SlideShare una empresa de Scribd logo

Symbiotic Consulting Group LLC - PCI Compliance Overview

Descargar como PPTX, PDF
R
Rosy Kaur
1 de 28
Symbiotic Consulting Group LLC PCI Compliance – Background, Importance and Options for your Organization September 10, 2015www.symbioticconsultinggroup.com
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 2
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Meaning and Definition The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder and customer data do so in a secure environment! • This has to be a joint effort between IT and Business teams Page 3
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Meaning and Definition (cont.) Common PCI Myths • We don’t take enough cards to necessitate compliance, hence PCI is irrelevant • Our company outsources card processing so we are compliant • PCI is just an IT issue and they will deal with it • PCI is unreasonable / difficult • PCI compliance makes us secure • We can’t be a target Page 4
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 6
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Evolution PCI Security Standards Council was founded in year 2006 by some of the major card brands: • Visa • MasterCard • Amex • Discover • JCB Each card brand has inputs and feedback into the guidance provided by the council. Page 7
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Evolution (cont.) A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to the following: • Credit • Debit • HSA • FSA • Payroll • Others Page 8
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Evolution (cont.) PCI Security Standard Council is responsible for the oversight of the PCI Standards, which include guidance relative to the following: • PCI DSS • PA-DSS • P2PE • PTS Page 9
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 11
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Meaning of PCI DSS • Core set of best security practices • Set of 12 requirements broken down into 6 categories, as follows: 1. Build and maintain a secure network 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Monitor and test networks 6. Maintain an information security policy Page 12
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Meaning of PCI DSS (cont.)
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Meaning of PCI DSS (cont.) • PCI DSS can include the following depending on the organization:  PA-DSS  P2PE Solution Provider  PTS Page 14
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 16
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Compliance Criteria • Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure • Compliance is based on “Level” and “Type” • Level is based on the number of transactions performed in a 12-month period • Type is defined by how your organization takes credit cards Page 17
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Compliance Criteria (cont.)
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Compliance Criteria (cont.) Levels are based on the number of transactions. Visa defines them as follows: Page 19 Level Description 1 Organizations with over 6M Visa transactions per year OR Any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa 2 Organization with 1M to 6M Visa transactions per year 3 Organization with 20,000 to 1M Visa e-commerce transactions per year 4 Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants - regardless of acceptance channel - processing up to 1M Visa transactions per year
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Compliance Criteria (cont.) Types are defined by how your organization takes credit cards and are broken down as follows: Page 20 Type Description A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants B Imprint-only merchants with no cardholder data storage OR Stand-alone dial-up terminal merchants, no cardholder data storage C Merchants with payment application systems connected to the Internet, no cardholder data storage C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 21
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 What does this mean to my company? Action on your organization’s part for PCI: • Depending on what “Type” of organization you are, you will have to address anywhere from 15 to 200 + controls Cost Impact: • Hardware • Software • Application Maintenance (Data encryption, security etc) • Internal Resources • External Resources Page 22
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 What does this mean to my company?(cont.) Based on the volume of transactions, organizations would be required to perform the following: Page 23 Level Visa Description 1 • Annual report on compliance (“ROC”) to be completed by Qualified Security Assessor (“QSA”) • Quarterly network scan by Approved Scan Vendor (“ASV”) • Attestation of Compliance Form 2 • Annual Self-Assessment Questionnaire (“SAQ”) • Quarterly network scan by ASV • Attestation of Compliance Form 3 • Annual SAQ • Quarterly network scan by ASV • Attestation of Compliance Form 4 • Annual SAQ recommended • Quarterly network scan by ASV • Compliance validation requirements set by merchant bank
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 24
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Case Study: 2013 Breach of Target What happened: • Lost ~40 million credit and debit cards, ~ 70 million data files • Theft period: November 27 – December 15 • Malware on point-of-sale terminals  Not detected until December 15 Page 25
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Case Study: 2013 Breach of Target(cont.) Common Questions 1. How could this happen? 2. Was Target PCI compliant? 3. How do I know if I was affected? Costs? • Credit score monitoring • Fines, sanctions and lawsuits • Reputational damage Page 26
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Case Study: 2013 Breach of Target(cont.)
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 28 Thank You!!! Phone: 561-922-0120 Email: info@symbioticconsultinggroup.com Our Global Office Locations USA Headquarters Office Florida 2701, N.W. 2nd Avenue #214 Boca Raton, FL - 33431 Tel : 561-922-0120 Fax: 561-455-9893 USA Texas Branch 9660 Audelia Road, Suite 123-51 Dallas, TX 75238 Tel : 561-922-0120, Fax: 561-455-9893 Europe (Romania) Shared Services Branch Aviatorilor 5A, Suite 47 Baia Mare, Maramures 430223, Romania, Europe Tel: +40 362 881 664 India (Pune) Branch C-30, KPCT Mall, Fatima Nagar Pune, Maharashtra, 411040 Tel : 561-922-0120 Fax: 561-455-9893

