Payment Card Compliance and Challenges

Similar documents
The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

CCISO Blueprint v1. EC-Council

PCI Compliance: It's Required, and It's Good for Your Business

Commerce PCI: A Four-Letter Word of E-Commerce

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Evolution of Cyber Attacks

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

locuz.com SOC Services

PCI DSS COMPLIANCE 101

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

PCI COMPLIANCE IS NO LONGER OPTIONAL

University of Sunderland Business Assurance PCI Security Policy

Site Data Protection (SDP) Program Update

Navigating the PCI DSS Challenge. 29 April 2011

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Payment Card Industry Data Security Standards Version 1.1, September 2006

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

SECURITY PRACTICES OVERVIEW

The PCI Security Standards Council

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

Sage Data Security Services Directory

Will you be PCI DSS Compliant by September 2010?

Cyber Criminal Methods & Prevention Techniques. By

GUIDE TO STAYING OUT OF PCI SCOPE

Data Sheet The PCI DSS

TRUE SECURITY-AS-A-SERVICE

Welcome ControlCase Conference. Kishor Vaswani, CEO

DeMystifying Data Breaches and Information Security Compliance

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

2017 Annual Meeting of Members and Board of Directors Meeting

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

Daxko s PCI DSS Responsibilities

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Payment Card Industry (PCI) Data Security Standard

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

Securing Information Systems

PCI compliance the what and the why Executing through excellence

Payment Card Industry (PCI) Compliance

Cybersecurity The Evolving Landscape

Data Security Standard

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Twilio cloud communications SECURITY

Payment Card Industry (PCI) Data Security Standard

External Supplier Control Obligations. Cyber Security

PCI DSS and VNC Connect

Layer Security White Paper

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Altius IT Policy Collection Compliance and Standards Matrix

SoftLayer Security and Compliance:

The Honest Advantage

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Background FAST FACTS

PCI Compliance Updates

SIP Trunks. PCI compliance paired with agile and cost-effective telephony

Altius IT Policy Collection Compliance and Standards Matrix

How to become PCI DSS Compliant: The complete roadmap

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Using GRC for PCI DSS Compliance

WHITE PAPER. Achieve PCI Compliance and Protect Against Data Breaches with LightCyber

SECURITY & PRIVACY DOCUMENTATION

Business continuity management and cyber resiliency

Total Security Management PCI DSS Compliance Guide

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

90% of data breaches are caused by software vulnerabilities.

in PCI Regulated Environments

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Protect Comply Thrive. The PCI DSS: Challenge or opportunity?

Information Security Controls Policy

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Vendor Security Questionnaire

Payment Card Industry (PCI) Data Security Standard

CISO View: Top 4 Major Imperatives for Enterprise Defense

Payment Card Industry (PCI) Data Security Standard

PROFESSIONAL SERVICES (Solution Brief)

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Protecting your data. EY s approach to data privacy and information security

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Transcription:

Payment Card Compliance and Challenges MICHELLE GREELEY SOCIETY OF CORPORATE COMPLIANCE AND ETHICS MEETING MARCH 11, 2016 Agenda 2 Data security interpretations Security vs. compliance Payment Card Industry (PCI) Data security risk trends What can you do 1

Does data security sound like this to you? Security Insurance File Transfer Protocol TLS Ping Investigation Data Mining Access Controls Internet Protocol VPN Governance Chain of Custody Password Cracking HTTPS Router Backdoor Egress Point PKI Secure Socket Triple DES Vulnerability Virus Zero Day Worm Policies Standards Defense in Depth Firewall Trojan Horse Identity Cryptography Kernel ISO Botnet URL Defacement Encryption Cyber Biometrics Spoofing SQL Injection Malicious Code Network OSI Layers Root Registry Switch Threat Data Compliance PPTP TCP/IP Data Custodian Risk Cache Demilitarized Zone Third Parties Brute Force 3 Ease dropping Disaster Honey Pot Malware Assessment Tunnel Penetration Testing Segment Spam War Dialing Patch Phishing Scan Log Incident Synchronization SSL User Continuity Gateway Or does data security feel like this? 4 2

How about like this?* 5 Worlds biggest data breaches *informationisbeautiful.net Finally, does data security sound like this to you? Certified Penetration Testing Consultant Certified Ethical HITRUST Internal Security Assessor Certified Expert Penetration Tester Safe Harbor National Hacker Certified Security Testing Institute of Standards for Associate Standards and Attestation Payment Card Technology Engagements Industry (PCI) (NIST) (SSAE 16) Service HIPAA Qualified Security Assessor Organization EC-Council Certified Penetration Testing Engineer Certified Security Controls (SOC) Analyst International Organization for Standardization (ISO) 6 CSA STAR Sarbanes Oxley Gramm- Leach Bliley 3

