PCI Card Production Security Requirements Challenges for Card Manufacturing and Personalization. Larry Brown ICMA 2015 EXPO

Good afternoon, ICMA 25th Anniversary EXPO attendees. I'm Larry Brown and I've had the privilege of working in the card industry for about 30 years. As I'm sure many of you are aware, especially the Secured Card Processors, the Physical and Logical Security Requirements for Card Production have recently been consolidated under the PCI Security Standards Council. Implementation schedules vary by association; Visa and MasterCard are currently utilizing the new requirements for most manufacturing and personalization facilities.

Factors Potentially Affecting You

The immediate or near-term effect on your operation's requirements will initially depend upon which Association(s) you process under and on implementation timing. In some instances you may find that requirements are somewhat more restrictive; in others the requirement may actually be more liberal. In either instance, however, the requirements will be more consistent and

Factors Potentially Affecting You

Since the PCI Security Standards Council was founded by the predominant card brands, who better to review and consolidate industry standards? Historically, Visa, MasterCard, American Express, Discover and JCB have had somewhat different requirements relating to Physical and Logical Security, although logic tended to drive similar solutions to common risks. Physical Security Requirements are necessarily based upon how best to prevent unauthorized individuals from physically accessing product, components or areas where sensitive cardholder information might be found. Logical Security Requirements are based upon how best to prevent unauthorized logical access to cardholder information and other system-based sensitive data elements such as CVV or PIN data, or to systems capable of generating secret data. If you are trying to prevent an unauthorized individual from entering an area, a secured door is usually a requirement. In the past there was sometimes confusion, based upon differing rules, about how strong that door had to be, how long it could be open, how unauthorized individuals were restricted from opening it, and so on. So a general requirement, common to almost anyone who attempted to enforce rules or reduce risk with an easily understood security measure, was sometimes difficult to satisfy sufficiently to achieve compliance, because the specifics were interpreted differently. This created a confusing environment for secured vendors, especially those who processed products for more than one brand.

Factors Potentially Affecting You

Most agree that consolidation is a good idea and will ultimately benefit the Vendor. The new requirements are a culmination of input by the Associations, with many of the changes a result of vendor input and of interpretations made in the past to clarify vendor issues. This provides a clear set of requirements that will simplify vendor security planning, and it simplifies vendor preparation for logical and physical security reviews, especially for those who must prepare for multiple associations. It enhances security planning and risk remediation for the industry, since there is now, or soon will be, a consistent approach utilizing best practices from all stakeholders. Do not confuse the new PCI Card Production Logical and Physical Security Requirements with the PCI Data Security Standard (PCI DSS); implementation schedules are announced separately by the various Associations. After draft versions of the proposed PCI requirements had been available for some time, Version 1.0 of both the Physical and the Logical Security Requirements was released in May 2013, with several Technical FAQs released subsequently to provide clarification where needed. For those shops already affiliated with one or more of the associations, you will quickly recognize some requirements listed almost verbatim and see others that are new or significantly modified.

Examples of Changes: Physical Security

- Restrooms are prohibited within the High Security Area (HSA) except where required by law.
- All enclosed rooms within the HSA are considered HSAs and must individually conform to the dual occupancy and other HSA requirements (this includes miscellaneous areas such as conference rooms).
- Dual occupancy for each HSA is enforced by the access control system by requiring a 2nd authorized occupant to badge in within 60 seconds.
- Motion detection for each HSA is interfaced with the access control system so that alarms are activated if motion is detected when occupancy = 0 and/or if motion is not detected when occupancy > 0.
- Information on the card back must identify the vendor that produced the card.
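The two access-control rules above (a second authorized occupant within 60 seconds, and motion cross-checked against the occupancy count) can be modelled as a small event-driven state machine. The following Python is an added example, not part of this presentation or of the PCI requirements themselves; the event format, the badge IDs, the `no_motion` sensor report and the sample event stream are constructed assumptions for illustration.

```python
"""Added example: HSA dual-occupancy and motion/occupancy correlation.

Occupancy is derived from badge entry/exit events (anti-passback included);
the motion sensor is assumed to report either 'motion' or 'no_motion'.
Event shapes and badge IDs are illustrative assumptions, not a real ACS API.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DUAL_OCCUPANCY_WINDOW_S = 60  # second occupant required within 60 s (from the slide)


@dataclass
class HsaMonitor:
    """Tracks who is inside one High Security Area and raises alarms."""
    present: Set[str] = field(default_factory=set)   # badge IDs currently inside
    single_since: Optional[float] = None             # when occupancy last became 1
    alarms: List[Tuple[float, str]] = field(default_factory=list)

    @property
    def occupancy(self) -> int:
        return len(self.present)

    def _alarm(self, t: float, msg: str) -> None:
        self.alarms.append((t, msg))

    def _check_dual_occupancy(self, t: float) -> None:
        # Exactly one person inside for longer than the window is a violation.
        if (self.occupancy == 1 and self.single_since is not None
                and t - self.single_since > DUAL_OCCUPANCY_WINDOW_S):
            self._alarm(t, "dual occupancy: single occupant > %ds" % DUAL_OCCUPANCY_WINDOW_S)
            self.single_since = t  # re-arm so the alarm repeats per window, not per event

    def _update_single_timer(self, t: float) -> None:
        # Timer runs only while exactly one person is inside.
        self.single_since = t if self.occupancy == 1 else None

    def handle(self, ev: dict) -> None:
        kind, t = ev["type"], ev["t"]
        self._check_dual_occupancy(t)  # evaluate the 60 s rule before applying the event
        if kind == "entry":
            if ev["badge"] in self.present:
                self._alarm(t, "anti-passback: %s already inside" % ev["badge"])
            else:
                self.present.add(ev["badge"])
                self._update_single_timer(t)
        elif kind == "exit":
            if ev["badge"] not in self.present:
                self._alarm(t, "exit without entry: %s" % ev["badge"])
            else:
                self.present.discard(ev["badge"])
                self._update_single_timer(t)
        elif kind == "motion":
            if self.occupancy == 0:
                self._alarm(t, "motion with occupancy = 0")
        elif kind == "no_motion":
            if self.occupancy > 0:
                self._alarm(t, "no motion with occupancy = %d" % self.occupancy)
        else:
            raise ValueError("unknown event type: %r" % kind)


def run(events: List[dict]) -> List[Tuple[float, str]]:
    """Replay a time-ordered event stream and return the alarms raised."""
    monitor = HsaMonitor()
    for ev in sorted(events, key=lambda e: e["t"]):
        monitor.handle(ev)
    return monitor.alarms


# Constructed sample stream: a compliant pair enters, one leaves, the other
# lingers alone past 60 s, then motion is seen in a supposedly empty room.
SAMPLE_EVENTS = [
    {"type": "entry", "t": 0, "badge": "B-101"},
    {"type": "entry", "t": 20, "badge": "B-202"},   # 2nd occupant within 60 s: OK
    {"type": "motion", "t": 30},                      # occupied and moving: OK
    {"type": "exit", "t": 300, "badge": "B-202"},    # B-101 is now alone
    {"type": "no_motion", "t": 320},                  # occupant present but no motion
    {"type": "exit", "t": 400, "badge": "B-101"},    # alone for 100 s before leaving
    {"type": "motion", "t": 500},                     # room empty, yet motion
]

if __name__ == "__main__":
    for when, message in run(SAMPLE_EVENTS):
        print("t=%4s  ALARM  %s" % (when, message))
```

Running the sample stream raises three alarms: no motion while one occupant is recorded inside (t=320), the single occupant exceeding the 60 second window (t=400), and motion with occupancy = 0 (t=500). In a real deployment the motion sensor would be debounced over a dwell period before a `no_motion` report is trusted, and the timer would be driven by a clock tick rather than only by the next badge event.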

Examples of Changes: Logical Security

- PIN Distribution via Electronic Methods has been added as a separate chapter.
- An Annex has been added clarifying minimum and equivalent key sizes and strengths for approved algorithms.
- Network security and configuration requirements have been updated and better described, and in some instances strengthened.
- Security testing and monitoring clarified.
- User access, emergency changes, remote access, etc. all more clearly described.

What Can I Do to Prepare?

- Go to www.pcisecuritystandards.org and review the new Card Production Logical and Physical Security Requirements.
- Compare your existing policies and procedures to determine any gaps.
- Review your facility layout and controls to determine gaps, with particular attention to HSAs.
- Review your network topology and system controls to determine compliance with the new requirements.
- Assess costs and production impacts of any modifications necessary to bring the bureau into compliance.

What Can I Do to Prepare?

- As in the past, work closely with your Card Association to determine timing: When is my next Association Site Review? What is my Association's implementation schedule?
- Perform a local Risk Assessment: What are my areas of greatest risk exposure? Which modifications, if any are needed, can I make quickly and inexpensively? Remember that some changes may be as simple as adding verbiage to existing procedures and implementing the modified procedure. What are the capital implications, and how can I plan for modifications that may require more extensive preparation (construction, equipment acquisition, etc.)?

Overview

- Requirements consolidation seems to be a good thing for the vendor.
- A unified set of requirements across Associations, rather than different rules that require substantially different preparation.
- Clarified requirements based upon historic questions regarding interpretations and emerging threats.
- FAQs and interpretations from different Associations/Vendors will provide a more unified approach to threats that are common to all.

Remember

- We're all in this together.
- The bad guys seem to be getting smarter.
- New threats are emerging every day, and responses with new or modified controls are likely to be an ongoing part of our environment.
- A unified, consolidated approach to our response to security threats would seem to make good sense.

Thank you