Recomendados

MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019
Mutual Trust Bank Ltd.
 
fidelity national information 2005 ar
fidelity national information 2005 arfidelity national information 2005 ar
fidelity national information 2005 ar
finance48
 
RC Agenda_Aug26
RC Agenda_Aug26RC Agenda_Aug26
RC Agenda_Aug26
Elisa Cogan Salsberg
 
Requirement of PCI DSS in India.
Requirement of PCI DSS in India.Requirement of PCI DSS in India.
Requirement of PCI DSS in India.
CA Priyadarshan Behera
 
GCC Financial Cards & Payments Market Size, Share, Demand, Growth, Trends and...
GCC Financial Cards & Payments Market Size, Share, Demand, Growth, Trends and...GCC Financial Cards & Payments Market Size, Share, Demand, Growth, Trends and...
GCC Financial Cards & Payments Market Size, Share, Demand, Growth, Trends and...
NarayanSharma67
 
The Payment Card Industry Security Standards Council - Minimizing Risk
The Payment Card Industry Security Standards Council - Minimizing RiskThe Payment Card Industry Security Standards Council - Minimizing Risk
The Payment Card Industry Security Standards Council - Minimizing Risk
Allied Wallet
 
Data & Dollars Delivery: NACHA’s Roadmap for XML in the ACH
Data & Dollars Delivery: NACHA’s Roadmap for XML in the ACHData & Dollars Delivery: NACHA’s Roadmap for XML in the ACH
Data & Dollars Delivery: NACHA’s Roadmap for XML in the ACH
Nasreen Quibria
 
Re investment news April 2016
Re investment news April 2016Re investment news April 2016
Re investment news April 2016
Mid-America Association of Real Estate Investors
 

Recomendados

MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019
Mutual Trust Bank Ltd.
 
fidelity national information 2005 ar
fidelity national information 2005 arfidelity national information 2005 ar
fidelity national information 2005 ar
finance48
 
RC Agenda_Aug26
RC Agenda_Aug26RC Agenda_Aug26
RC Agenda_Aug26
Elisa Cogan Salsberg
 
Requirement of PCI DSS in India.
Requirement of PCI DSS in India.Requirement of PCI DSS in India.
Requirement of PCI DSS in India.
CA Priyadarshan Behera
 
GCC Financial Cards & Payments Market Size, Share, Demand, Growth, Trends and...
GCC Financial Cards & Payments Market Size, Share, Demand, Growth, Trends and...GCC Financial Cards & Payments Market Size, Share, Demand, Growth, Trends and...
GCC Financial Cards & Payments Market Size, Share, Demand, Growth, Trends and...
NarayanSharma67
 
The Payment Card Industry Security Standards Council - Minimizing Risk
The Payment Card Industry Security Standards Council - Minimizing RiskThe Payment Card Industry Security Standards Council - Minimizing Risk
The Payment Card Industry Security Standards Council - Minimizing Risk
Allied Wallet
 
Data & Dollars Delivery: NACHA’s Roadmap for XML in the ACH
Data & Dollars Delivery: NACHA’s Roadmap for XML in the ACHData & Dollars Delivery: NACHA’s Roadmap for XML in the ACH
Data & Dollars Delivery: NACHA’s Roadmap for XML in the ACH
Nasreen Quibria
 
Re investment news April 2016
Re investment news April 2016Re investment news April 2016
Re investment news April 2016
Mid-America Association of Real Estate Investors
 
Artificial intelligence & Machine learning role in financial services
Artificial intelligence & Machine learning role in financial servicesArtificial intelligence & Machine learning role in financial services
Artificial intelligence & Machine learning role in financial services
Prudhvi Parne
 
Data Security: A field guide for franchisors
Data Security: A field guide for franchisorsData Security: A field guide for franchisors
Data Security: A field guide for franchisors
Grant Thornton LLP
 
Business credit for business owners - Credit Management Association
Business credit for business owners - Credit Management AssociationBusiness credit for business owners - Credit Management Association
Business credit for business owners - Credit Management Association
Credit Management Association
 
09Feb2012ISOAgent[1]
09Feb2012ISOAgent[1]09Feb2012ISOAgent[1]
09Feb2012ISOAgent[1]
Kelly Shermach
 
CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
Visa
 
Falcon 012009
Falcon 012009Falcon 012009
Falcon 012009
Northwest Card Association
 
An overview of the 9th Cash Management University
An overview of the 9th Cash Management UniversityAn overview of the 9th Cash Management University
An overview of the 9th Cash Management University
Eglantine Landrain
 
Artificial Intelligence in Banking
Artificial Intelligence in BankingArtificial Intelligence in Banking
Artificial Intelligence in Banking
Khawar Nehal khawar.nehal@atrc.net.pk
 
Synthetic Identities and AML
Synthetic Identities and AMLSynthetic Identities and AML
Synthetic Identities and AML
doylebc
 
Intro to Credit
Intro to CreditIntro to Credit
Intro to Credit
Self Financial, Inc.
 
