for at least one year How to Implement Change – Build into computer imaging and deployment process – Use central logging server where available (Splunk in the FAS) – Work with technical contact to come up with process – HUIT IT Support Services and Info Sec can help PCI 3.0 Boot Camp - March 20159

10 Cardholder Data Requirement #3 Clarified Requirements – Handling of sensitive authentication data – Logical access for disk encryption – Key management procedures How to Implement Change – Limit cardholder storage and retention time. Purge at least quarterly – Do not store sensitive authentication data – Render PAN unreadable – Document and implement procedures to protect encryption keys – Document and implement key management processes and procedures for encrypting cardholder data PCI 3.0 Boot Camp - March 201510

11 Point of Sale Devices Requirement #9 New Requirement – Protect devices from tampering or substitution – Maintain list of devices and inspect periodically – Train personnel to be aware of suspicious behavior and to report tampering of devices How to Implement Change – Place sticker on side/joint of terminal – Request new or replacement terminals from Cash Management for inventory control – Provide employee training to address suspicious behavior or tampering of devices PCI 3.0 Boot Camp - March 201511

12 Service Providers Requirement #12 New Requirement – Document which PCI DSS requirements are managed by each service provider, and which are managed by merchant. – Service providers provide the written acknowledgement to their customers of services provided and security of card data. How to Implement Change – Incorporate delineation of responsibilities within service agreement (eg., application updates) – All service providers must include Harvard PCI Rider and HRCI Rider in Service Agreement – Service Providers must submit Attestation of Compliance from QSA PCI 3.0 Boot Camp - March 201512

13 MORE INFORMATION PCI 3.0 Boot Camp - March 201513

14 Resources – https://www.pcisecuritystandards.org/merchants/index.php https://www.pcisecuritystandards.org/merchants/index.php – SAQs https://www.pcisecuritystandards.org/security_standards/d ocuments.php?category=saqs https://www.pcisecuritystandards.org/security_standards/d ocuments.php?category=saqs – Harvard Support/Questions pci_compliance@harvard.edu – Trustwave QSA – Cash Management will arrange teleconference – otm.finance.harvard.edu otm.finance.harvard.edu PCI 3.0 Boot Camp - March 201514

Download ppt "PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Troy Leach April 2012 The PCI Security Standards Council.

Troy Leach April 2012 The PCI Security Standards Council.
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?

C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
PCI DSS Version 3.0 For Controllers and Business Users Luke Harris, Office of State the Controller David Reavis, UNC General Administration November 10,

PCI DSS Version 3.0 For Controllers and Business Users Luke Harris, Office of State the Controller David Reavis, UNC General Administration November 10,
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Security Controls – What Works

Security Controls – What Works
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.

Similar presentations

Ads by Google