2012 PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA


Effective Data Security Measures on Payment Cards through PCI DSS

Learning Bites
Comprehend the foundations, requirements, and benefits of PCI DSS
Recognize the need for compliance and the issues and challenges that come with it
Understand the documentation and audit requirements of the standard
Demonstrate compliance to all legal and regulatory requirements

High Profile Data Breaches

In the Philippines
There were an estimated 33 million debit cards and 8 million credit cards in circulation in the Philippines in 2009. The number of credit cards in circulation enjoyed healthy growth in 2010 as financial companies kept interest rates low, similar to 2009 levels. Also, industry players have introduced a "pay later" function, which creates a low interest rate climate to encourage usage of cards. With the growth of financial cards in circulation, the value of card transactions also increased, at the expense of cash transaction value as a proportion of total consumer expenditure. The value share growth of card payments is expected to continue in the forecast period as consumers increasingly become comfortable using financial cards. (Source: Euromonitor International, January 2010 & February 2011)

Data Breaches Statistics
[Charts: "Hacking Statistics by Industry" (Hospitality, Financial Services, Retail, Food & Beverages, Business Services, Technology, Education, Manufacturing, Others) and "Hacking Statistics by Vector" (Outside, Inside-Malicious, Inside-Accidental, Unknown); the percentage values are not recoverable from the transcription.]

Founders of PCI SSC

Payment Card Industry Security Standards
PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data.

Terminologies
Visa & Mastercard: membership organizations whose members can be either Acquirers or Issuers (or both)
Acquirers: members of the Visa or Mastercard organizations which handle merchants
Issuers: members of the Visa or Mastercard organizations that issue the cards to Cardholders
Merchants: those entities who accept card transactions
Cardholders: well, cardholders
Service Providers: entities that provide any service requiring the processing, storing or transport of card information on behalf of any of the above

Diagrammatically
The Acquirer and the Issuer are each a member of Visa and/or Mastercard, and may or may not be the same organization. The Acquirer provides processing services to the Merchant; the Issuer issues cards to the Cardholder; the Cardholder uses the card to buy from the Merchant.

Key Regulations/Requirements by VISA

PCI DSS Versions

Outline of PCI DSS Requirements
About 130 individual requirements under the 12 requirements.
With the major exception of the requirement to encrypt cardholder data, the requirements only represent generally accepted good security practice.
PCI does not represent an onerous ideal, but very many organisations are still only fully compliant with a small proportion of the requirements.
The standard is very prescriptive (unlike e.g. SOX or ISO 27001), but compensating controls are permitted in certain areas subject to the acquirer's or Payment Brand's approval.

PCI DSS General Information
PCI DSS is based on fundamental data security practices.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI DSS Prioritized Approach
The Prioritized Approach and its milestones are intended to provide the following benefits:
Roadmap that an organization can use to address its risks in priority order
Pragmatic approach that allows for quick wins
Supports financial and operational planning
Promotes objective and measurable progress indicators
Helps promote consistency among Qualified Security Assessors

PCI DSS Requirements and Milestones
12 PCI DSS Requirements:
Build & Maintain a Secure Network (Requirements 1 & 2)
Protect Cardholder Data (Requirements 3 & 4)
Maintain a Vulnerability Management Program (Requirements 5 & 6)
Implement Strong Access Control Measures (Requirements 7, 8 & 9)
Regularly Monitor & Test Networks (Requirements 10 & 11)
Maintain an Information Security Policy (Requirement 12)
Prioritized Approach Security Milestones:
Milestone 1: If you don't need it, don't store it
Milestone 2: Secure the perimeter
Milestone 3: Secure applications
Milestone 4: Control access to your systems
Milestone 5: Protect stored cardholder data
Milestone 6: Finalize remaining compliance efforts & ensure all controls are in place

PCI DSS Lifecycle: Phases, PCI Compliance & Deliverables
Assess: PCI DSS framework and scope of assessment; gap analysis; risk assessment
Deliverables: Map out data flow; Gap Analysis & Risk Assessment
Remediate: plan and implement remediation
Deliverables: Development of Remediation Plan; Implementation of Remediation Plan
Report: Self-Assessment Questionnaire (SAQ) or On-site Assessment
Deliverables: PCI Security Scan (Pentest & Vulnerability Assessment); Physical Security Assessment; On-Site Assessment & Attestation of Compliance; Self-Assessment Questionnaire (SAQ)

PCI DSS Compliance: Difficult & Ongoing
PCI (Payment Card Industry) compliance, a requirement for accepting credit card transactions, can be difficult. About 65% of global enterprises are still working on their PCI compliance initiatives. But PCI compliance is an ongoing effort, not a bounded IT security project. (Forrester Research, September 2008)

Key Challenges
Identifying data locations (PAN, track 2, CVV2/CVC2)
Encryption of cardholder data
Monitoring cardholder data access
Changing business processes
Changing technology
Cost of compliance
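The first challenge above, locating where PAN and track data actually sit, is normally tackled with a data-discovery scan over logs, databases and file shares before deciding what to stop storing (Milestone 1) and what to protect (Requirement 3). The following is an added example, not from the presentation: it scans constructed sample lines for Luhn-valid PANs and track 2 patterns, skips look-alike digit runs that fail the Luhn check, and reports each hit masked to first six/last four so the scan output itself does not become stored cardholder data.

```python
import re

# Constructed sample lines standing in for a log export being scanned.
# 4111111111111111 is a well-known test number, not a live card.
SAMPLE_LINES = [
    "order=1001 card=4111111111111111 amount=120.00",   # Luhn-valid PAN in clear
    "order=1002 ref=4111111111111112 amount=15.00",     # fails Luhn: an id, not a PAN
    "swipe=;4111111111111111=25121010000012345678?",    # track 2 data: never to be stored
    "order=1003 token=tok_8f3a9 amount=42.00",          # tokenised: no cardholder data
]

# 13-19 digit runs not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 layout: ';' PAN '=' expiry/service code/discretionary data '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=\d+\??")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four, the PCI DSS display masking convention."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_pan) findings for one line; track 2 hits subsume their PAN."""
    findings, covered = [], []
    for m in TRACK2_RE.finditer(line):
        findings.append(("track2", mask(m.group(1))))
        covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(line):
        inside_track = any(s <= m.start() < e for s, e in covered)
        if not inside_track and luhn_ok(m.group(1)):
            findings.append(("pan", mask(m.group(1))))
    return findings


def scan_lines(lines) -> list:
    """Return (1-based line number, kind, masked_pan) for every hit in the input."""
    return [(n, kind, masked) for n, line in enumerate(lines, 1)
            for kind, masked in scan_line(line)]
```

Each hit points at a data location that either has a business need (and then falls under the stored-data protection requirements) or should simply stop being written.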

Thank you very much! facebook.com/eccinternational linkedin.com/company/ecc-international eccinternational.wordpress.com