Merchant Education: PCI Compliance by Merchants Is Required

Data compromises are on the rise. Merchants risk losing the ability to accept credit cards for non-compliance.

All merchants that process credit cards MUST be compliant. Learn what every merchant must do to comply with the PCI-DSS.

866 462 7774
CSRSI.com

Slide 1: Data Compromises are on the Rise
A combination of increasing data breaches and state disclosure laws has resulted in a sharp rise in reported security compromises.

  Year           Reported compromises
  2003           50*
  2004           162
  2005           257
  2006           223
  2007 (10.31)   351

  * Greater than 1,000,000 credit card numbers compromised

Slide 2: What is PCI?
PCI stands for the Payment Card Industry Data Security Standard. The current version is 1.1, which was introduced in September 2006.

Slide 3: VISA Compliance Mandate
Newly boarded level 4 merchants must be PCI DSS compliant as of October 1, 2008.

Slide 4: Who must comply?
All merchants who in any way accept, store, transmit or handle "credit cards" must comply. There are no exceptions. This includes merchants who are store based, accept payments by telephone or mail, or utilize the Internet.

Where is compliance required?
At every location that handles cardholder data. This includes the store level, the back office, all remote locations and corporate.

Slide 5: Why comply now?
Compliance is mandatory. Without PCI compliance you have no defense and are subject to immediate termination of card-accepting privileges. If you are not compliant and you try to change processors, a growing list of processors will not accept your application. If you obtain a new merchant service account and do not become compliant within six months, you are at risk of losing that merchant service account.
  • Maintain positive image
  • Enhance consumer confidence
  • Improve bottom line
  • Reduce exposure to fraud losses

Slide 6: What if a merchant does not comply?
The merchant is then subject to civil penalties, criminal prosecution and loss of credit card privileges. Fines can exceed $100,000 per month. In addition, the processor can increase a merchant's cost of credit card acceptance.
  • Restriction on processing
  • Permanent prohibition from processing
  • Financial fines
  • Violation of applicable federal and state laws
  • Fraud losses perpetrated using the compromised account numbers (ongoing financial as well as security and replacement costs)

Slide 7: Is it true that all breaches are from external attacks?
No! The vast majority of attacks occur at your location by trusted people. According to FBI/CSI data, greater than 90% of all attacks are internal.

Slide 8: Where do attacks and breaches occur?
Attacks and breaches occur everywhere, at any time. No location or business is safe from attack.

Slide 9: Is my processor responsible for my fines?
No! The merchant is responsible for fines and penalties.

Slide 10: Is it true that if my software or terminal is compliant then I am compliant?
No! Compliant software and terminals are critical but not the entire answer. Do not depend upon your software vendor to provide you with the compliance that you must have.

Slide 11: Is it true that no one will ever look at my answers to the self-assessment questionnaire (SAQ) or penetration scans?
No! Both the SAQ and the penetration scans are reported directly to your processor. If any issue arises, or by random audit, these results are examined. If you have fabricated results, this is grounds for loss of credit card accepting privileges as well as civil fines and criminal prosecution.

Slide 12: Building blocks of PCI Compliance
WHAT YOU NEED TO HAVE:
  • Written Policies
  • Written Procedures
  • Employee Handouts
  • Training Program

Slide 13: Building blocks of PCI Compliance
Written Policies required for the Self Assessment Questionnaire include:
  • SECURITY STANDARD POLICY
  • AUDIT LOG POLICY
  • SOFTWARE APPLICATION DEVELOPMENT POLICY
  • PASSWORD POLICY
  • INFORMATION SECURITY POLICY
  • SECURITY INCIDENT RESPONSE POLICY

Slide 14: Building blocks of PCI Compliance
Written Procedures required for the Self Assessment Questionnaire include:
  • CHANGE CONTROL PROCEDURES
  • BACK-OUT PROCEDURES
  • PASSWORD PROCEDURES
  • DAILY OPERATIONAL SECURITY PROCEDURE
  • USAGE PROCEDURES FOR CRITICAL EMPLOYEE-FACING TECHNOLOGIES

Slide 15: Building blocks of PCI Compliance
PENETRATION SCANNING
  • Penetration Scanning is required quarterly.
  • Must be provided by an ASV (Approved Scanning Vendor).
  • Must remediate all high-level issues identified within 30 days.

Slide 16: About CSRSI
Advising large retail and service companies ($25M+ in sales) since 1999, our consulting team tackles consumer data security issues.
Our PCI ToolKit web application serves banks, acquirers and payment processors to monitor and manage merchants through the PCI compliance process. See more at www.PCIToolKit.com.
If you have questions, we have answers. Learn more at www.CSRSI.com.

  Ross Federgreen             Jan Carroza
  rfedergreen@csrsi.com       jcarroza@csrsi.com
  866-462-7774 x1             866-462-7774 x4
  Jensen Beach, FL            Seattle, WA
