PCI-DSS
INTRODUCTION
Nguyen Ngo, Ninh Dang
Agenda
PCI-DSS Fundamental
  - What is PCI-DSS
  - Why are the PCI Security Standards Important?
  - Key Definitions
  - PCI Standards Boundary
  - Recommended Understanding
Instruction
  - Determine PCI-Level
  - Validate Requirement
  - Choose SAQ
Implementation
  - Principles
  - PCI-DSS Requirements
  - PA-DSS Requirements
  - Self Assessment Questionnaire
  - Report
PCI-DSS Fundamental

Payment Card Data Issues (diagram slide)
What is PCI?
PCI stands for the Payment Card Industry and is used to refer to:

- The PCI Security Standards Council™ (PCI SSC), an industry body founded by the major card brands to protect cardholder data. (Founders' logos are shown on the slide.)
- The global security standards created and maintained by the PCI SSC to protect cardholder payment data.

Key Learning Point: Compliance with the PCI Security Standards is mandatory for merchants and their service providers, and is enforced by the major card brands who established the PCI SSC.
What is PCI DSS?

"The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information… the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents."

– PCI Standards Council –
Why are the PCI Security Standards Important?
The Standards are important because they protect cardholder data in order to help prevent data compromises and subsequent fraud activity:

- Customers expect merchants and their acquirers to keep their card account data safe.
- Data compromises can result in significant fines and losses for merchants and can damage the merchant's reputation with customers.
- The number of data compromise incidents is increasing annually – organized criminal enterprises are targeting vulnerable merchants.
PCI-DSS Object
Key Definitions
Data definitions

- Cardholder data: PAN (Primary Account Number), Cardholder Name, Service Code, Expiration Date.
- Sensitive authentication data: Full Magnetic Stripe Data, CVV, PIN (Personal Identification Number).

Keywords

- PCI-DSS: Payment Card Industry Data Security Standard
- PA-DSS: Payment Application Data Security Standard
- PTS: PIN Transaction Security
- QSA: Qualified Security Assessor
- SAQ: Self Assessment Questionnaire
- ASV: Approved Scanning Vendor
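The data definitions above split card data into two classes with different handling rules: cardholder data may be stored if it is protected (PCI DSS Requirement 3 later in this deck), while sensitive authentication data must never be retained (PA-DSS Requirement 1). As an added example, not from the slides, the Python below applies that split to a captured authorization record and then scans constructed application log lines for unmasked PANs and for sensitive-authentication field names. The field names, the first-six/last-four masking format, the log line format and the card numbers (the public Visa and Mastercard test numbers) are all assumptions made for this example.

```python
"""Classify and sanitize card data along the slides' two data categories.

Added example, not from the slides: field names, masking format and the
sample record/log lines are constructed here. Card numbers are the public
Visa/Mastercard test numbers, not real accounts.
"""
import re

# Data categories as the slides define them (constructed field names).
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
SENSITIVE_AUTH_DATA = {"track_data", "cvv", "pin"}   # never stored after authorization


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: real PANs pass it, so it filters random digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (assumed masking format)."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Return only what may be stored: SAD dropped, PAN masked, other CHD kept."""
    stored = {}
    for key, value in record.items():
        if key in SENSITIVE_AUTH_DATA:
            continue                          # PA-DSS Req. 1: never retain
        if key == "pan":
            stored[key] = mask_pan(value)     # PCI DSS Req. 3: protect stored CHD
        elif key in CARDHOLDER_DATA:
            stored[key] = value
        # unknown fields are dropped rather than persisted by accident
    return stored


# 13-19 digit runs with optional single space/dash separators, not inside a longer run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# Key names that indicate SAD leaking into logs (constructed list).
SAD_KEY_PATTERN = re.compile(r"\b(?:cvv2?|cvc2?|cid|pin|track[12]?)=", re.IGNORECASE)


def find_unmasked_pans(line: str) -> list:
    """Digit runs in a log line that pass Luhn; a masked PAN (411111******1111) never matches."""
    candidates = [re.sub(r"\D", "", m.group()) for m in PAN_PATTERN.finditer(line)]
    return [c for c in candidates if luhn_valid(c)]


def find_sad_fields(line: str) -> list:
    """Field names in a log line that carry sensitive authentication data."""
    return [m.group() for m in SAD_KEY_PATTERN.finditer(line)]


def scan_log(lines) -> list:
    """Return (line_index, unmasked_pans, sad_fields) for every offending line."""
    findings = []
    for i, line in enumerate(lines):
        pans, sad = find_unmasked_pans(line), find_sad_fields(line)
        if pans or sad:
            findings.append((i, pans, sad))
    return findings


# Constructed sample input: one authorization record and four application log lines.
SAMPLE_RECORD = {
    "pan": "4111111111111111", "cardholder_name": "TEST CARD",
    "expiration_date": "12/29", "service_code": "201",
    "cvv": "123", "track_data": "%B4111111111111111^TEST/CARD^2912201?", "pin": "1234",
}
SAMPLE_LOG = [
    "2024-01-01T10:00:00 auth ok pan=411111******1111 amount=19.99",      # masked: fine
    "2024-01-01T10:00:05 DEBUG request body pan=4111111111111111 cvv=123",  # PAN + SAD
    "2024-01-01T10:00:09 order_id=1234567890123456 status=shipped",       # fails Luhn: ok
    "2024-01-01T10:00:12 track=5555 5555 5555 4444 swiped",               # spaced PAN + SAD
]

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_RECORD))
    for idx, pans, sad in scan_log(SAMPLE_LOG):
        print(f"line {idx}: unmasked PANs={pans} SAD fields={sad}")
```

The Luhn filter is what keeps the log scanner useful: order numbers and timestamps produce long digit runs too, and flagging every one of them would bury the two real findings (the debug line that logged a full PAN with its CVV, and the swipe line that logged track data).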
PCI Standards Boundary

- The PCI Data Security Standard (PCI DSS): if a business accepts or processes payment cards, it must comply with the PCI DSS. It is the standard merchants, processors, and service providers must meet for the complete protection of payment cardholder data.
- The Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) (previously known as PIN Entry Device (PED)) security requirements support the overall implementation of PCI DSS by allowing merchants to choose from Council-certified payment application software and PIN entry devices.
Recommended Understanding
PCI DSS tells you what you need to do: what standards you need to meet to be compliant.

PCI DSS does not tell you how to become compliant. That is individual to your situation and your environment:
  - Your systems
  - Your processes
  - Your vendors
  - Your customers

Being compliant does not necessarily make you secure.

Being secure leads to compliance – not the other way around.
Instruction

- Determining your PCI Level
- Validation requirements
- Selecting the SAQ that best applies to your organization
Determining your PCI Level
You need to assess where you are on the scale of risk:

Level 1
  - All channels: >6MM Visa or MC transactions per year

Level 2
  - All channels: 1MM - 6MM Visa or MC transactions per year
  - E-commerce: >150,000 - 6MM MC transactions per year

Level 3
  - 20,000 - 150,000 e-commerce MC transactions per year
  - 20,000 - 999,999 e-commerce Visa transactions per year

Level 4
  - <20,000 Visa or MC e-commerce transactions per year
  - <1MM non-e-commerce Visa or MC transactions per year
Validation requirements
Level 1 Merchants
  - Complete an annual on-site PCI Data Security Assessment in accordance with the PCI Audit Procedures (Visa website). You can use this template for your Report on Compliance (ROC).
  - Engage a Visa-approved Qualified Data Security Company to complete your ROC.
  - Validate the ROC by the due date (preferably sooner, in case issues arise in the ROC; this will help eliminate assessment of fines).
  - Provide the ROC to Bank of America Merchant Services.
  - The merchant's internal auditor may prepare the ROC, which must be accompanied by a letter signed by an executive-level officer of the merchant's organization validating the ROC.
  - Complete quarterly network scans to check your systems for vulnerabilities.
  - Complete annual penetration testing to test that your systems are hacker-resistant.
  - Ensure that these security scans are performed by a qualified independent scan vendor.
Level 2, 3 and 4 Merchants
  - Complete and validate an annual PCI Self-Assessment Questionnaire.
  - Complete quarterly network scans to check your systems for vulnerabilities.
  - Complete annual penetration testing to test that your systems are hacker-resistant.
  - Ensure that these security scans are performed by a qualified independent scan vendor.
Selecting the SAQ that Best Applies to Your Organization

SAQ   Description
A     Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
B     Imprint-only merchants with no electronic cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage.
C-VT  Merchants using only web-based virtual terminals, no cardholder data storage.
C     Merchants with payment application systems connected to the internet, no electronic cardholder data storage.
D     All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
Implementation

- Determine scope
- Rebuild systems based on the requirements
- Self Assessment Questionnaires
- Report
Determining Scope – Network Segmented (diagram slides)
Principles

SECURE – TRACK – AUDIT

- You need to ensure that your data is first secured, both physically and electronically.
- You need to ensure you have mechanisms in place to track who accesses your data and when.
- You need to review your tracking (audit) to look for anomalies.
PCI DSS – Requirements
Six Goals, Twelve Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors
PA-DSS Introduction
Formerly known as PABP (Payment Application Best Practices), supervised by Visa.

Goals
  - Develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data
  - Ensure their payment applications support compliance with the PCI DSS

The requirements for the PA-DSS are derived from the PCI DSS.

Why focus on software? Vulnerable payment applications are currently the leading cause of data compromise incidents, particularly for small merchants.
PA-DSS Requirements
Fourteen Requirements
Requirement 1    Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
Requirement 2    Protect stored cardholder data
Requirement 3    Provide secure authentication features
Requirement 4    Log payment application activity
Requirement 5    Develop secure payment applications (5.2 - OWASP Guide, SANS CWE Top 25, CERT Secure Coding)
Requirement 6    Protect wireless transmissions
Requirement 7    Test payment applications to address vulnerabilities
Requirement 8    Facilitate secure network implementation
Requirement 9    Cardholder data must never be stored on a server connected to the Internet
Requirement 10   Facilitate secure remote software updates
Requirement 11   Facilitate secure remote access to payment application
Requirement 12   Encrypt sensitive traffic over public networks
Requirement 13   Encrypt all non-console administrative access
Requirement 14   Maintain instructional documentation and training programs for customers, resellers, and integrators
SAQ Objectives
Self Assessment Questionnaires

- Based on industry feedback
- Flexibility for multiple merchant types
- Providing guidance for the intent and applicability of the underlying requirements

(The slide shows the cover of Self-Assessment Questionnaire (SAQ) A.)
Self Assessment Questionnaires

SAQ validation type, description and applicable SAQ:

1. Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. – SAQ A (<11 questions)
2. Imprint-only merchants with no cardholder data storage. – SAQ B (21 questions)
3. Stand-alone dial-up terminal merchants, no cardholder data storage. – SAQ B (21 questions)
4. Merchants with payment application systems connected to the Internet, no cardholder data storage. – SAQ C (38 questions)
5. All other merchants (not included in the descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ. – SAQ D (Full DSS)
Reports

Regular reports are required for PCI DSS compliance.

All merchants, service providers and processors may be required to submit quarterly scan reports.

All scan reports must be produced by a PCI SSC approved ASV.

THANK YOU
Más contenido relacionado

La actualidad más candente

PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security StandardsAshintha Rukmal
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromMart Rovers
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingMaganathin Veeraragaloo
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Identity & Access Management Day 2022.pdf
Identity & Access Management Day 2022.pdfIdentity & Access Management Day 2022.pdf
Identity & Access Management Day 2022.pdfChinatu Uzuegbu
 

La actualidad más candente (20)

PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
 
Apakah PCI DSS
Apakah PCI DSSApakah PCI DSS
Apakah PCI DSS
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Identity & Access Management Day 2022.pdf
Identity & Access Management Day 2022.pdfIdentity & Access Management Day 2022.pdf
Identity & Access Management Day 2022.pdf
 

Destacado

PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Twitter Bootstrap Presentation
Twitter Bootstrap PresentationTwitter Bootstrap Presentation
Twitter Bootstrap PresentationDuy Do Phan
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingKaseya
 
BlackBerry Basic
BlackBerry BasicBlackBerry Basic
BlackBerry BasicDuy Do Phan
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0ControlCase
 
PCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security StandardPCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security StandardAlvaro Machaca Tola
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarControlCase
 
Using the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancerUsing the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancerDana D. Hines, PhD
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to TokenizationNabeel Yoosuf
 
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinPCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinAnton Chuvakin
 
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...iFour Consultancy
 
Iso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in indiaIso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in indiaiFour Consultancy
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...iFour Consultancy
 

Destacado (18)

PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Twitter Bootstrap Presentation
Twitter Bootstrap PresentationTwitter Bootstrap Presentation
Twitter Bootstrap Presentation
 
WCF
WCFWCF
WCF
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance Briefing
 
BlackBerry Basic
BlackBerry BasicBlackBerry Basic
BlackBerry Basic
 
SSL
SSLSSL
SSL
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
PCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security StandardPCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security Standard
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
 
Using the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancerUsing the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancer
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to Tokenization
 
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinPCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
 
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
 
Iso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in indiaIso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in india
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
 

Similar a PCI DSS

ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National CertificationMark Pollard
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 
PCI Compliance: What You Need to Know
PCI Compliance: What You Need to KnowPCI Compliance: What You Need to Know
PCI Compliance: What You Need to KnowSasha Nunke
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
PCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program OverviewPCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program Overview- Mark - Fullbright
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 

Similar a PCI DSS (20)

ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
Payment System Risk. Visa
Payment System Risk. VisaPayment System Risk. Visa
Payment System Risk. Visa
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
Visa Compliance Mark National Certification
PCI DSS

  • 2. Agenda
    PCI-DSS Fundamentals
      - What is PCI-DSS
      - Why are the PCI Security Standards Important?
      - Key Definitions
      - PCI Standards Boundary
      - Recommended Understanding
    Instruction
      - Determine PCI Level
      - Validation Requirements
      - Choose SAQ
    Implementation
      - Principles
      - PCI-DSS Requirements
      - PA-DSS Requirements
      - Self Assessment Questionnaire
      - Report
  • 4. Payment Card Data Issues
  • 5. What is PCI?
    PCI stands for the Payment Card Industry and is used to refer to:
      - The PCI Security Standards Council (PCI SSC), an industry body founded by the major card brands to protect cardholder data. Founders: the major card brands (shown as logos on the slide).
      - The global security standards created and maintained by the PCI SSC to protect cardholder payment data.
    Key Learning Point: compliance with the PCI Security Standards is mandatory for merchants and their service providers, and is enforced by the major card brands that established the PCI SSC.
  • 6. What is PCI DSS?
    “The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information… the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.”
    – PCI Security Standards Council –
  • 7. Why are the PCI Security Standards Important?
    The Standards are important because they protect cardholder data in order to help prevent data compromises and subsequent fraud activity:
      - Customers expect merchants and their acquirers to keep their card account data safe.
      - Data compromises can result in significant fines and losses for merchants and can damage the merchant’s reputation with customers.
      - The number of data compromise incidents is increasing annually; organized criminal enterprises are targeting vulnerable merchants.
  • 9. Key Definitions
    Data definitions
      - Cardholder data: PAN (Primary Account Number), cardholder name, expiration date, service code. May be stored, but only protected as Requirement 3 demands.
      - Sensitive authentication data: full magnetic stripe (track) data, card verification code (CAV2/CID/CVC2/CVV2), PIN (Personal Identification Number) and PIN block. Must never be stored after authorization, even if encrypted.
    Keywords
      - PCI-DSS: Payment Card Industry Data Security Standard
      - PA-DSS: Payment Application Data Security Standard
      - PTS: PIN Transaction Security
      - QSA: Qualified Security Assessor
      - SAQ: Self Assessment Questionnaire
      - ASV: Approved Scanning Vendor
  • 10. PCI Standards Boundary
      - The PCI Data Security Standard (PCI DSS): if a business accepts or processes payment cards, it must comply with the PCI DSS. It is the standard that merchants, processors and service providers must meet for the complete protection of payment cardholder data.
      - The Payment Application Data Security Standard (PA-DSS) and the PIN Transaction Security (PTS) requirements (previously known as PIN Entry Device (PED) requirements) support the overall implementation of PCI DSS by allowing merchants to choose from Council-certified payment application software and PIN entry devices.
  • 11. Recommended Understanding
    PCI DSS tells you what you need to do: which standards you need to meet to be compliant.
    PCI DSS does not tell you how to become compliant. That is individual to your situation and your environment:
      - your systems
      - your processes
      - your vendors
      - your customers
    Being compliant does not necessarily make you secure.
    Being secure leads to compliance, not the other way around.
  • 13. Instruction
      - Determining your PCI level
      - Validation requirements
      - Selecting the SAQ that best applies to your organization
  • 14. Determining your PCI Level
    You need to assess where you are on the scale of risk. Levels are defined by annual transaction volume per card brand (MM = million; MC = MasterCard). Your acquirer assigns the level, so confirm the thresholds that apply to you with them.
    Level 1   All channels: more than 6 MM Visa or MC transactions per year
    Level 2   All channels: 1 MM - 6 MM Visa or MC transactions per year
              E-commerce: more than 150,000 and up to 6 MM MC transactions per year
    Level 3   E-commerce: 20,000 - 150,000 MC transactions per year
              E-commerce: 20,000 - 999,999 Visa transactions per year
    Level 4   E-commerce: fewer than 20,000 Visa or MC transactions per year
              Non-e-commerce: fewer than 1 MM Visa or MC transactions per year
  • 15. Validation Requirements
    Level 1 merchants
      - Complete an annual on-site PCI data security assessment in accordance with the PCI audit procedures (see the Visa website). A template is available for the Report on Compliance (ROC).
      - Engage a Visa-approved Qualified Security Assessor (QSA) to complete your ROC. Alternatively, the merchant’s internal auditor may prepare the ROC, which must then be accompanied by a letter signed by an executive-level officer of the merchant’s organization validating the ROC.
      - Validate the ROC by the due date, preferably sooner in case issues arise in the ROC; this helps avoid fines.
      - Provide the ROC to your acquirer (in this deck, Bank of America Merchant Services).
      - Complete quarterly network scans to check your systems for vulnerabilities; these scans must be performed by an Approved Scanning Vendor (ASV).
      - Complete annual penetration testing to test that your systems are hacker-resistant.
    Level 2, 3 and 4 merchants
      - Complete and validate an annual PCI Self-Assessment Questionnaire (SAQ).
      - Complete quarterly network scans to check your systems for vulnerabilities; these scans must be performed by an Approved Scanning Vendor (ASV).
      - Complete annual penetration testing to test that your systems are hacker-resistant.
  • 16. Selecting the SAQ that Best Applies to Your Organization
    SAQ    Description
    A      Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
    B      Imprint-only merchants with no electronic cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage.
    C-VT   Merchants using only web-based virtual terminals, no cardholder data storage.
    C      Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
    D      All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
  • 18. Implementation
      - Determine scope
      - Rebuild systems based on the requirements
      - Self Assessment Questionnaires
      - Report
  • 19-21. Determining Scope – Network Segmentation (diagram slides)
  • 22. Principles
    SECURE → TRACK → AUDIT
      - Secure: you need to ensure that your data is first secured, both physically and electronically.
      - Track: you need to ensure you have mechanisms in place to track who accesses your data and when.
      - Audit: you need to review your tracking records (audit) to look for anomalies.
  • 23. PCI DSS – Requirements
    Six goals, twelve requirements
    Build and Maintain a Secure Network
      1. Install and maintain a firewall configuration to protect cardholder data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks
    Maintain a Vulnerability Management Program
      5. Use and regularly update anti-virus software or programs
      6. Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
      7. Restrict access to cardholder data by business need-to-know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes
    Maintain an Information Security Policy
      12. Maintain a policy that addresses information security for employees and contractors
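The SECURE → TRACK → AUDIT principle and Requirements 7, 8 and 10 above say what to look for when reviewing access to cardholder data, but not how. The following is an added example (not from the slides) of a log review that flags the three anomalies a reviewer most often cares about: access by someone outside the need-to-know list (Requirement 7), access under a shared account that cannot be tied to one person (Requirement 8), and a burst of failed logins from one source (Requirements 8 and 10). The log format, field names, account lists, and the six-attempts-in-ten-minutes threshold are all assumptions made for this example, and the log lines are constructed.

```python
"""Review a cardholder-data access log for Req 7/8/10 anomalies.

Added example; the log format, field names and thresholds are assumptions,
not any real product's output or a PCI SSC-mandated value.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed line layout: "<date> <time> OK|FAIL user=<id> src=<ip> action=<name>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)

# Requirement 7: the only people whose job requires reading cardholder data.
NEED_TO_KNOW = {"alice", "bob"}
# Requirement 8: generic accounts that cannot be attributed to one person.
SHARED_ACCOUNTS = {"admin", "root", "dba", "service"}
# Failed-login burst threshold and window (assumed for this example).
FAIL_LIMIT = 6
FAIL_WINDOW = timedelta(minutes=10)


def parse(log):
    """Parse the log text into dicts; lines that do not match are skipped."""
    records = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def review(log):
    """Return one finding string per anomaly, in log order."""
    findings = []
    recent_fails = defaultdict(list)  # src -> timestamps of recent failures
    for rec in parse(log):
        ts, user, src = rec["ts"], rec["user"], rec["src"]
        if rec["result"] == "OK" and rec["action"] == "read_chd":
            if user in SHARED_ACCOUNTS:
                findings.append(f"{ts} shared account '{user}' read cardholder data (Req 8)")
            elif user not in NEED_TO_KNOW:
                findings.append(f"{ts} '{user}' read cardholder data without need-to-know (Req 7)")
        elif rec["result"] == "FAIL":
            # Slide the window: keep only failures within FAIL_WINDOW of this one.
            attempts = [t for t in recent_fails[src] if ts - t <= FAIL_WINDOW]
            attempts.append(ts)
            recent_fails[src] = attempts
            if len(attempts) == FAIL_LIMIT:
                findings.append(f"{ts} {FAIL_LIMIT} failed logins from {src} within {FAIL_WINDOW} (Req 8/10)")
    return findings


# Constructed sample log for the example.
SAMPLE_LOG = """\
2024-03-01 09:00:00 OK user=alice src=10.1.1.5 action=read_chd
2024-03-01 09:05:00 OK user=carol src=10.1.1.9 action=read_chd
2024-03-01 09:06:00 OK user=admin src=10.1.1.9 action=read_chd
2024-03-01 09:07:00 OK user=bob src=10.1.1.6 action=list_orders
2024-03-01 22:10:00 FAIL user=bob src=203.0.113.7 action=login
2024-03-01 22:10:10 FAIL user=bob src=203.0.113.7 action=login
2024-03-01 22:10:20 FAIL user=bob src=203.0.113.7 action=login
2024-03-01 22:10:30 FAIL user=bob src=203.0.113.7 action=login
2024-03-01 22:10:40 FAIL user=bob src=203.0.113.7 action=login
2024-03-01 22:10:50 FAIL user=bob src=203.0.113.7 action=login
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log this reports carol (no need-to-know), admin (shared account) and the six failures from 203.0.113.7. The point of the need-to-know list is that it has to exist as a maintained artifact before a review like this is possible; alice reading cardholder data is only "normal" because the list says so.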
  • 24. PA-DSS Introduction
    Formerly known as PABP (Payment Application Best Practices), supervised by Visa.
    Goals
      - Develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data.
      - Ensure that payment applications support compliance with the PCI DSS.
    The PA-DSS requirements are derived from the PCI DSS.
    Why focus on software? Vulnerable payment applications are currently the leading cause of data compromise incidents, particularly for small merchants.
  • 25. PA-DSS Requirements
    Fourteen requirements
      1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
      2. Protect stored cardholder data
      3. Provide secure authentication features
      4. Log payment application activity
      5. Develop secure payment applications (5.2: OWASP Guide, SANS/CWE Top 25, CERT Secure Coding)
      6. Protect wireless transmissions
      7. Test payment applications to address vulnerabilities
      8. Facilitate secure network implementation
      9. Cardholder data must never be stored on a server connected to the Internet
      10. Facilitate secure remote software updates
      11. Facilitate secure remote access to the payment application
      12. Encrypt sensitive traffic over public networks
      13. Encrypt all non-console administrative access
      14. Maintain instructional documentation and training programs for customers, resellers and integrators
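PCI DSS Requirement 3 and PA-DSS Requirement 1 above draw the line that matters most in practice: a PAN may be kept if it is protected, and when displayed may show at most the first six and last four digits, while track data, card validation codes and PIN blocks may never be retained at all. The usual way this line gets crossed is accidentally, through debug logs, crash dumps and support tickets. The following is an added example (not from the slides) of a scanner that finds candidate PANs in free text, confirms them with the Luhn check so order numbers are not mistaken for card numbers, masks them to first-six/last-four, and removes track-2 data outright. The regular expressions and the sample log lines are constructed for this example; 4111111111111111 is a well-known test card number.

```python
"""Find, mask and report card data in free text (added example).

Candidate PANs are 13-19 digit runs, optionally separated by spaces or
dashes; only Luhn-valid runs are treated as card numbers. Track-2 data
(PAN '=' YYMM service-code discretionary-data, as read from the stripe)
is sensitive authentication data and is removed entirely.
"""
import re

# 13-19 digits with optional single space/dash separators, not inside a
# longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 layout as it appears in raw swipe data (constructed pattern).
TRACK2 = re.compile(r";?\d{13,19}=\d{4}\d{3}\d*\??")


def luhn_ok(digits):
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask to first six / last four, the most PCI DSS allows to be shown."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return the Luhn-valid PANs in text, digits only, in order found."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scrub(text):
    """Remove track-2 data and mask PANs; return (clean_text, findings).

    findings is a list of "track2" / "pan" tags, one per item handled.
    Track data is removed before PAN masking so the PAN inside it is not
    counted twice.
    """
    findings = []
    if TRACK2.search(text):
        findings.append("track2")
        text = TRACK2.sub("[TRACK DATA REMOVED]", text)

    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append("pan")
            return mask_pan(digits)
        return m.group(0)   # not a card number (e.g. an order id); leave it

    return PAN_CANDIDATE.sub(_mask, text), findings


# Constructed sample log lines for the example.
SAMPLE_LOG = """\
2024-03-01 12:00:01 INFO  auth ok pan=4111 1111 1111 1111 amount=19.99
2024-03-01 12:00:02 DEBUG raw swipe ;4111111111111111=25121011234567890?
2024-03-01 12:00:03 INFO  order_id=1234567890123 shipped
"""

if __name__ == "__main__":
    cleaned, what = scrub(SAMPLE_LOG)
    print(cleaned)
    print("findings:", what)
```

On the sample the first line is rewritten to `pan=411111******1111`, the swipe line loses its track data, and the 13-digit order id is left alone because it fails the Luhn check. Masking is a display rule; a PAN that is actually stored must be rendered unreadable (truncation, one-way hash, tokenization or strong cryptography) as Requirement 3 demands, and the stripe data on the second line is a finding to investigate, not just to redact, because the application that wrote it is violating PA-DSS Requirement 1.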
  • 26. SAQ Objectives
    Self Assessment Questionnaires are:
      - based on industry feedback
      - flexible enough to cover multiple merchant types (SAQ A through D)
      - guidance on the intent and applicability of the underlying requirements
  • 27. Self Assessment Questionnaires
    SAQ   Validation type   Description                                                                 Size
    A     1                 Card-not-present (e-commerce or MO/TO) merchants, all cardholder data       <11 questions
                            functions outsourced. This would never apply to face-to-face merchants.
    B     2                 Imprint-only merchants with no cardholder data storage.                     21 questions
    B     3                 Stand-alone dial-up terminal merchants, no cardholder data storage.         21 questions
    C     4                 Merchants with payment application systems connected to the Internet,      38 questions
                            no cardholder data storage.
    D     5                 All other merchants (not included in the descriptions for SAQs A, B or C   Full DSS
                            above) and all service providers defined by a payment brand as eligible
                            to complete an SAQ.
  • 28. Reports
    Regular reports are required for PCI DSS compliance. All merchants, service providers and processors may be required to submit quarterly scan reports, and all such scans must be performed by a PCI SSC Approved Scanning Vendor (ASV).

Speaker notes

  • Key Learning Point: Using PCI compliant equipment and software can support merchant efforts to become PCI DSS compliant, but does not make a merchant PCI DSS compliant. The PCI DSS covers all aspects of how a merchant protects cardholder data, which goes beyond using secure equipment and software.
  • Key Learning Point: Not all PCI DSS requirements apply to all merchants. Merchants must review each requirement to determine applicability to the merchant’s card payment acceptance systems and business processes.