A presentation from Stephen O’Boyle, Head of Consultancy at Espion, on PCI DSS in retail: now and into the future.
For more information visit www.espiongroup.com
PCI DSS in Retail: Now and into the Future
Presenter: Stephen O’Boyle, Head of Consultancy
© Espion Sept 2013
Agenda
1. Current PCI process
   – Challenges for
     • Small retailers
     • Large retailers
2. Point to Point Encryption (P2PE)
3. PCI DSS v3 Highlights
   – Clarification
   – Additional Guidance
   – Evolving Requirement
4. Summary
Current PCI process
• PCI Standards - strong framework for protecting payment card data
• Principles apply to various environments and industry verticals including small to large retailers
  – Cardholder data is processed, stored, or transmitted
• Size & type of business will determine the specific compliance requirements that must be met
• Enforcement and fines managed by payment brands / acquirers
  – Not the PCI Council
Challenges
• Small Retailers
  – Awareness of compliance requirements
  – Implications of non-compliance
    • Fines, reputational damage
  – Identifying correct scope
  – Performing a self assessment to the appropriate SAQ
Challenges
• Large Retailers
  – Identifying scope
  – Staff awareness
  – Annual audits / SAQ
  – Maintaining compliance
  – P2PE
Point to Point Encryption
• Point-to-Point Encryption (P2P Encryption) designed to
  – Reduce PCI DSS scope
  – Protect cardholder data throughout the electronic payment processing cycle
• Protects data as soon as it is collected from a card swipe until the payment settlement process is complete
• Sometimes referred to as End-to-End Encryption
• “...remember, no silver bullet to securing a payment environment,” said Bob Russo, general manager, PCI SSC
  – “Implementing one of these technologies will not automatically make you compliant with the PCI DSS”.
Point to Point Encryption
• Guidance produced on P2PE; a compliant solution qualifies for reduced scope. Guidance also states:
  – P2PE solutions do not eliminate the need to maintain PCI DSS compliance for specific systems
  – Recognizes the need for a set of criteria to validate the effectiveness of P2PE solutions so that merchants can have confidence that the solution they deploy properly secures cardholder data
• Previously no global standardization of point-to-point encryption technology or validation of its implementation existed in the industry.
PCI DSS v3 – Change Highlights
• Types of changes to the Standards are categorized as follows:
  1. Clarification
  2. Additional Guidance
  3. Evolving Requirement
Clarification - PCI DSS v3
• Enhanced testing procedures to clarify the level of validation expected for each requirement
  – To put more emphasis on the quality and consistency of assessments.
• Clarified that sensitive authentication data must not be stored after authorization even if PAN is not present
  – To ensure better understanding of protection of sensitive authentication data.
• Clarified the intent and scope of daily log reviews
  – To help entities focus log-review efforts on identifying suspicious activity and allow flexibility for review of less-critical log events, as defined by the entity’s
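The two clarifications above (no sensitive authentication data retained after authorization, and log reviews aimed at spotting problems) invite a simple check a retailer can run: scan stored logs for card data that should not be there. The scanner below is an added example written for this page, not material from the presentation or from Espion. Its log lines are constructed, and the patterns are simplified (the ISO 7813 track 2 layout for full track data, and 13 to 19 digit runs filtered with a Luhn check for bare PANs), so a real deployment would tune them to its own log formats.

```python
import re

# Constructed sample log lines (made up for this example, not from the
# presentation). Line 2 shows a debug statement that leaked full track 2 data,
# line 3 a PAN written in clear, line 4 a request id that merely looks like one.
SAMPLE_LOG = [
    "2013-09-01 10:00:01 POS-07 auth ok txn=4421 amount=19.99",
    "2013-09-01 10:00:02 POS-07 debug track2=;4111111111111111=2512101123400001?",
    "2013-09-01 10:00:05 POS-03 auth ok pan=5555555555554444 amount=4.50",
    "2013-09-01 10:00:09 POS-03 debug request_id=1234567890123456",
    "2013-09-01 10:01:00 POS-07 auth ok txn=4422 amount=7.25",
]

# ISO 7813 track 2: ';' PAN '=' expiry(YYMM) service-code(3) discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A 13-19 digit run not embedded in a longer run of digits; Luhn filters noise.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits, which PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return findings for one log line: track 2 data first, then bare PANs."""
    findings = []

    def on_track2(m):
        pan = m.group(1)
        findings.append({"kind": "track2", "pan": mask_pan(pan), "luhn": luhn_ok(pan)})
        return "<track2-removed>"   # so the PAN inside is not reported twice

    rest = TRACK2_RE.sub(on_track2, line)
    for m in PAN_RE.finditer(rest):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"kind": "pan", "pan": mask_pan(pan), "luhn": True})
    return findings


def scan_log(lines):
    """Scan every line and tag each finding with its 1-based line number."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        for f in scan_line(line):
            f["line"] = lineno
            report.append(f)
    return report


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['pan']}")
```

Track 2 hits are the serious finding: full track data is sensitive authentication data and may never be kept after authorization. Bare PAN hits are only acceptable where that storage is in scope and the PAN is protected as PCI DSS requires. The Luhn filter drops most sixteen-digit identifiers that merely look like card numbers, as the request_id line shows.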
Additional Guidance - PCI DSS v3
• Added guidance for all requirements with content from the former Navigating PCI DSS Guide
  – To assist understanding of security objectives and intent of each requirement
• Added guidance for implementing security into business-as-usual (BAU) activities and best practices for maintaining on-going PCI DSS compliance
  – To address compromises where the organization had been PCI DSS compliant but did not maintain that status.
  – Recommends focus on helping organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.
Evolving Requirement - PCI DSS v3
• Update list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc., for inclusion in secure coding practices
  – To keep current with emerging threats
• Evaluate evolving malware threats for systems not commonly affected by malware
  – To promote on-going awareness and due diligence to protect systems from malware
Summary
• Current PCI process
• Point to Point Encryption (P2PE)
• Highlights of changes in PCI DSS v3
Questions
???
Contact: [email protected]
About Espion
Expertise, Innovation & IP
• Information Risk, Security & Compliance
• Digital Investigations & Litigation Support
• Insight, Intelligence & Control
• Technology & Product Distribution
• Knowledge Transfer and Certification
About Espion
Seven locations and growing.
About Espion
57 consultants and hiring.
About Espion
Highly qualified and continuously developing.
About Espion
A culture of achieving.