Security vs. compliance 7 Compliance-based security rarely provides comprehensive protection against determined attacks Compliance requirements help bring awareness to basic security needs and when implemented reduce risk, but fail to provide flexibility or the means to adjust according to a company's overall security needs An effective information security program requires a framework that allows a company to adjust based upon both the risks faced by the company and the industry the company serves Simply meeting an industry compliance requirement, such as PCI, may be insufficient in meeting the reasonableness standard. Courts want to know whether companies have done what is reasonable for their firms or industries versus whether they have they simply met a compliance prerequisite What is PCI? 8 Originally began as five different programs Visa s Cardholder Information Security Program MasterCard s Site Data Protection American Express Data Security Operating Policy Discover s Information Security and Compliance JCB s Data Security Program Each company's intentions were similar: to create an additional level of protection for card issuers and reduce fraud by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on December 15, 2004, these companies aligned their individual policies and released version 1.0 of the PCI Data Security Standard (PCI DSS) Resource https://www.pcisecuritystandards.org/ 4

PCI standards and cardholder data 9 Six standards PCI DSS Data Security Standard PCI PA-DSS Payment Application Data Security Standard PCI P2PE - Point-to-Point Encryption PCI PTS - PIN Transaction Security PCI Card Production PCI TSP Token Service Providers Cardholder data includes Primary Account Number (PAN) Cardholder Name Security Code (CID/CAV2/CVC2/CVV2) Expiration Date PCI DSS 10 PCI DSS is a collection of 12 security requirements with over 240 sub-requirements applicable to entities who store, process and/or transmit cardholder data Regardless of business size or quantity of payment cards accepted Business processes, IT processes, facilities, service providers and systems Control Objective Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy PCI DSS Requirement 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel 5

PCI DSS compliance challenges 11 Executive commitment - PCI compliance is a business objective, not just a security objective Investment in certified Internal Security Assessors (ISA) and external Qualified Security Assessors (QSA) Knowing and routinely documenting your scope data flows, assets, physical locations, system interfaces, service providers and processes Creating and maintaining a knowledge base for critical decisions Maintaining compliance after achieving compliance it s a lifestyle, not just a project or a point in time Obtaining BAU budget for ongoing compliance costs remediation and testing Technology limitations and resource capacity Staying current with PCI DSS versions and interpretation changes from the PCI SSC Current data security risk trends* 12 Cybercrime Privacy and Regulation Threats From Third- Party Providers BYOx Trends in the Workplace Engagement With Your People Organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events *CIO.com Organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and business costs such as reputational damage and loss of customers due to privacy breaches. The patchwork nature of regulation around the world is likely to become an increasing burden on organizations in 2015 Third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability. Organizations need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace continues to grow, businesses are seeing information security risks being exploited at a greater rate than ever before. These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications Organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure 'the human element' of information security. In essence, people should be an organization's strongest control. Embed positive information security behaviors that will result in 'stop and think' behavior becoming a habit and part of an organization's information security culture 6

Current data security risk trends* 13 40 trillion emails/day 30 trillion websites 317 million new malwares found in 2014 98% of US military communications go over the Internet 97 Fortune 500 companies admit to being breached lately; 90 of these companies admit to not being staffed to handle this 70% of executives have made cyber security decisions Cyber security fast growing business; expected to be a $160 billion business over the next 5 years Labor supply issue expected for the next 10 years demand greater than supply *Cyber Security Summit 2015 What can you do? 14 Continue to invest in your Security department and program practices Adopt industry security frameworks, such as ISO, for security program practices Establish comprehensive governance, risk and compliance security program disciplines policies, awareness training, vulnerability management, threat monitoring, proactive compliance reporting, incident response, etc. Collaborate - create teams / SMEs to routinely address pertinent security topics and issues from Business, HR, Legal, IT, Privacy and Security departments Share client security and privacy concerns with senior leadership Document and communicate - documenting creates consistency and efficiency Know and manage your vendors / service providers, and push for their security and privacy commitments Routinely review and approve how staff, clients and vendors access your physical locations and computing environments Be open to process and culture changes maturing security disciplines impact IT and business practices Use realized security and privacy disciplines / certifications to gain new business 7

Thank you 15 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback