What is PCI DSS? PCI DSS = Payment Card Industry Data Security Standard


PCI DSS

What is PCI DSS? PCI DSS = Payment Card Industry Data Security Standard. Definition: A multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

What is PCI DSS? PCI DSS = Payment Card Industry Data Security Standard. Purpose: Intended to help organizations proactively protect customer account data.

PCI DSS: Without proactive security controls, you are left in a reactive security position.

History of PCI DSS

History of PCI DSS Originally developed by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International to help facilitate the broad adoption of consistent data security measures on a global basis.

History of PCI DSS: The PCI Security Standards Council is born, an independent body formed to develop, enhance, disseminate and assist with implementation of the standard. PCI DSS Version 1.1 released September 2006.

PCI DSS Goals and Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Why does PCI DSS exist? BREACHES HAPPEN!
There were 327 reported data breaches in 2006
48,419,936 records compromised in 2006
52 breaches in Higher Education
There have been breaches at IU!

What is a credit card compromise?
An unauthorized individual taking advantage of a flaw in a system that:
  Processes,
  Transmits, or
  Stores cardholder data
To gain access to:
  Card Numbers
  Expiration Dates
  CVV2/CVC2/CID
  Track Data

Compromise Statistics: Cases by Card Acceptance
Card Present 78%
Card Not Present 22%
About 3 out of 4 cases are in a traditional Brick and Mortar environment. Card Present merchants are not aware of these risks!

Compromise Statistics: Cases by Industry (chart; categories shown: Food Service, Retail, Universities, Other, Entertainment, Web hosting, Petroleum, Government, Payment Processing, Media)

Compromises: Small merchants are the source of less than 5% of potentially exposed cardholder accounts from data thefts; however, they are the source of 80% of identified compromises.

Theft of Payment Card Data is Thriving
The Perpetrators utilize The Tools to find The Gaps:

The Perpetrators
  International Crime Syndicates
  Malicious Third Parties
  Employees

The Tools
  Scanners: Port, Vulnerability, Web application

The Gaps
  Weak configurations
  Operating system flaws
  Programming errors
  Lack of staff training
  Flawed policies
  Negligence
  Poor change control procedures
  Application induced Backdoors
  Nearby systems/networks

Top Problems: Misconfiguration
Most compromises are a result of human error or interaction.
Over 90% of security exploits are carried out through vulnerabilities for which there are known patches. (Gartner Group)

Top Problems
1. Lack of firewall
  No firewall installed
  Firewall rules changed for troubleshooting
  Firewall hardware upgrades
2. Anti-virus not up to date or running
  Anti-virus expires after annual subscription
  IT department chooses not to put AV on some systems
  AV not loading properly during startup
3. Systems/applications not patched or updated
  No IT staff
  Unaware of current security threats
  Patching not a priority
  Development doesn't want to make associated changes
  Users don't want downtime
Source: Ambiron TrustWave, 2006

Top Ten Ways Criminals Gain Unauthorized Access to Cardholder Data
1. Through a vulnerability created by malware (such as a backdoor or Trojan) downloaded on a system
2. Due to the lack of or improper configuration of a firewall
3. Via remote access programs with lax or improperly configured security controls
4. Querying a database using SQL injection
5. Launching a password brute force attack
6. Using File Transfer Protocol (FTP) software to download cardholder data from an improperly configured FTP server
7. Utilizing automated tools to exploit remote control software
8. Logging in with disclosed login credentials
9. By way of wireless access points with lax or improperly configured security controls
10. Stealing physical records or systems that contain cardholder data
Source: Based on over 200 compromise investigations performed by Ambiron TrustWave.
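Requirement 10 (track and monitor all access) is the control that catches items 5 and 8 of this list in progress. As an added example that is not part of the original slides, the script below runs simple detection logic over a few constructed authentication log lines: it flags a source address with a burst of failed logins inside a time window, and separately flags a successful login from that source while the burst is still fresh, since that is what a guessed or disclosed password looks like in the log. The log format, the threshold and window, and every sample line are assumptions made for the example.

```python
"""Flag password brute-force bursts, and logins that follow them, in an auth log.

Added example (not from the original slides). The log format below is
constructed for the demonstration; adapt LINE_RE to the real source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <LOGIN_FAIL|LOGIN_OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source guesses two accounts and then gets in;
# a second source shows one ordinary mistyped password.
SAMPLE_LOG = """\
2024-03-01T10:00:01 LOGIN_FAIL user=cashier1 src=10.0.0.5
2024-03-01T10:00:02 LOGIN_FAIL user=cashier1 src=10.0.0.5
2024-03-01T10:00:03 LOGIN_FAIL user=admin src=10.0.0.5
2024-03-01T10:00:04 LOGIN_FAIL user=admin src=10.0.0.5
2024-03-01T10:00:05 LOGIN_FAIL user=admin src=10.0.0.5
2024-03-01T10:00:06 LOGIN_FAIL user=admin src=10.0.0.5
2024-03-01T10:00:09 LOGIN_OK user=admin src=10.0.0.5
2024-03-01T10:02:00 LOGIN_FAIL user=clerk2 src=192.168.1.20
2024-03-01T10:02:30 LOGIN_OK user=clerk2 src=192.168.1.20
this line is not in the expected format and is skipped
"""


def parse_events(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                   "user": m["user"], "src": m["src"]}


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts: a 'brute_force' alert when a source reaches `threshold`
    failures inside `window`, and a 'success_after_burst' alert for a later
    successful login from that source while failures are still in the window."""
    events = sorted(parse_events(lines), key=lambda e: e["ts"])
    recent_fails = defaultdict(deque)   # src -> failure timestamps inside the window
    users_tried = defaultdict(set)      # src -> account names it failed against
    flagged = set()
    alerts = []
    for e in events:
        fails = recent_fails[e["src"]]
        while fails and e["ts"] - fails[0] > window:   # slide the window forward
            fails.popleft()
        if e["result"] == "LOGIN_FAIL":
            fails.append(e["ts"])
            users_tried[e["src"]].add(e["user"])
            if len(fails) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append({"type": "brute_force", "src": e["src"],
                               "failures": len(fails),
                               "users": sorted(users_tried[e["src"]]),
                               "first": fails[0], "last": e["ts"]})
        elif e["src"] in flagged and fails:
            # Success while the burst is still inside the window: treat as a
            # possible compromise, not a user who finally remembered a password.
            alerts.append({"type": "success_after_burst", "src": e["src"],
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `threshold` and `window` to the system's normal failure rate; the sample fires at five failures in five minutes, which is a starting point rather than a universal setting.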

Top Five Data Security Vulnerabilities Leading to Compromises
1. Storage of Track Data (and other sensitive data)
2. Missing or outdated security patches
3. Vendor-supplied default settings and passwords
4. SQL injections
5. Unnecessary and vulnerable services on servers
Source: Visa USA
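Item 4, SQL injection, as an added example that is not from the original slides: the same order lookup written the vulnerable way (query text built by string concatenation) and the hardened way (a parameterized query), run against a constructed in-memory SQLite table. The table, its columns and rows, and the tampered input are assumptions made for the demonstration; the table holds only the last four digits of a card number.

```python
"""SQL injection: the vulnerable query beside its hardened form.

Added example, not from the original slides. The transactions table and its
rows are constructed for the demonstration and hold no full card numbers.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a small, constructed transactions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (order_id TEXT, customer TEXT, pan_last4 TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?, ?)",
        [("A100", "alice", "4242", 19.99),
         ("A101", "bob", "1111", 250.00),
         ("A102", "carol", "0005", 7.50)],
    )
    return conn


def lookup_vulnerable(conn, order_id: str) -> list:
    """Builds the query by concatenation, so the caller's input becomes SQL.
    Kept only to show the defect; do not copy this pattern."""
    sql = ("SELECT order_id, customer, pan_last4 FROM transactions "
           "WHERE order_id = '" + order_id + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, order_id: str) -> list:
    """Parameterized query: the driver passes order_id as a value, never as SQL text."""
    sql = "SELECT order_id, customer, pan_last4 FROM transactions WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"   # classic injection string, used here as the test input
    print("vulnerable, normal id :", lookup_vulnerable(db, "A100"))
    print("vulnerable, tampered  :", lookup_vulnerable(db, tampered))  # every row returned
    print("safe, tampered        :", lookup_safe(db, tampered))        # no rows
```

The parameterized form needs no input filtering to be safe, because the database engine never parses the value as part of the statement; that is why Requirement 6 (secure systems and applications) is met by how the query is written, not by a blacklist of characters.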

Breaches in Higher Education (by cause)
Human/Software Incompetence 46%
Theft (non-laptop) 19%
Outside Hackers 18%
Insider Malfeasance 15%
Laptop Theft 2%

Challenges in Higher Education
Open networks
Large number of merchants
Decentralized environments
Leveraging of 3rd parties for various services
Budgetary constraints

Best Practices
Maintain open networks while securing assets
Aim for segmentation of all critical data
Need-to-know access for payment info
Build boundaries around segments

Best Practices: 3rd Parties
Ensure the 3rd party entity signs an agreement
Require all 3rd parties to meet all PCI security standards
Service Provider Compliance Audit
Payment Application Best Practices
Lists available at www.visa.com/cisp

Does PCI DSS apply to IU? It applies to all members, merchants, and service providers that store, process or transmit cardholder data.

How do we comply with PCI DSS?
REMEMBER: It is against University Policy VI-110 to store credit card numbers on any computer, server, or database.
If you store credit card numbers, please contact pmtcards@indiana.edu IMMEDIATELY for an assessment.
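Knowing whether card numbers are stored at all is the first step, and item 1 of the Top Five list (storage of track data) is the worst case. As an added example that is not part of the original slides or of Indiana University's own process, the scanner below looks through text for primary account numbers and magnetic-stripe track data, uses the Luhn check digit to drop look-alike digit runs such as tracking numbers, and reports only masked values so the scan report itself holds no cardholder data. The file names, their contents and the regular expressions are assumptions made for the demonstration; the card numbers are standard test numbers, not real accounts.

```python
"""Find stored card numbers and track data before an assessor does.

Added example (not from the original slides). Sample files are constructed
inline; point scan_files() at real file contents to use it.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe layouts: Track 1 "%B<PAN>^<NAME>^<YYMM>..." and Track 2 ";<PAN>=<YYMM>...".
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}|;\d{13,19}=\d{4}")

SAMPLE_FILES = {  # constructed contents; test card numbers only
    "receipts_2023.csv": (
        "order,customer,card\n"
        "A100,alice,4111 1111 1111 1111\n"
        "A101,bob,5500-0000-0000-0004\n"
    ),
    "orders.log": "2024-03-01 order A102 tracking 1234567890123456 phone 555-123-4567\n",
    "swipe_dump.txt": "%B4242424242424242^DOE/JOHN^2512101?;4242424242424242=25121010000?\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: real PANs pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most restrictive PCI DSS display mask."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    """Return findings (type, offset, masked value) ordered by position in the text."""
    findings = []
    track_spans = []
    for m in TRACK_RE.finditer(text):
        track_spans.append(m.span())
        masked = re.sub(r"\d{13,19}", lambda d: mask_pan(d.group()), m.group())
        findings.append({"type": "track", "offset": m.start(), "masked": masked})
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in track_spans):
            continue                        # already reported as part of a track record
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "pan", "offset": m.start(), "masked": mask_pan(digits)})
    return sorted(findings, key=lambda f: f["offset"])


def scan_files(files: dict) -> dict:
    """Map file name -> findings, for files that contain at least one."""
    report = {}
    for name, content in files.items():
        found = scan_text(content)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, found in scan_files(SAMPLE_FILES).items():
        for f in found:
            print(f"{name}: {f['type']} at offset {f['offset']}: {f['masked']}")
```

A hit in `orders.log` would have been a false positive: the 16-digit tracking number fails the Luhn check, so it is not reported, while the two receipts and the swipe dump are. Track data is the finding to act on first, since storing it after authorization is never permitted, even encrypted.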

PCI DSS - Why Comply?
Required by our processing contract with US Bank.
Receive Safe Harbor from card associations.

PCI DSS - Why compliance matters
Loss of data
Disruption of operations
Disclosure of sensitive info
Damage to reputation
Denial of service to customers
Individual executive liability
Risk of closure/loss of business

PCI DSS Risk of non-compliance
Large monetary fines
Impose restrictions on card acceptance
Permanently prohibit card acceptance for department
Permanently prohibit card acceptance for university
Loss of faith in IU name

PCI DSS Risk of non-compliance
Other possible costs:
Coming into compliance
Annual audit
Average investigation cost: $14,000
Average remediation cost: $35,000
Quarterly network scans
Card replacement
Notification mailings
Credit monitoring for affected customers
Fraudulent charges as a result of your breach
Other?

PCI DSS The short term cost of action is always less than the long term cost of inaction.

PCI DSS Tips
Manual swipers are not in compliance with Visa/MC rules and regulations
Manual swiper receipts contain the full account number
Manual swipers should be returned to Payment Card Services

PCI DSS Tips
Treat credit card receipts like cash
Keep credit card data secure and confidential
Restrict access to card data to those who need to know
Secure your terminal
Have technology changes approved by Office of the Treasurer
Don't store cardholder data on computers, networks, email, etc.

PCI DSS Tips
Don't transmit cardholder data insecurely (email, unsecured fax, campus mail?)
Store credit card receipts for no more than 2 years
Destroy receipts so that account info is unreadable and cannot be reconstructed
Attend trainings!
Report suspected or known security breaches.

PCI DSS Summary
Data Security is critical to the success of the mission
Security is actively supported by senior management
Requirements are well communicated to everyone in the organization
It is a management problem that cannot be solved with technology alone
There is no silver bullet or quick fix - it is a process