Chameleon PCI Presentation
Chameleon Payment Card Industry (PCI) Presentation
1. Facing the Challenges of PCI Compliance
   Presented by:

2. The Need

3. What is credit card compromise?
   An unauthorized individual taking advantage of a flaw in a system that processes, transmits or stores cardholder data, in order to gain access to:
   - Card numbers (PAN)
   - Expiration dates
   - CVV2/CVC2/CID
   - Track data
   Note that CVV2/CVC2/CID and full track data are sensitive authentication data: PCI DSS does not permit them to be stored after authorization, even in encrypted form, so finding them at rest on a compromised system is itself a compliance failure.

4. Theft of Payment Card Data Is Thriving
   The perpetrators:
   - Script kiddies
   - International crime syndicates
   - Malicious third parties
   - Employees
   utilize the tools:
   - Port scanners
   - Vulnerability scanners
   - Web application scanners
   (all freely available online)
   to find the gaps:
   - Weak configurations
   - Operating system flaws
   - Programming errors
   - Lack of staff training
   - Flawed policies
   - Negligence
   - Poor change control
   - Application-induced backdoors
   - Nearby systems/networks

5. And It's Easier Than Many Think
   Breach investigations have located compromised cardholder data on popular public-facing web sites.

6. Selling Cardholder Information is Lucrative
   Once compromised, credit card numbers are sold on the black market for profit.

7. PCI DSS Participants
   - Card schemes (responsible for PCI DSS creation and maintenance)
   - Members (acquirers)
   - Service providers
   - Data storage entities
   - Third-party processors
   - Merchants

8. Six Goals, Twelve Requirements: the PCI DSS "Digital Dozen"
   The Payment Card Industry Data Security Standard
   Build and Maintain a Secure Network
   1. Install and maintain a firewall configuration to protect cardholder data
   2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Protect Cardholder Data
   3. Protect stored cardholder data
   4. Encrypt transmission of cardholder data across open, public networks
   Maintain a Vulnerability Management Program
   5. Use and regularly update anti-virus software
   6. Develop and maintain secure systems and applications
   Implement Strong Access Control Measures
   7. Restrict access to cardholder data by business need-to-know
   8. Assign a unique ID to each person with computer access
   9. Restrict physical access to cardholder data
   Regularly Monitor and Test Networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
   Maintain an Information Security Policy
   12. Maintain a policy that addresses information security

9. Non-Compliance: Risks, Fines, Fees, Costs, Loss
   A non-compliant, compromised business could expect the following:
   - Damage to brand/reputation
   - Investigation costs
   - Remediation costs
   - Fines and fees:
     - Non-compliance (each card brand issues separate fines)
     - Card re-issuance
     - Fraud loss
   - Ongoing compliance audits
   - Victim notification costs
   - Financial loss
   - Data loss
   - Charge-backs for fraudulent transactions
   - Operations disruption
   - Sensitive information disclosure
   - Denial of service to customers
   - Individual executives held liable
   - Possibility of business closure

10. PCI Compliance: Sound Business Practice
   - Fundamental best security practices
     - Avoids fraud
     - Maps to and supports other compliance regimes
   - Upholds the brand name
     - Adds value to the name
     - Increases consumer confidence
     - Improves reputation
   - Clarifies where data is stored
     - Helps the organization understand its own systems better

11. PCI DSS Compliance Can Protect Against Fines
   Members receive "Safe Harbor" for compromised merchants found to be PCI-compliant at the time of breach.