How Leading Financial Services Organizations Gain Competitive Edge With Inter...
How Leading Financial Services Organizations Gain Competitive Edge With Inter...How Leading Financial Services Organizations Gain Competitive Edge With Inter...
How Leading Financial Services Organizations Gain Competitive Edge With Inter...
ibi
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
Dermot Clarke
 
What Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSWhat Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSS
London School of Cyber Security
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
Donald E. Hester
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
Amanda Squires@Pod1
 
PCI FAQs and Myths
PCI FAQs and MythsPCI FAQs and Myths
PCI FAQs and Myths
BluePayProcessing
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
Donald E. Hester
 
PCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayPCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePay
BluePayProcessing
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
Sean D. Goodwin
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010
Donald E. Hester
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
Understanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and FailuresUnderstanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and Failures
- Mark - Fullbright
 

Más contenido relacionado

La actualidad más candente

CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
Visa
 
Synthetic Identities and AML
Synthetic Identities and AMLSynthetic Identities and AML
Synthetic Identities and AML
doylebc
 

La actualidad más candente (11)

Artificial intelligence & Machine learning role in financial services
Artificial intelligence & Machine learning role in financial servicesArtificial intelligence & Machine learning role in financial services
Artificial intelligence & Machine learning role in financial services
 
Data Security: A field guide for franchisors
Data Security: A field guide for franchisorsData Security: A field guide for franchisors
Data Security: A field guide for franchisors
 
Business credit for business owners - Credit Management Association
Business credit for business owners - Credit Management AssociationBusiness credit for business owners - Credit Management Association
Business credit for business owners - Credit Management Association
 
09Feb2012ISOAgent[1]
09Feb2012ISOAgent[1]09Feb2012ISOAgent[1]
09Feb2012ISOAgent[1]
 
CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
CyberSource MRC Survey - Top 9 Fraud Attacks and Winning Mitigating Strategie...
 
Falcon 012009
Falcon 012009Falcon 012009
Falcon 012009
 
An overview of the 9th Cash Management University
An overview of the 9th Cash Management UniversityAn overview of the 9th Cash Management University
An overview of the 9th Cash Management University
 
Artificial Intelligence in Banking
Artificial Intelligence in BankingArtificial Intelligence in Banking
Artificial Intelligence in Banking
 
Synthetic Identities and AML
Synthetic Identities and AMLSynthetic Identities and AML
Synthetic Identities and AML
 
Intro to Credit
Intro to CreditIntro to Credit
Intro to Credit
 
How Leading Financial Services Organizations Gain Competitive Edge With Inter...
How Leading Financial Services Organizations Gain Competitive Edge With Inter...How Leading Financial Services Organizations Gain Competitive Edge With Inter...
How Leading Financial Services Organizations Gain Competitive Edge With Inter...
 

Similar a Symbiotic Consulting Group LLC - PCI Compliance Overview

PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
Dermot Clarke
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
Understanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and FailuresUnderstanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and Failures
- Mark - Fullbright
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
wardell henley
 

Similar a Symbiotic Consulting Group LLC - PCI Compliance Overview (20)

PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
What Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSWhat Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSS
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
PCI FAQs and Myths
PCI FAQs and MythsPCI FAQs and Myths
PCI FAQs and Myths
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
 
PCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayPCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePay
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Understanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and FailuresUnderstanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and Failures
 
PCI Compliance for Payment Security
PCI Compliance for Payment SecurityPCI Compliance for Payment Security
PCI Compliance for Payment Security
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
 
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoAdoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 

