The PCI Security Standards Council

The PCI Security Standards Council 2/29/2008

Agenda
The PCI SSC: Roles and Responsibilities
How To Get Involved
PCI SSC Vendor Programs
PCI SSC Standards
PCI DSS Version 1.1
Revised SAQ

The PCI SSC

The PCI Security Standards Council
An open global forum, launched in September 2006, for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The PCI Security Standards Council: Members

PCI Security Standards Council Objectives
Issue new standards
Enhance payment account security
Create awareness and drive adoption
Foster participation and gather feedback
Manage the qualification and approval testing process for ASVs, QSAs and PED labs
Maintain a current list of approved QSAs, ASVs and PED-certified devices

Resources Provided by the Council
PCI DSS and supporting documents (PED & PA-DSS coming soon)
PCI Security Standards Council FAQs
Education & Outreach Programs
One Global Voice for the Industry: Participating Organization membership, Community Meetings, Feedback
Roster of QSAs and ASVs vetted by the Council (PED & PA-DSS listings coming soon)

The PCI Data Security Standard
The PCI DSS version 1.1 is a set of comprehensive requirements for enhancing payment account data security. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer payment data.

Six Goals, Twelve Requirements
The Payment Card Industry Data Security Standard (PCI DSS)

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Additional Standards
PIN Entry Device Standard
  All brands will grandfather previously approved POS PEDs
  Lab qualification
  Approval letters
  Approved product listings
  Approval process: 10 business days
PA-DSS (PABP)
  Assessor training & testing
  Approved product listings
  Possibly part of DSS

How To Get Involved

Global Participation & Representation
More than 300 organizations have been accepted

A Seat at the Table: Board Representation & SIGs
Financial Institutions
Merchants
Gateways
Processors
Service Providers
EFT Networks
Associations
Vendors

Participating Organization Privileges
Vote and run for the Participating Organization Board of Advisors
Comment on the DSS, SAQ, PED and other PCI SSC documentation prior to public release
Attend Community Meetings
Attend quarterly webinar meetings
Recommend new initiatives and standards
Reserve your seat at the table

Participating Organizations: Regions
[Pie chart with segments for United States, Asia Pacific, Canada, Central Europe / Middle East / Africa, Europe and Latin America / Caribbean. The original shows the values 69%, 20%, 4%, 3%, 2% and 2%, but the transcription does not preserve which value belongs to which region.]

Participating Organizations: Categories
[Pie chart with segments for Processors, Merchants, Financial Institutions and Other. The original shows the values 24%, 28%, 13% and 35%, but the transcription does not preserve which value belongs to which category.]

Board of Advisors: Financial Institutions
Bank of America
JP Morgan Chase and Co.
Citibank N.A., Global Consumer Group
Commonwealth Bank of Australia
The Royal Bank of Scotland

Board of Advisors: Merchants
British Airways, plc
Exxon Mobil Corporation
McDonald's Corporation
Microsoft
Tesco Stores Ltd.
Wal-Mart Stores, Inc.

Board of Advisors: Associations & Vendors
APACS
EPC
PayPal, Inc.
VeriFone, Inc.

Board of Advisors: Processors
Chase Paymentech Solutions
First Data Corporation
Interac Association
Moneris Solutions Corporation
SERVICIOS ELECTRONICOS GLOBALES S.A. DE C.V.
TSYS Acquiring Solutions

PCI SSC Community Meeting

Community Meeting
[Diagram: the Community Meeting at the center, bringing together Merchants, Acquirers, Approved Scanning Vendors, Qualified Security Assessors, Service Providers and Brands]

PCI SSC Inaugural Community Meeting
September 17-19, 2007, Toronto
Nearly 75% of membership in attendance
271 Participating Organization representatives from 177 companies
52 QSA/ASV/PED representatives from 50 companies
Great Success!

PCI SSC Inaugural Community Meeting
What PCI SSC heard:
  Consistency, Consistency, Consistency
  Standards Evolution and Life-Cycle Management
  Communications and Education
  Leverage Participating Organization
Next steps:
  Analyze and action feedback
  Further engage all members of the community
  Develop and communicate roadmap

PCI SSC Vendor Programs

QSAs
Organizations that validate an entity's adherence to PCI DSS requirements are known as Qualified Security Assessors (QSAs).
Over 100 QSA companies
https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm

Qualified Security Assessor Certification
Prospective QSAs:
  Apply as a company for qualification by providing documentation adhering to the Validation Requirements for Qualified Security Assessors (QSA) v1.1
  Qualify individual employees, through training and testing, to perform security assessments
  Execute an agreement with the PCI Security Standards Council governing performance

ASVs
Organizations that validate adherence by performing vulnerability scans of the internet-facing environments of merchants and service providers are known as Approved Scanning Vendors (ASVs).
Over 130 ASVs
https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm

Approved Scanning Vendor Certification
Prospective ASVs:
  Apply for approval by providing documentation adhering to the Validation Requirements for Approved Scanning Vendors (ASVs) v1.1
  Successfully complete the security scanning vendor testing and approval process
  Execute an agreement with the PCI Security Standards Council governing performance

PCI SSC Standards

How has the PCI DSS changed?
Updates are designed to foster broad adoption by acknowledging practical implementation issues and incorporating partner and customer feedback, while maintaining the robustness of the security measures.
PCI DSS v1.1 revisions provide:
  Clarification and consistency
  Flexibility for technology or business constraints
  Additional measures to address the latest attack trends

PCI DSS v1.1 Revision Examples
Clarity and Consistency: Incorporated a clarification of data definitions, distinguishing between cardholder data that must be protected by PCI vs. sensitive authentication data that must never be stored
Flexibility: Defined compensating controls for data encryption, and provided the ability for compensating controls to be applied to various requirements based on technical and business constraints
New Security Requirement: Created a new application-level requirement (6.6) to address a significant trend in account data compromise cases; effective date June 30, 2008

PCI DSS Drivers
[Diagram: the inputs below feed the PCI Data Security Standard]
Industry Best Practices
ADC (Account Data Compromise) Forensics Results
Security Scans
Advisory Board
On-Site Audits
Community Meeting
Proactive feedback from QSAs, ASVs and POs
Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs)
Self-Assessment Questionnaire

New SAQ Objectives
Alignment with the PCI DSS v1.1
Based on industry feedback
Flexibility for multiple merchant types
Providing guidance for the intent and applicability of the underlying requirements
May be used as a basis for an automated tool in the future

PCI DSS v1.1 Revisions
Created a new application-level requirement (6.6) to address the latest trend in account data compromise; implementation date set for June 30, 2008
Incorporated a clarification of data definitions, distinguishing between cardholder data that must be protected by PCI vs. sensitive authentication data that must never be stored
Defined compensating controls for data encryption
Provided flexibility for compensating controls to be applied to various requirements based on technical and business constraints

PCI Update: Data Storage Clarification
[Table not preserved in the transcription; only its footnote survives]
* Data elements must be protected when stored in conjunction with PAN

Most Common PCI Requirements Not Met
[Chart: percentage of compromised merchants that failed to meet each PCI DSS requirement; the values are not preserved in the transcription]
Requirement 1: Install and maintain a firewall to protect cardholder data
Requirement 3: Protect stored data
Requirement 6: Develop and maintain secure systems and applications
Requirement 8: Assign a unique ID to each person with computer access
Requirement 10: Track and monitor access to network and card data
Requirement 11: Regularly test security systems and processes
* Data gathered from more than 250 card compromise investigations conducted by ATW

Compromise Cases by Industry
[Chart; the values are not preserved in the transcription]
The Food Service industry represents the majority of the compromises
Retail is the next largest industry with compromises
* Data gathered from more than 250 card compromise investigations conducted by ATW

New Application-Level Requirement
Addresses SQL injection, cross-site scripting and other application-level attacks
Complements existing requirements for secure coding of web applications (6.5) and application-level penetration testing (11.3.2)
Seeks to provide added assurance that sites are not vulnerable, by either of the following methods:
  Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  Installing an application-layer firewall in front of web-facing applications
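Requirement 6.6 names two attack classes, SQL injection and cross-site scripting, and offers code review as one way to gain assurance against them. As an added illustration that is not part of the PCI SSC deck, the Python below shows a database lookup and an HTML response written in the form a 6.6 code review would flag, each beside the hardened form a reviewer would expect. The order table, its rows and the request values are constructed for the example; the function names are the example's own.

```python
"""Added example (not from the PCI SSC slides): the two application-level
weaknesses Requirement 6.6 names, shown as a vulnerable routine beside its
hardened form. All data below is constructed for the demonstration."""
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: an order table a web front end might query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 42.0), (2, "bob", 17.5), (3, "carol", 99.9)],
    )
    return conn


def lookup_orders_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """Builds the statement by string concatenation, so the request parameter
    becomes part of the SQL grammar. This is the pattern a 6.6 code review
    flags: the query text itself depends on untrusted input."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_orders_hardened(conn: sqlite3.Connection, customer: str) -> list:
    """Parameterised statement: the driver passes the value separately from
    the SQL text, so quotes or operators inside it are only ever data."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflects the parameter into HTML unescaped: cross-site scripting."""
    return "<p>Welcome back, " + name + "</p>"


def render_greeting_hardened(name: str) -> str:
    """Escapes on output, so markup in the parameter is rendered as text."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = build_demo_db()
    # A customer name as it might arrive in a request. With a quote and an OR
    # clause inside it, the concatenated query stops filtering at all, while
    # the parameterised query simply finds no customer with that literal name.
    tampered = "alice' OR '1'='1"
    print("vulnerable:", lookup_orders_vulnerable(conn, tampered))  # all three rows
    print("hardened:  ", lookup_orders_hardened(conn, tampered))    # []
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_hardened("<script>alert(1)</script>"))
```

The contrast is what a reviewer or an application-layer firewall is looking for: in the vulnerable routines the boundary between code and data is decided by the content of the request, whereas the hardened routines fix that boundary in the program itself (parameter binding for SQL, output escaping for HTML), which is why a review can sign off on them without reasoning about every possible input.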

Revised PCI Standard
[Diagram: phased approach. Revisions for consideration are drawn from Community Meeting input from Participating Organizations, QSAs and ASVs, and proceed through Phase 1, Phase 2 and Phase 3.]

For more information
Questions about the standards or supporting documents: info@pcisecuritystandards.org
Questions that require interpretation from the Council's subject-matter experts may reflect the input of all five founding payment brands. We appreciate your patience as we work to craft your specific and individualized answer.

Thank You!