PCI DSS: Why it matters

Presentation by Steve Wilson of VISA on the brand's view of why a company should consider implementing PCI DSS and the benefits that its implementation brings.

Published in: Technology, Business


Transcript

  • 1. For Visa Internal Use Only. This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities. PCI DSS – Why it matters. Steve Wilson, Head of Information Security Compliance, Visa Europe. Madrid, 7 November 2007
  • 2. What is PCI DSS?
      – 'Common sense' approach to data security
      – Closely linked to other standards: BS 7799, ISO 27001, Sarbanes-Oxley etc.
      – Focussed on card data
      – Owned and managed by PCI SSC (independent of the card schemes)
      – Any organisation can become a participant
  • 3. Why is PCI DSS important?
  • 4. A simple equation: Data = identity = money
  • 5. A Visa card… Card number, expiry date
  • 6. A Visa card… (cont.)
      – CVV2: the card account number, plus a three-digit Card Verification Value 2 (CVV2), is indent-printed on the signature panel
      – Magnetic stripe made up of "Track 1" and "Track 2" data
      – Track data and CVV2 should never be stored after authorisation
  • 7. Card data is retained by companies for 3 weeks or longer after authorisation. Reasons given include:
      – Marketing purposes
      – As a unique customer identifier
      – Fraud analysis
      – Customer profiling
  • 8. Data security and your brand
      – How much would your brand be worth if you lose your consumers' trust?
      – Would your consumers stay with you?
      – Would your shareholders stay with you?
  • 9. Your brand needs security!
      – Compromises do happen every day, everywhere
      – In the consumer's view, consumers, card schemes and merchants share responsibility for protecting their card data
      – Yet… 63% of consumers view merchants as the weakest link when it comes to protecting their data¹
      ¹Source: Javelin Strategy and Research 2007
  • 10. Merchants as the weakest link
  • 11. Consumer confidence seriously impacted by a data breach. In the case of a breach…
      – 49% of consumers believe merchants to be the most likely source of the data breach
      – 3 out of 4 consumers won't shop again at a compromised merchant
      – Investing in PCI DSS should be part of your consumer retention plans
  • 12. Media and regulators are watching us…
      – National and European governments are showing increasing interest in the area of account information security
        • The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise) – already adopted in California, Minnesota and Texas
      – Media increasingly questioning industry compliance and progress…
  • 13. Security and your corporate social responsibility strategy
      – 84% of consumers want to shop at merchants who are security market leaders
      – A secure merchant secures consumers' trust!
      – Can you retain your shareholders if you lose your customers?
  • 14. Security/IT benefits
      – A socially responsible merchant is fully aware of how its systems work and what it is doing to protect the card data in its possession
      – PCI DSS makes you aware of issues:
        • This enables you to fix them
        • This works towards protecting consumers' and shareholders' trust in your brand
  • 15. Financial benefits
      – The sheer financial cost of a compromise may prove hard to bear
      – Large retailers indicate that their business case for investing in PCI DSS is based on the potential financial cost of reacting to a data breach
  • 16. Costing the reaction to a data breach = €10,000,000¹
      + Hiring security firms to contain the compromise
      + Replacing systems
      + Increased customer service costs
      + Actual costs of internal investigations
      + Outside legal defence fees
      + Discounted services offered
      + Lost employee productivity
      + Financial hit from lost customers
      ¹Figure is based on the average cost of containing a compromise, based on research by the Ponemon Institute
  • 17. Some tips from large merchants in Europe and the US
      – Senior management sponsorship is mandatory
      – Assign dedicated people
      – PCI DSS is as much about people and business processes as it is about systems
      – Map and document your business processes:
        • Trace cardholder data from point of sale to billing and settlement
        • Map the systems, applications and databases that support these processes
        • Re-engineer processes to remove duplicate or unnecessary data
      – Reduce the scope as much as possible:
        • Segment the cardholder data network from the rest of the network
        • If you don't need it, don't store it!
      – Engage a QSA early on in the project
  • 18. Considerations
      – We need to reduce our information footprint
      – We need to rethink ways of achieving the same marketing and fraud objectives without storing data unnecessarily
      – We need to prioritise the removal of magstripe and card verification data
  • 19. Support from Visa Europe. Collateral available from the Visa Europe website: http://www.visaeurope.com/aboutvisa/security/ais/main.jsp
      – Merchant implementation guides
      – Service provider guides
      – Available in English, French, Spanish, German, Italian
      – List of certified service providers
      – Work with acquiring banks to provide merchant training and guidance on specific issues
  • 20. Thank you
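The rule on slide 6 (track data and CVV2 are never stored after authorisation) and the tips on slides 17 and 18 (keep only what you need, strip magstripe and card verification data, re-engineer processes that keep the PAN as a customer identifier), as an added Python example that is not part of the original presentation. The Track 2 string, CVV2 and HMAC key are constructed sample values, and the keyed token as a stand-in for the "unique customer identifier" of slide 7 is an assumed approach, not something the slides prescribe.

```python
import hashlib
import hmac
import re

# Constructed sample values (not real card data): a Track 2 string as read from the
# magstripe (PAN, '=' separator, expiry YYMM, service code, discretionary data) and a CVV2.
SAMPLE_TRACK2 = ";4111111111111111=29121011234567890123?"
SAMPLE_CVV2 = "123"
# Track 2 shape: 13-19 digit PAN, '=', four-digit expiry, further digits, optional sentinels.
TRACK2_RE = re.compile(r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\??")

def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used to reject false positives in discovery scans."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_track2(track: str) -> dict:
    m = TRACK2_RE.fullmatch(track.strip())
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a well-formed Track 2 record")
    return {"pan": m["pan"], "expiry": m["exp"]}

def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; the middle is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def customer_token(pan: str, key: bytes) -> str:
    """Keyed HMAC of the PAN: a stable identifier for marketing or fraud analysis that
    does not reveal the PAN (assumed approach; the key must be kept secret)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def post_auth_record(track2: str, cvv2: str, key: bytes) -> dict:
    """The record kept after authorisation: the full track and the CVV2 are used only
    for the authorisation request and are never written to storage."""
    fields = parse_track2(track2)
    assert cvv2.isdigit() and len(cvv2) == 3  # sent with the auth request, not stored
    return {
        "pan_truncated": truncate_pan(fields["pan"]),
        "customer_token": customer_token(fields["pan"], key),
        "expiry": fields["expiry"],
    }

def contains_track2(blob: str) -> bool:
    """Discovery check for logs and databases: is Track 2 data still stored?"""
    return TRACK2_RE.search(blob) is not None
```

Running `contains_track2` over exported logs and database dumps is the quick check behind slide 18's "prioritise the removal of magstripe data"; the retained record it produces contains nothing the check would flag.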