8. In 2006, data on 40 million credit cards was compromised through breaches at third-party payment processors.
9. PCI DSS is a joint effort by Visa, MasterCard, American Express, Discover and JCB. PCI applies to all merchants and service providers that process, transmit, or store credit card information. The standard is enforced by the card companies and acquiring banks.
10. When Should I Act?
"All Deadlines had Passed"
Bob Russo, Director, PCI Security Standards Council
11. The Pressure is Here... Visa has recently issued letters to service providers demanding that they be compliant and certified by as early as June 2008. This is the long-awaited final call to the industry. There is no more room for the excuses "I don't know" or "PCI has nothing to do with my organization".
13. 12 Key Requirements for All Organizations

Protect Cardholder Data
1. Protect stored data (in both hardcopy and electronic copy)
2. Encrypt transmissions of cardholder data (electronic copy)

Implement Strong Access Control Measures
3. Restrict access by need-to-know
4. Assign unique IDs to all users
5. Restrict physical access to cardholder data (hardcopy)

Regularly Monitor and Test Networks
6. Track and monitor access to cardholder data
7. Regularly test security systems and processes

Maintain an Information Security Policy
8. Maintain an information security policy

Build and Maintain a Secure Network
9. Install and maintain a firewall
10. Do not use vendor default passwords

Maintain a Vulnerability Management Program
11. Use and update antivirus software
12. Develop and maintain secure systems and applications
14. Guidelines for Credit Card Data Storage

Data Element                              Storage Permitted   Protection Required   PCI DSS Req. 3.4
Cardholder Data (hardcopy and electronic)
  Primary Account Number (PAN)            Yes                 Yes                   Yes
  Cardholder Name                         Yes                 Yes                   No
  Service Code                            Yes                 Yes                   No
  Expiration Date                         Yes                 Yes                   No
Sensitive Authentication Data
  Full Magnetic Stripe                    No                  N/A                   N/A
  CVC2 / CVV2 / CID                       No                  N/A                   N/A
  PIN / PIN Block                         No                  N/A                   N/A
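The storage table above is a policy that an application can enforce mechanically before a transaction record reaches a database or log. The following is an added example, not code from the original slides or from Evolution: it transcribes the table into a lookup, drops every element the table forbids (and, failing closed, any field the table does not list), and renders the PAN unreadable as Requirement 3.4 demands. The field names, the constructed sample record, and the choice of truncation (first six and last four digits) as the Req. 3.4 protection are assumptions; the slide only states that protection is required.

```python
# Added example (not from the original slides): enforce the
# "Guidelines for Credit Card Data Storage" table before a transaction
# record is persisted. Field names, the sample record and the choice of
# truncation as the Req. 3.4 protection are assumptions.

# Policy table transcribed from the slide:
#   field -> (storage permitted, protection required, Req. 3.4 applies)
STORAGE_POLICY = {
    "pan":             (True,  True,  True),   # Primary Account Number
    "cardholder_name": (True,  True,  False),
    "service_code":    (True,  True,  False),
    "expiration_date": (True,  True,  False),
    "magnetic_stripe": (False, None,  None),   # sensitive authentication data
    "cvv2":            (False, None,  None),   # CVC2 / CVV2 / CID
    "pin_block":       (False, None,  None),   # PIN / PIN block
}


def mask_pan(pan: str) -> str:
    """Render a PAN unreadable for storage by keeping only the first six and
    last four digits (assumption: truncation is the Req. 3.4 option chosen)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Protections that satisfy the Req. 3.4 column; a field marked True there
# without an entry here makes prepare_for_storage fail closed.
RENDER_UNREADABLE = {"pan": mask_pan}


def prepare_for_storage(record: dict) -> tuple:
    """Return (record safe to persist, list of fields that were dropped).

    - fields the table forbids, and fields it does not list, are dropped;
    - fields under Req. 3.4 are rendered unreadable;
    - everything left still needs the "Protection Required" controls from the
      slide's third column (access control, encryption at rest); those belong
      to the storage layer, not to this function.
    """
    safe, dropped = {}, []
    for field, value in record.items():
        policy = STORAGE_POLICY.get(field)
        if policy is None or not policy[0]:
            dropped.append(field)
            continue
        _, _, req_3_4 = policy
        if req_3_4:
            protect = RENDER_UNREADABLE.get(field)
            if protect is None:
                raise RuntimeError(f"no Req. 3.4 protection configured for {field}")
            value = protect(value)
        safe[field] = value
    return safe, dropped


# Constructed sample: what a POS application might hold right after authorization.
SAMPLE_AUTH_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Cardholder",
    "service_code": "201",
    "expiration_date": "12/29",
    "magnetic_stripe": "%B4111111111111111^CARDHOLDER/A^29122010000000000000?",
    "cvv2": "123",
    "pin_block": "1A2B3C4D5E6F7A8B",
    "terminal_notes": "not in the table, so dropped (fail closed)",
}

if __name__ == "__main__":
    stored, removed = prepare_for_storage(SAMPLE_AUTH_RECORD)
    print("stored :", stored)
    print("dropped:", removed)
```

Run it as a script to see the sanitized record; the useful property is that sensitive authentication data never reaches the persistence layer even when an upstream component hands it over, and that a new field cannot silently become stored cardholder data without an explicit policy entry.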
20. 6-Step PCI Compliance Process
Step 1: Define which merchant level your business belongs to
Step 2: Map out the data flows in your business
Step 3: Conduct a gap analysis and scope the project
Step 4: Plan and implement remediation
Step 5: Obtain certification
Step 6: Stay compliant
21. Evolution's Full PCI Cycle
- Seeking assistance from QSAs and consultants
- Conducting gap analysis
- Prioritizing remediation
- Implementing changes and safeguards
- Maintaining compliance