PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

Similar documents
GLBA. The Gramm-Leach-Bliley Act

SARBANES-OXLEY (SOX) ACT

Compliance in 5 Steps

Sarbanes-Oxley Act (SOX)

HIPAA Compliance & Privacy What You Need to Know Now

HIPAA AND SECURITY. For Healthcare Organizations

CipherPost Pro. Secure communications simplified. Feature Sheet

6 Vulnerabilities of the Retail Payment Ecosystem

USE CASE FINANCIAL SERVICES

A QUICK PRIMER ON PCI DSS VERSION 3.0

Secure E-Signature. The first truly secure way to easily and quickly sign and exchange digitally approved documents. Feature Sheet

Single Sign-On. Introduction. Feature Sheet

E-Share: Secure Large File Sharing

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

CipherPost Pro Enterprise Dedicated Cloud

Security in Law Firms. What you need to know and how you can use secure to win more clients

PCI Compliance. What is it? Who uses it? Why is it important?

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

PCI DSS COMPLIANCE DATA

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

Secure Messaging Large File Sharing

Secure communications simplified

GUIDE TO STAYING OUT OF PCI SCOPE

Protect Comply Thrive. The PCI DSS: Challenge or opportunity?

The Honest Advantage

PRIVACY AND ONLINE DATA: CAN WE HAVE BOTH?

PCI DSS and the VNC SDK

Employee Security Awareness Training Program

Merchant Guide to PCI DSS

Layer by Layer: Protecting from Attack in Office 365

Clearing the Path to PCI DSS Version 2.0 Compliance

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

PCI DSS and VNC Connect

Regulation P & GLBA Training

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

Table of Contents. PCI Information Security Policy

What is Penetration Testing?

PCI COMPLIANCE IS NO LONGER OPTIONAL

for the Dental Industry

Getting ready for GDPR

PCI Compliance: It's Required, and It's Good for Your Business

Sales Training for DataMotion Products. March, 2014

Single Sign-On. Introduction

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Tracking and Reporting

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Cirius Secure Messaging Single Sign-On

Demonstrating Compliance in the Financial Services Industry with Veriato

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

University of Sunderland Business Assurance PCI Security Policy

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Secure E-Signature. The first truly secure way to easily and quickly sign and exchange digitally approved documents

Cipherpost Pro is far more than traditional encryption.

Information Security in Corporation

Overview of Archiving. Cloud & IT Services for your Company. EagleMercury Archiving

CIPHERPOST PRO. A Profitable, Essential Value-Add for Office 365

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

City of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Cybersecurity in Higher Ed

Security and PCI Compliance for Retail Point-of-Sale Systems

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

AN IPSWITCH WHITEPAPER. 7 Steps to Compliance with GDPR. How the General Data Protection Regulation Applies to External File Transfers

Simple and Powerful Security for PCI DSS

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

6 Ways Office 365 Keeps Your and Business Secure

Retail Security in a World of Digital Touchpoint Complexity

Cirius Secure Messaging Enterprise Dedicated Cloud

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

COMPLETING THE PAYMENT SECURITY PUZZLE

IBM Internet Security Systems October Market Intelligence Brief

2018 Edition. Security and Compliance for Office 365

Fine-Grained Access Control

Why you MUST protect your customer data

E-Share: Secure Large File Sharing

Enabling compliance with the PCI Data Security Standards December 2007

Protecting from Attack in Office 365

Securing Information Systems

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Securing Office 365 with SecureCloud

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Commerce PCI: A Four-Letter Word of E-Commerce

Protect Comply Thrive. The PCI DSS: Challenge or opportunity?

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion.

Complete document security

SECURE DATA EXCHANGE

Google Cloud Platform: Customer Responsibility Matrix. December 2018

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Security Using Digital Signatures & Encryption

Secure Messaging is far more than traditional encryption.

