PCI Data Security Standards information for Merchants by Evolution Security Systems


Page 1: Evolution Pci For Pod1

PCI Data Security Standards information for Merchants

by Evolution Security Systems

Page 2: Evolution Pci For Pod1

Our Clients

Page 3: Evolution Pci For Pod1

Background of PCI

Page 4: Evolution Pci For Pod1

In 2006, data on 40 million credit cards was compromised in breaches at third-party payment processors.

Page 5: Evolution Pci For Pod1

PCI DSS is a joint effort by Visa, MasterCard, American Express, Discover and JCB.

PCI applies to all merchants and service providers that process, transmit, or store credit card information.

The standard is enforced by the card companies and acquirer banks.

Page 6: Evolution Pci For Pod1

When Should I Act?

“All Deadlines had Passed”

Bob Russo, Director, PCI Security Standards Council

Page 7: Evolution Pci For Pod1

The Pressure is Here…

Recently Visa has issued letters to service providers demanding that they be compliant and certified by as early as June 2008.

This is a long-awaited final call to the industry. There are no more excuses such as “I don’t know” or “PCI has nothing to do with my organization”.

Page 8: Evolution Pci For Pod1

12 Key Requirements of PCI

Page 9: Evolution Pci For Pod1

12 Key Requirements for All Organizations

Protect Cardholder Data

1. Protect stored data (in both hardcopy and electronic copy)

2. Encrypt transmissions of cardholder data (electronic copy)

Implement Strong Access Control Measures

3. Restrict access by need-to-know

4. Assign unique IDs to all users

5. Restrict physical access to cardholder data (hardcopy)

Regularly Monitor and Test Networks

6. Track and monitor access to cardholder data

7. Regularly test security systems and processes

Maintain an Information Security Policy

8. Maintain an information security policy

Build and Maintain a Secure Network

9. Install and maintain a firewall

10. Do not use vendor default passwords

Maintain a Vulnerability Management Program

11. Use and update antivirus software

12. Develop and maintain secure systems and applications

Page 10: Evolution Pci For Pod1

Guidelines for Credit Card Data Storage

| Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 |
|---|---|---|---|
| Cardholder Data (in both hardcopy and electronic copy) | | | |
| Primary Account Number (PAN) | Yes | Yes | Yes |
| Cardholder Name | Yes | Yes | No |
| Service Code | Yes | Yes | No |
| Expiration Date | Yes | Yes | No |
| Sensitive Authentication Data | | | |
| Full Magnetic Stripe | No | N/A | N/A |
| CVC2 / CVV2 / CID | No | N/A | N/A |
| PIN / PIN Block | No | N/A | N/A |
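The storage table above is the part of the deck a developer most often has to turn into code. The following is an added example, not code from the Evolution Security Systems presentation: a small storage-policy filter that encodes the table (cardholder data may be stored but must be protected, the PAN must additionally be rendered unreadable under Requirement 3.4, and sensitive authentication data must never be stored). The function names, the record field names and the sample card number are assumptions constructed for the example; the PAN is rendered unreadable here by keeping only the last four digits plus a keyed hash, which is one of the methods Requirement 3.4 allows.

```python
"""Storage-policy filter for the cardholder data table (added example).

Field names (pan, cvv2, ...) and function names are assumptions for this
example; they are not part of the deck or of any PCI SSC document.
"""
import hashlib
import hmac
import re

# One row of the table per field:
#   (storage permitted, protection required, Req. 3.4 applies)
STORAGE_POLICY = {
    "pan":             (True,  True,  True),   # Primary Account Number
    "cardholder_name": (True,  True,  False),
    "service_code":    (True,  True,  False),
    "expiration_date": (True,  True,  False),
    "full_track":      (False, None,  None),   # full magnetic stripe
    "cvv2":            (False, None,  None),   # CVC2 / CVV2 / CID
    "pin_block":       (False, None,  None),   # PIN / PIN block
}


class SensitiveDataNotStorable(ValueError):
    """Raised when a record carries data the table says may never be stored."""


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; catches typos before a PAN is hashed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def render_pan_unreadable(pan: str, key: bytes) -> dict:
    """Requirement 3.4-style protection for a stored PAN.

    Keeps only the last four digits in the clear plus a keyed hash
    (HMAC-SHA-256) that can be used to match repeat cards. A keyed hash is
    used rather than a bare SHA-256 because the space of valid PANs is small
    enough to enumerate against an unkeyed digest. The full PAN is discarded.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return {
        "pan_last4": digits[-4:],
        "pan_hmac": hmac.new(key, digits.encode(), hashlib.sha256).hexdigest(),
    }


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Apply the table to a transaction record before it is persisted.

    Sensitive authentication data raises; fields with no policy row raise too,
    so an unexpected field fails closed instead of being stored silently.
    """
    stored = {}
    for field, value in record.items():
        if field not in STORAGE_POLICY:
            raise ValueError(f"no storage policy defined for field {field!r}")
        permitted, _protect, req34 = STORAGE_POLICY[field]
        if not permitted:
            raise SensitiveDataNotStorable(f"{field!r} must never be stored")
        if req34:
            stored.update(render_pan_unreadable(value, key))
        else:
            stored[field] = value
    return stored


if __name__ == "__main__":
    # Constructed sample record; the key would come from a key-management
    # system in a real deployment (Requirement 3 also covers key handling).
    demo_key = b"example-key-not-for-production"
    print(prepare_for_storage(
        {"pan": "4111 1111 1111 1111", "cardholder_name": "J DOE",
         "expiration_date": "12/29"},
        demo_key,
    ))
```

The "protection required" column is deliberately not modelled beyond the PAN transformation: for the other cardholder data elements it means access control and encryption of the store, which belong in the database and key-management layer rather than in a record filter.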

Page 11: Evolution Pci For Pod1

What if I am not compliant?

Page 12: Evolution Pci For Pod1

What if my business is not PCI compliant?

• In case of compromise, your business is at risk of potential financial liabilities (including the full cost of any fraud perpetrated on compromised card accounts)

• In addition, your business may have to bear investigative and legal costs, as well as charges to re-issue compromised credit cards

• Invasive media attention could cause significant damage to the image of your business

• In some cases, a single compromise can cause enough damage to close down a business

PCI DSS protects cardholders and minimises the risk to your business

Page 13: Evolution Pci For Pod1

By being PCI Compliant

• A compromise is less likely to happen

• You obtain “Safe Harbor” status: credit card companies will not levy compromise fees if it is confirmed that the organisation was PCI compliant at the time of compromise

• Easily identify any risks in the way you store or transmit customer data

• Provide a clear path of action and remediation to address any data security risks

• Ensure that your service providers do not put your business at risk

• Demonstrate to your customers that you are serious about their data

• Most importantly, as a merchant, PCI compliance is compulsory

Page 14: Evolution Pci For Pod1

What should I do?

Page 15: Evolution Pci For Pod1

Merchant Levels

| Level | Criteria | Validation requirements |
|---|---|---|
| 1 | Processing over 6,000,000 transactions annually, OR merchants that the card company determines should meet the Level 1 merchant requirements | • Annual onsite assessment by QSA • Quarterly network scan by ASV • Self-Assessment Questionnaire (optional) |
| 2 | Processing 1,000,000 to 6,000,000 transactions annually | • Annual Self-Assessment Questionnaire • Quarterly network scan by ASV • Annual onsite review (optional) |
| 3 | Processing 20,000 to 1,000,000 e-commerce transactions annually | • Annual Self-Assessment Questionnaire • Quarterly network scan by ASV |
| 4 | Others | • Annual Self-Assessment Questionnaire • Quarterly network scan by ASV (if applicable) |

Page 16: Evolution Pci For Pod1

6-Step PCI Compliance Process

Step 1: Define which merchant level your business belongs to

Step 2: Map out the data flows in your business

Step 3: Conduct a gap analysis and scope the project

Step 4: Plan and implement remediation

Step 5: Obtain certification

Step 6: Stay compliant

Page 17: Evolution Pci For Pod1

Evolution’s Full PCI Cycle

• Seeking assistance from QSA and consultants

• Conducting gap analysis

• Prioritizing remediation

• Implementing changes & safeguards

• Maintaining compliance

Page 18: Evolution Pci For Pod1

Summary

Page 19: Evolution Pci For Pod1

Work…

• Scanning the networks involved in credit card transaction processing

• On-site audit and interview sessions

• Review of all related agreements with third parties on credit card information handling

• Review of all related procedure documents and policies

Page 20: Evolution Pci For Pod1

Remember…

• All merchants must comply with PCI DSS, regardless of size. The only difference is the type of validation required

• All deadlines have passed. All parties that process credit card data must comply now.

• A single compromise can cause significant damage to your company, or even put you out of business

• Evolution provides a full cycle of PCI QSA services, helping you understand, assess, remediate, obtain certification, and stay compliant

Page 21: Evolution Pci For Pod1

Questions and Answers

For more information, visit http://pci.evolve-online.com