Symbiotic Consulting Group LLC - PCI Compliance Overview

  • 1. Symbiotic Consulting Group LLC PCI Compliance – Background, Importance and Options for your Organization September 10, 2015www.symbioticconsultinggroup.com
  • 2. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 2
  • 3. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Meaning and Definition The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder and customer data do so in a secure environment! • This has to be a joint effort between IT and Business teams Page 3
  • 4. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Meaning and Definition (cont.) Common PCI Myths • We don’t take enough cards to necessitate compliance, hence PCI is irrelevant • Our company outsources card processing so we are compliant • PCI is just an IT issue and they will deal with it • PCI is unreasonable / difficult • PCI compliance makes us secure • We can’t be a target Page 4
  • 5. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015
  • 6. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 6
  • 7. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Evolution PCI Security Standards Council was founded in year 2006 by some of the major card brands: • Visa • MasterCard • Amex • Discover • JCB Each card brand has inputs and feedback into the guidance provided by the council. Page 7
  • 8. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Evolution (cont.) A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to the following: • Credit • Debit • HSA • FSA • Payroll • Others Page 8
  • 9. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Evolution (cont.) PCI Security Standard Council is responsible for the oversight of the PCI Standards, which include guidance relative to the following: • PCI DSS • PA-DSS • P2PE • PTS Page 9
  • 10. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015
  • 11. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 11
  • 12. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Meaning of PCI DSS • Core set of best security practices • Set of 12 requirements broken down into 6 categories, as follows: 1. Build and maintain a secure network 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Monitor and test networks 6. Maintain an information security policy Page 12
  • 13. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Meaning of PCI DSS (cont.)
  • 14. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Meaning of PCI DSS (cont.) • PCI DSS can include the following depending on the organization:  PA-DSS  P2PE Solution Provider  PTS Page 14
  • 15. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015
  • 16. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 16
  • 17. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Compliance Criteria • Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure • Compliance is based on “Level” and “Type” • Level is based on the number of transactions performed in a 12-month period • Type is defined by how your organization takes credit cards Page 17
  • 18. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Compliance Criteria (cont.)
  • 19. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Compliance Criteria (cont.) Levels are based on the number of transactions. Visa defines them as follows: Page 19 Level Description 1 Organizations with over 6M Visa transactions per year OR Any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa 2 Organization with 1M to 6M Visa transactions per year 3 Organization with 20,000 to 1M Visa e-commerce transactions per year 4 Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants - regardless of acceptance channel - processing up to 1M Visa transactions per year
  • 20. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 PCI Compliance Criteria (cont.) Types are defined by how your organization takes credit cards and are broken down as follows: Page 20 Type Description A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants B Imprint-only merchants with no cardholder data storage OR Stand-alone dial-up terminal merchants, no cardholder data storage C Merchants with payment application systems connected to the Internet, no cardholder data storage C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ
  • 21. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 21
  • 22. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 What does this mean to my company? Action on your organization’s part for PCI: • Depending on what “Type” of organization you are, you will have to address anywhere from 15 to 200 + controls Cost Impact: • Hardware • Software • Application Maintenance (Data encryption, security etc) • Internal Resources • External Resources Page 22
  • 23. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 What does this mean to my company?(cont.) Based on the volume of transactions, organizations would be required to perform the following: Page 23 Level Visa Description 1 • Annual report on compliance (“ROC”) to be completed by Qualified Security Assessor (“QSA”) • Quarterly network scan by Approved Scan Vendor (“ASV”) • Attestation of Compliance Form 2 • Annual Self-Assessment Questionnaire (“SAQ”) • Quarterly network scan by ASV • Attestation of Compliance Form 3 • Annual SAQ • Quarterly network scan by ASV • Attestation of Compliance Form 4 • Annual SAQ recommended • Quarterly network scan by ASV • Compliance validation requirements set by merchant bank
  • 24. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Key Topics • PCI Meaning and Definition • PCI Evolution • Meaning of PCI DSS • PCI Compliance Criteria • What does this mean to my company? • Case Study: 2013 Breach of Target Page 24
  • 25. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Case Study: 2013 Breach of Target What happened: • Lost ~40 million credit and debit cards, ~ 70 million data files • Theft period: November 27 – December 15 • Malware on point-of-sale terminals  Not detected until December 15 Page 25
  • 26. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Case Study: 2013 Breach of Target(cont.) Common Questions 1. How could this happen? 2. Was Target PCI compliant? 3. How do I know if I was affected? Costs? • Credit score monitoring • Fines, sanctions and lawsuits • Reputational damage Page 26
  • 27. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 Case Study: 2013 Breach of Target(cont.)
  • 28. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015 28 Thank You!!! Phone: 561-922-0120 Email: info@symbioticconsultinggroup.com Our Global Office Locations USA Headquarters Office Florida 2701, N.W. 2nd Avenue #214 Boca Raton, FL - 33431 Tel : 561-922-0120 Fax: 561-455-9893 USA Texas Branch 9660 Audelia Road, Suite 123-51 Dallas, TX 75238 Tel : 561-922-0120, Fax: 561-455-9893 Europe (Romania) Shared Services Branch Aviatorilor 5A, Suite 47 Baia Mare, Maramures 430223, Romania, Europe Tel: +40 362 881 664 India (Pune) Branch C-30, KPCT Mall, Fatima Nagar Pune, Maharashtra, 411040 Tel : 561-922-0120 Fax: 561-455-9893