PCI DSS v3: Protecting Cardholder Data


Agenda

• PCI DSS v3: An Overview
• PCI DSS: How is it different from other similar standards?
• PCI DSS vs ISO 27001
• Protecting cardholder data through PCI DSS v3
• Common myths regarding PCI DSS
• Security vs Compliance

PCI DSS: An Overview

1. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that:

• Process,
• Store or
• Transmit

credit card information "maintain a secure environment".

2. The PCI DSS is administered and managed by the PCI SSC, the Payment Card Industry Security Standards Council (www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

PCI DSS: Why has it become important?

• Number of card transactions: 10,000 per second
• Number of non-cash payments (as of 2013): 333 billion (card payments: 181 billion)
• If all 7 billion people on the planet had a card, each would have used it at least 19 times.

PCI DSS: Card Details

• Primary Account Number (PAN)
• Hologram
• Cardholder name
• Expiry date
• Payment brand logo
• EMV chip

PCI DSS: 3-year update cycle

PCI DSS: Which entities are at play?

Payment Brands

Banks

Merchants

Service Providers

PCI DSS: What are card-present transactions?

PCI DSS: What are card-not-present transactions?

PCI DSS: What card details can / can't be stored
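The slide above lists which card details may and may not be stored, but its content (an image) was not captured in this extract. The rule comes from PCI DSS v3 Requirement 3: sensitive authentication data (full track data, CAV2/CVC2/CVV2/CID, PIN/PIN block) must never be stored after authorisation; the PAN may be stored only if rendered unreadable (one-way hash of the entire PAN using strong cryptography, truncation, index tokens, or strong encryption with proper key management) and, when displayed, masked to at most the first six and last four digits; cardholder name, expiry date and service code may be stored. The Python script below is an added example, not part of the deck, showing one way to apply those rules to an authorisation message before it is persisted. The field names, the sample message (which uses a well-known test PAN) and the in-memory HMAC key are constructed for illustration; in production the key would come from the key-management process that Requirements 3.5 and 3.6 describe.

```python
"""Added example (not from the deck): shaping an authorisation message into a
record that PCI DSS v3 Requirement 3 permits to be stored.

  Req 3.2  never store sensitive authentication data (SAD) after authorisation
  Req 3.3  mask the PAN when displayed: at most first six and last four digits
  Req 3.4  render the PAN unreadable wherever it is stored
"""
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample of what a checkout or POS might hand to a storage layer.
# The PAN is a well-known test number, not a real account.
SAMPLE_AUTH_MESSAGE = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "J. DOE",
    "expiry": "12/26",
    "service_code": "201",
    "cvv2": "123",                             # SAD: must not survive authorisation
    "track2": "4111111111111111=2612201...",  # SAD
    "pin_block": "A1B2C3D4E5F60708",          # SAD
    "amount": "42.00",
}

# Req 3.2: field names (assumed for this example) that carry SAD.
SENSITIVE_AUTH_DATA = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}

# Assumed: in production this key is supplied by the key-management process
# (Req 3.5 / 3.6), never generated or embedded in application code.
HASH_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: rejects obviously malformed PANs before any storage."""
    digits = [int(d) for d in pan]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces and dashes; fail closed on anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Req 3.3 display form: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Req 3.4 truncation: keep only the last four digits; not reversible."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Req 3.4 one-way hash of the entire PAN. A keyed hash is used because, once
    the six-digit BIN is known, only about a billion 16-digit PANs remain, so an
    unkeyed SHA-256 of a PAN can be brute-forced into a lookup table."""
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def to_storable_record(msg: dict, key: bytes = HASH_KEY) -> dict:
    """Post-authorisation record: SAD dropped, PAN kept only in unreadable forms,
    permitted fields (name, expiry, service code) carried through unchanged."""
    pan = normalise_pan(msg["pan"])
    record = {k: v for k, v in msg.items() if k not in SENSITIVE_AUTH_DATA and k != "pan"}
    record["pan_masked"] = mask_pan(pan)
    record["pan_last4"] = truncate_pan(pan)
    record["pan_hmac"] = hash_pan(pan, key)
    return record


def contains_unprotected_pan(record: dict) -> bool:
    """Gate before persisting: true if any SAD field survived or any value still
    holds a 13-19 digit Luhn-valid number (the check a PAN-discovery scan performs)."""
    if SENSITIVE_AUTH_DATA & set(record):
        return True
    for value in record.values():
        for candidate in re.findall(r"\d(?:[\s-]?\d){12,18}", str(value)):
            if luhn_valid(re.sub(r"[\s-]", "", candidate)):
                return True
    return False


if __name__ == "__main__":
    stored = to_storable_record(SAMPLE_AUTH_MESSAGE)
    assert not contains_unprotected_pan(stored)
    for field, value in stored.items():
        print(f"{field:17s} {value}")
```

Run the script directly to print the storable record. `contains_unprotected_pan` is the last gate before anything is written and is also the shape of the scan a QSA runs across log files and databases when scoping an assessment, so the same false-positive trap applies: a hex-encoded hash can contain a long digit run, which is why the HMAC here is stored base64-encoded.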

PCI DSS: Path to Certification

PCI DSS vs ISO 27001

Just for clarity

FEATURES               | PCI DSS                  | ISO 27001:2013
-----------------------|--------------------------|----------------------
Compliance Mandates    | Compliance Mandatory     | Compliance Voluntary
Company Scope          | Functioning Levels       | Overall Company
Degree of Compliance   | Must Meet All Standards  | Standards Voluntary
Separation of Systems  | High                     | Low
Degree of Flexibility  | Low                      | High

PCI DSS vs ISO 27001

Is it a good idea to have both?

• ISO 27001 is an overall standard that companies use to build and certify an information security management system (ISMS).

• PCI DSS is a more standardized and prescriptive subset of information security management that pertains specifically to cardholder data.

• PCI DSS compliance can be carried as part of an overall ISO 27001 programme if a company needs to meet both standards.

Common Myths regarding PCI DSS

• One vendor and product will make us compliant
• Outsourcing card processing makes us compliant
• PCI DSS compliance is an IT project
• PCI DSS will make us secure
• PCI DSS is unreasonable; it requires too much
• PCI DSS requires us to hire a Qualified Security Assessor
• We don't take enough credit cards to be compliant
• We completed a SAQ so we're compliant
• PCI DSS makes us store cardholder data
• PCI DSS is too hard

Useful Links for PCI DSS

• https://www.pcisecuritystandards.org/security_standards/documents.php
• http://www.beyondsecurity.com/pci_compliance.html
• https://www.pcicomplianceguide.org/pci-faqs-2/

The way to see it:

The cost of PCI DSS compliance can be read as costs saved in fines, legal fees, decreases in stock equity and, especially, lost business.

THANK YOU !!

- Manasdeep