MESSAGING SECURITY GATEWAY. Solution overview

Teradata and Protegrity High-Value Protection for High-Value Data

Transcription:

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

Table of Contents Introduction 03 Who is affected by PCI DSS? 05 Why should my organization comply 06 with PCI DSS? Email security requirements 08 How can my organization meet these 09 requirements? Compliance doesn t have to be 11 complex How AppRiver CipherPost Pro 13 supports compliance APPRIVER.COM

Introduction As speed of business pushes ever forward, businesses around the world increasingly rely on near instantaneous credit transactions to make sales. In 2011, 135.33 billion transactions were made worldwide involving a credit, debit or prepaid card, up 12 percent over 2010 according to the Nilson Report. With the colossal amount of cardholder data whizzing between merchants, payment processors and banks, it s no wonder that cardholder data is often exchanged unsecured across high volume end user systems, like email. To prevent cardholders information from falling into the wrong hands, the Payment Card Industry Data Security Standard (PCI DSS) was established to hold organizations to a common standard for securing cardholder information against unauthorized exposure and exploitation. APPRIVER 3

First introduced in 2004 by the Card Industry Security Standards Council, The Payment Card Industry Data Security Standard (PCI DSS) is a stringent set of security standards that businesses must meet to transact using card information. Unlike compliance regulations administered by government organizations, PCI DSS defines specific security framework and technologies that businesses must implement to secure cardholder data wherever it resides, including email. This white paper briefly details how PCI DSS protocols apply to your organization, discusses email security and outlines what technologies your organization can implement to help ensure secure, PCI DSS-compliant email and file transfer. APPRIVER 4

Who is affected by PCI DSS? PCI DSS applies to all merchants, retailers and other businesses and organizations who transact using major credit, debit and prepaid cards. Additionally, PCI DSS applies to third parties, such as payment card processors, who store and access cardholder information to process transactions on behalf of organizations that accept card payments. APPRIVER 5

Why should my organization comply with PCI DSS? While businesses bear the burden of meeting multilayered PCI DSS protocols, the cost of compliance is far less than the alternative. Failure to comply with PCI DSS protocols has far reaching consequences that damage your business s bottom line and can cripple your ability to conduct future business. Consequences for non-compliance include: FINES Banks and credit card institutions may, at their discretion, fine offending merchants up to $500,000 per security incident, and up to $50,000 per day for every day a business is operating in violation of security standards. SUSPENSION OF MERCHANT ACCOUNTS Card providers such as Visa and MasterCard can refuse to do business with merchants and organizations who don t meet compliance requirements, reducing your ability to transact down to a cash only basis. PUBLIC NOTIFICATION Currently 38 states have laws requiring that data breaches exposing customer information (including cardholder data) be reported to customers affected. APPRIVER 6

LITIGATION Organizations that fail to secure cardholder information may face civil suits, damages and other costly legal proceedings as a result of cardholder data being exposed without authorization. LOSS OF REPUTATION, CUSTOMERS & BUSINESS It takes years to build a credible reputation but only a few minutes to ruin one, and a loss of credibility translates directly to an organization s bottom line. When consumers lose confidence, they switch to other services or brands, resulting in profit loss. A recent study by the Ponemon Institute showed that 31 percent of respondents terminated their relationship with an organization after receiving notification of a breach of data security. APPRIVER 7

Email security requirements Unlike the broad framework requirements of government regulations, PCI DSS is broken down into 12 major requirements that additionally specify policies and technologies business must implement to secure cardholder data. While not all requirements are relevant to email security, the following requirements directly impact organizations messaging security. In short, they charge organizations to: Protect stored cardholder data at rest and in transit Encrypt transmission of cardholder data across open, public networks including email systems Use and regularly update antivirus software on all systems commonly affected by malware Restrict access to cardholder data to a need-to-know basis Assign a unique ID to each person with computer access Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security APPRIVER 8

PCI details further requirements and standards, dependent upon organization type and the volume of annual credit transactions, that determine the specific policies and technologies your organization should implement. While a complete list of technical and policy requirements can be viewed on the Security Standards Council website, the next section identifies core technologies necessary for all organizations to comply with PCI requirements affecting messaging security. How can my organization meet these requirements? GLBA (Gramm Leach Bliley Act) does not explicitly identify specific policies and email technologies organizations should implement as safeguards to achieve compliance; every institution is unique and uses NPI in different forms, for different reasons. Yet, several technologies and policy-best practices stand out as clear solutions to meet GLBA requirements in relation to email: END-TO-END ENCRYPTION To meet regulation requirements that mandate NPI be secured, an end-to-end encryption that can encrypt or block content is often necessary to ensure that data remains confidential and secure between the message sender and the intended recipient, preventing unauthorized access or loss. APPRIVER 9

