Visa Europe Public
Payment System Risk
Andrew Mulvenna
10th November 2010
In this presentation Andrew Mulvenna, of VISA, walked through some basic points of the PCI DSS and PA-DSS standards, such as what is new in version 2.0, the new life-cycle of the standards, the risk-prioritised approach to PCI DSS, and the importance of encryption and tokenisation in new payment architectures.

Agenda
• PCI DSS & PA-DSS v2.0 – What’s new?
• Visa Europe’s PCI Compliance Programme
• Vulnerability Guidance
• Encryption and Tokenisation
• Questions and Answers

PCI DSS & PA-DSS v2.0 – What’s new?
• Mainly clarifications to existing requirements.
• Certain requirements will be based more on risk assessment rather than being overly prescriptive.
• The standards will be moving to a three-year standard lifecycle.

The New Life-cycle
(Diagram slide: the three-year standards lifecycle.)
The Current Environment
• Knowledge of cardholder and account data is (largely) considered proof of ownership. Consequently, cardholder data is inherently valuable to a criminal.
• Many retailers believe that there is a disproportionate onus on them to protect data.
• What if we could make data less valuable such that it needs less protection?

Storing cardholder data
Basic principles:
• If you don’t need it, don’t store it
• Delete sensitive authentication data after authorisation
• If you store cardholder data you must do one or more of the following:
  – Truncate
  – Hash
  – Encrypt
(Slide footer: Retail Fraud Conference, 20 April 2010)

Merchant Levels and Validation Requirements

Level 1
Definition: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.**
Validation requirements:
• Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or a qualified internal security resource
• Quarterly network scan by an Approved Scan Vendor (ASV)
• Attestation of Compliance form

Level 2
Definition: Merchants processing one million to six million Visa transactions annually via all channels.
Validation requirements:
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by an ASV
• Attestation of Compliance form

** Where merchants operate in more than one country or region, if they meet level one criteria in any Visa country or region, they are considered a global Level one merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not aggregated across borders. In such cases merchants are validated according to regional levels.

Merchant Levels and Validation Requirements (2)

Level 3
Definition: Merchants processing 20,000 to one million Visa e-commerce transactions annually.
Validation requirements:
• Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data, OR
• Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe

Level 4 (e-commerce merchants only)
Definition: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
Validation requirements:
• Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data, OR
• Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe

Level 4 (non e-commerce merchants)
Definition: Merchants processing up to one million Visa transactions annually.
Validation requirements:
• Annual SAQ
• Quarterly network scan by an ASV
• Attestation of Compliance form

PCI DSS Prioritised Risk Based Approach
Phase and PCI DSS objective (defined by PCI SSC):
Phase 1: Remove Sensitive Authentication Data and Limit Data Retention
Phase 2: Protect the Perimeter, Internal, and Wireless Networks
Phase 3: Secure Applications
Phase 4: Protect Through Monitoring and Access Control
Phase 5: Render Cardholder Data Unreadable
Phase 6: Achieve Final Compliance and Maintenance of PCI DSS
(Diagram labels: Required Validation; Merchant Discretion / Safe Harbour)
Guidance Supplements
New Payment Architectures
(Diagram labels: Encrypting Registers – Segmenting Device – PCI Compliant Zone – Internal or Public Network – Point of Decryption – PCI Compliant Zone – Segmenting Device – Encrypting PEDs)

The industry’s first specification for Data Field Encryption
– A comprehensive guidance document describing the key management practices that would be necessary to support encryption solutions
– Based on 5 key security objectives
– Aimed at consolidating industry best practice

SRED – Secure Read and Exchange of Data
• A new optional module within PCI PTS PoI v3.
• Describes security requirements for the protection of account data originating from a secure PED.

What is Tokenisation?
• Tokenisation defines a process through which PANs are replaced with surrogate values known as “tokens”.
• The security of an individual token relies on the properties of uniqueness and the infeasibility of determining the original PAN knowing only the surrogate value.
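As an added worked example (not code from the deck, from Visa Europe or from the PCI SSC), the Python below puts the two technical slides side by side: the three "render unreadable" options from the "Storing cardholder data" slide (truncate, hash, encrypt is left to a standard library such as AES-GCM and not shown) and a vault-style tokenisation service that gives each PAN a unique, random surrogate from which the PAN cannot be recovered without the vault. The token layout (BIN and last four kept, random middle, deliberately Luhn-invalid), the length limits, and all function names are assumptions made for illustration; the test PAN is a constructed, well-known test number.

```python
"""Tokenisation vault beside PCI DSS truncation and keyed hashing.

Added example; names, layout and policies are assumptions, not Visa's
or the PCI SSC's code.
"""
import hashlib
import hmac
import secrets
import string

# Constructed test PAN (an industry test number, not a live card).
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """True if a digit string passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits (assumed policy)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256) of the PAN.

    An unkeyed SHA-256 of a PAN is a weak way to render it unreadable: when the
    first six and last four digits are known from other records, only a few
    unknown digits remain and the hash space is small enough to exhaust. The
    secret key removes that shortcut, so the key itself must live in the
    PCI-compliant zone with the same protection as an encryption key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Surrogate tokens that are unique per PAN and carry no information about it.

    The only way back from token to PAN is the vault table, which must stay
    inside the PCI-compliant zone; systems that hold only tokens are out of
    scope for the PAN. The format-preserving layout (BIN + last four kept,
    random middle, never Luhn-valid) is an assumed design choice.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        # Assumed input validation: digits only, 13 to 19 long, Luhn-valid.
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("input is not a plausible PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # stable: same PAN, same token
        while True:
            middle = "".join(secrets.choice(string.digits)
                             for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Uniqueness: reject collisions with existing tokens. Also reject
            # any candidate that passes Luhn, so a token found in a log or a
            # scan is never mistaken for a live PAN (this excludes the PAN itself).
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; callers must be authorised."""
        return self._token_to_pan[token]  # KeyError for unknown tokens


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(TEST_PAN)
    print("truncated :", truncate(TEST_PAN))
    print("keyed hash:", keyed_hash(TEST_PAN, b"constructed-demo-key")[:16], "...")
    print("token     :", tok, "(Luhn valid:", luhn_valid(tok), ")")
    print("detoken   :", vault.detokenize(tok))
```

The randomness comes from the `secrets` module, so the token is not derived from the PAN at all; the "infeasibility" property on the slide is therefore unconditional rather than resting on a key. The trade-off is that the vault table becomes the crown jewel, which is why the slide's architecture keeps the point of detokenisation inside the PCI-compliant zone.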
Questions?

Thank you
