Embed Size (px)
Citation preview
Introduction
To Plastic Card Industry (PCI)
Data Security Standards (DSS)
April 28,2012
Cathy Pettis, SVP
ICUL Service Corporation
PCI Background
• PCI-DSS developed:– Encourage and enhance cardholder data
security– Facilitate adoption of consistent data security
measures globally– Provide a baseline of Operational and Technical
requiremeents to protect data
Who does PCI-DSS Apply TO
• To ALL entities involved in Payment Card Processing– Merchants– Acquirers– Processors– Issuers– Service Providers
The Question is
• Do you STORE
• PROCESS
• Or TRANSMIT
• Cardholder Data?????
The Answer
• YES, if• Store Cardholder Reports• Card Data Module on your Data Processing
System• Process Card Files- Post Transactions Batch
or On-line-ATM, Debit, Credit• Transmit Files-PBF, Card Issuance, Online
Authorizations
What are the Requirements
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
Build and Maintain a Secure Network
• 1. Install and maintain a firewall configuration to maintain data
• 2. Do not uses vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• 3. Protect stored cardholder data
• 4. Encrypt transmission of cardholder data across open,public networks
Maintain a Vulnerability Management Program
• 5. Use and regularly update anti-virus software and programs
• 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• 7. Restrict access to cardholder data and business NEED TO KNOW
• 8. Assign a unique ID to each person with computer and data access
• 9 Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• 10. Track and Monitor all access to network resources and cardholder data
• 11. Regularly test security systems and processes
Maintain an Information Security Policy
• 12. Maintain a policy that addresses information security for all personnel
Requirements---Easy
• There are ONLY 12
PCI DSS Applicability
• Wherever account data is stored,processed or transmitted????
• Account data is Cardholder Data PLUS sensitive Authentication Data:– Cardholder Data- Primary Account Number
PAN– Cardholder Name– Expiration Date and Service Code
Applicability Information cont’d
• Sensitive Authentication Data includes:– Full magnetic stripe data or equivalent on a
chip– CAV2/CVC2/CVV2/CID– PINs/PIN Blocks
Here’s THE Test
Is Storage Permitted
• PAN Yes
• Cardholder Name Yes
• Service Code Yes
• Expiration Date Yes
• Full Magnetic Stripe Data No
• CVV/CVC/CAV/CID No
• PIN/PIN Block No
If YES, now what?
• Stored data MUST be unreadable
• PAN YES
• Cardholder Name No
• Service Code No
• Expiration Date No
• Sensitive Authentication Data Cannot be stored period
What Next
• Perform a Risk Assessment• Know what data you have, who has access
and what you do with it• Know how your network is secured• Establish an Information Security Policy
and Standards Document• Engage the Board of Directors, Internal
Auditor, External Auditor
What Next cont’d
• Make a Plan to become PCI Compliant
• Engage the services of a Qualified System Assessor (QSA)
• Validate your data providers are PCI Certified
Next
• Security Physical and Data is everyone’s responsibility
• Take it seriously and protect your member cardholder data
Questions???