DATA LEAK PREVENTION (DLP) A DLP solution for email is essential for GLBA compliance, providing enhanced mail security through content filtering, authentication, and permissions rules that limit access and transmission of sensitive information sent within and outside the organization. ARCHIVING An effective email archiving system will enable organizations to meet control objectives for message retention and auditing by capturing, preserving and making all email traffic easily searchable for compliance auditors to evaluate. When encrypted and backed up, archiving provides additional protections for information against loss and unauthorized exposure. ANTI-SPAM & ANTI-MALWARE PCI stipulates that organizations implement appropriate technologies to protect from phishing and malware at the email gateway that could compromise the email system and cardholder data. To protect against advanced malware and zeroday attacks, a firewall is essential but not enough. It becomes necessary to implement, regularly update and audit a firewall, email filter and antivirus software to protect the messaging system from unexpected threats at the email gateway. APPRIVER 10

USER TRAINING & AWARENESS While the right mix of email security technologies is necessary to achieve compliance, technologies are only as smart as the people using them. Educate users on acceptable use policies for email; train them to identify fraudulent email, phishing scams and other pretexting that threatens the security of messaging system and integrity of customer information floating within it. Compliance doesn t have to be complex Despite PCI DSS providing clear direction to the form businesses email security systems should take, many businesses struggle to secure cardholder information exchanged via email, and even when they do, data breaches still happen. The problem is often that the technologies designed to help meet complex compliance requirements are often as complicated as the regulations themselves, posing their own set of challenges to securing email: DIFFICULT TO USE, DIFFICULT TO ADOPT Often technologies created to ensure regulatory compliance inhibit email functionality and workflow, frustrating users. According to a 2011 study by the Ponemon Institute, over half of email encryption users were frustrated with their encryption solutions being inflexible and difficult to use. When technology is difficult to use, managers may have difficulty enforcing policy and users may opt not to use them, which can expose your organization to data leakage and compliance violations. APPRIVER 11

PKI KEY MANAGEMENT IS TIME CONSUMING & EXPENSIVE It s no secret that key management is costly. While a key management solution may be necessary for encryption with outdated technology, the cost and time involved to manage it is more than just an inconvenience eating into management productivity and your budget. Yet the alternative of selecting a cheap solution could result in unrecoverable data. According to a 2011 study, About 52 percent of the businesses said they have had serious key management problems, with about a third claiming that keys were lost or misplaced keys and another third citing key failure. DATA LEAKAGE CAN STILL OCCUR The understated truth is that compliance does not equal security. Businesses that implement vendors technologies for secure email, technologies that claim to conform to PCI DSS requirements, don t always have the features necessary to catch user mistakes and policy violations that result in data loss. Solutions for secure email should complement existing email rather than complicate it. It is important to implement a solution that conforms to requirements for PCI DSS and is powerful enough to prevent data loss without compromising the functionality and workflow of existing email that your business depends on. With many out-of-the-box solutions floating around the market, your organization should consider a solution that works well with existing email to simplify complexity of management, and encourages adoption use by end users. APPRIVER 12

How CipherPost Pro supports compliance CipherPost Pro is a cloud solution for email encryption, secure file transfer and DLP that helps address PCI DSS requirements, and lets you use your email just the way it is. With CipherPost Pro, you can: Send secure messages right from your existing email client including Microsoft Office 365, Google G-Suite, Outlook and from any mobile device Leverage the Delivery Slip on every message to add controls, authentication, track live updates, true message recall and full audit and ediscovery capabilities Conform to GLBA technical requirements for secure transmission of NPI Automate and securely deliver messages and file attachments decrypted to any email archive database or third party application through a secure API Secure communication and collaboration anytime, anywhere, by allowing users to send, track and receive secure email and attachments on any mobile device including ios, Android and Windows Phone APPRIVER 13

APPRIVER.COM OR CALL 1.866.223.4645 APPRIVER 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback