A presentation from Stephen O’Boyle, Head of Consultancy at Espion, on PCI DSS in Retail: Now and into the Future.

Transcript of "PCI DSS in Retail: Now and into the Future"

Slide 1
PCI DSS in Retail
Now and into the Future
Presenter: Stephen O’Boyle, Head of Consultancy
© Espion Sept 2013
For more information visit www.espiongroup.com

Slide 2: Agenda
1. Current PCI process
   – Challenges for
     • Small retailers
     • Large retailers
2. Point to Point Encryption (P2PE)
3. PCI DSS v3 Highlights
   – Clarification
   – Additional Guidance
   – Evolving Requirement
4. Summary

Slide 3: Current PCI process
• PCI Standards - strong framework for protecting payment card data
• Principles apply to various environments and industry verticals, including small to large retailers
  – Cardholder data is processed, stored, or transmitted
• Size & type of business will determine the specific compliance requirements that must be met
• Enforcement and fines managed by payment brands / acquirers
  – Not the PCI Council

Slide 4: Challenges
• Small Retailers
  – Awareness of compliance requirements
  – Implications of non-compliance
    • Fines, reputational damage
  – Identifying correct scope
  – Performing a self assessment to the appropriate SAQ

Slide 5: Challenges
• Large Retailers
  – Identifying scope
  – Staff awareness
  – Annual audits / SAQ
  – Maintaining compliance
  – P2PE

Slide 6: Point to Point Encryption
• Point-to-Point Encryption (P2P Encryption) designed to
  – Reduce PCI DSS scope
  – Protect cardholder data throughout the electronic payment processing cycle
• Protects data as soon as it is collected from a card swipe until the payment settlement process is complete
• Sometimes referred to as End-to-End Encryption
• “...remember... no silver bullet to securing a payment environment,” said Bob Russo, general manager, PCI SSC
  – “Implementing one of these technologies will not automatically make you compliant with the PCI DSS”.

Slide 7: Point to Point Encryption
• Guidance produced on P2PE; a compliant solution qualifies for reduced scope. Guidance also states:
  – P2PE solutions do not eliminate the need to maintain PCI DSS compliance for specific systems
  – Recognizes the need for a set of criteria to validate the effectiveness of P2PE solutions so that merchants can have confidence that the solution they deploy properly secures cardholder data
• Previously no global standardization of point-to-point encryption technology or validation of its implementation existed in the industry.

Slide 8: PCI DSS v3 – Change Highlights
• Types of changes to the Standards are categorized as follows:
  1. Clarification
  2. Additional Guidance
  3. Evolving Requirement

Slide 9: Clarification - PCI DSS v3
• Enhanced testing procedures to clarify the level of validation expected for each requirement
  – To put more emphasis on the quality and consistency of assessments.
• Clarified that sensitive authentication data must not be stored after authorization even if PAN is not present
  – To ensure better understanding of protection of sensitive authentication data.
• Clarified the intent and scope of daily log reviews
  – To help entities focus log-review efforts on identifying suspicious activity and allow flexibility for review of less-critical log events, as defined by the entity’s

Slide 10: Additional Guidance - PCI DSS v3
• Added guidance for all requirements with content from the former Navigating PCI DSS Guide
  – To assist understanding of security objectives and intent of each requirement
• Added guidance for implementing security into business-as-usual (BAU) activities and best practices for maintaining on-going PCI DSS compliance
  – To address compromises where the organization had been PCI DSS compliant but did not maintain that status.
  – Recommends focus on helping organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.

Slide 11: Evolving Requirement - PCI DSS v3
• Update list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc., for inclusion in secure coding practices
  – To keep current with emerging threats
• Evaluate evolving malware threats for systems not commonly affected by malware
  – To promote on-going awareness and due diligence to protect systems from malware

Slide 12: Summary
• Current PCI process
• Point to Point Encryption (P2PE)
• Highlights of changes in PCI DSS v3

Slide 13: Questions
???
Contact: Stephen.oboyle@espiongroup.com

Slide 14: About Espion
Information Risk, Security & Compliance
Digital Investigations & Litigation Support
Insight, Intelligence & Control
Expertise, Innovation & IP
Knowledge Transfer and Certification
Technology & Product Distribution

Slide 15: About Espion
Seven locations and growing.

Slide 16: About Espion
57 consultants and hiring.

Slide 17: About Espion
Highly qualified and continuously developing.

Slide 18: About Espion
A culture of achieving.