PCI Compliance Seminar

Slide 1: PCI DSS Education & Compliance Seminar

Many card-accepting businesses have felt the pain associated with a network penetration and data breach. It can happen to you! Learn how the bad guys are doing their dirty work and how you can protect your business!

David Frick, Phil Kluge and Jesse Snyder are co-founders of Transaction Resources, Inc. (TRI). TRI offers innovative payment processing solutions to merchants by combining the latest technologies with a passion for customer service and competitive rates. Transaction Resources, Inc., doing business as TRI, is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA.
Slide 2: What is PCI DSS?
  - Payment Card Industry Data Security Standard
Slide 3: Is There a Single Standard for the Payment Card Industry?
  - Yes. This program was established through a collaboration between Visa, MasterCard, American Express, JCB, Discover and Diners to create a single standard.
Slide 4: To Whom Does PCI DSS Apply?
  - "PCI DSS compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce" no matter the size of the business.
  - All Merchants
Slide 5: How is Compliance Achieved?
  - Adherence to the requirements laid out under PCI DSS.
  - Identification and remediation of vulnerabilities through the compliance validation process.
Slide 6: Why Were the PCI Data Security Standards Established?
  - Cyber crime is growing in diversity and sophistication
  - Integrated POS systems are increasingly targeted
      - Frequently, magnetic stripe data is stolen from log files as opposed to traditional databases
      - Sensitive data is often unknowingly stored, leading to risk
      - Hackers are targeting centralized servers with Internet connectivity, not just e-commerce merchants
Slide 7: What are the Account Data Compromise Impacts?
  - Counterfeit cards and fraud
  - Significant chargeback risk
  - Penalties, fines, losses
  - Negative media coverage
  - Damage to reputation
  - Re-issuance and monitoring of cards
  - Impacts to consumer confidence
  - Potential of new legislation
Slides 8-12: Fraud Loss Example

SCENARIO: Merchant A is storing track data on its server. A fraudster hacks into the system and steals cardholder track data, creates counterfeit plastics from the stolen data, and these plastics are subsequently used at Merchants A, B, C, and D.

QUESTION: Is Merchant A liable for losses that result from use of the counterfeit cards at Merchant A?
ANSWER: Yes.

QUESTION: Is Merchant A liable for losses that result from use of the counterfeit cards at Merchant B, C, or D?
ANSWER: Yes. Merchant A may become liable for the fraud losses which occurred from the compromised cards at Merchants B, C, and D through the compliance case process.

EXAMPLE: 500,000 cards stolen. 10,000 cards used fraudulently at each of Merchant B, C, and D = 10,000 x 3 merchants = 30,000 cards.
COMPLIANCE CASE PROCESS: 30,000 cards x $500 average ticket = $15,000,000. In addition, Merchant A will be responsible for fines and monitoring expenses.
Slides 13-16: Example of Monetary Loss to Businesses
  - 6 credit cards compromised
      - Level 4 merchant
      - $36,000
  - 40 million credit cards compromised
      - Service provider
      - Put out of business
  - Laptop stolen with card data
      - Level 4 merchant
      - $110,000
  - More Level 4 merchants are compromised than any other group!
Slide 17: Fraud Costs
  - Lost goods & services
  - Investigation costs
  - Card re-issuance
  - Fines
Slide 18: Merchant Classifications
  - Level 1
      - All channels
      - >6MM Visa or MC transactions per year
  - Level 2
      - All channels
      - 1MM to 6MM Visa or MC transactions per year
  - Level 3
      - 20,000 - 999,999 e-commerce Visa or MC transactions per year
  - Level 4
      - <20,000 Visa or MC e-commerce transactions per year, or
      - <1MM non-e-commerce Visa or MC transactions per year
Slide 19: What is a Compromise?
  - Incidents involving an electronic or physical breach of cardholder information and/or card data
Slide 20: Types of Breaches
  - Electronic breach: data vulnerability in transit and storage, application-level attacks via web servers or websites, private key mismanagement and unauthorized access to encryption keys, identity and access weaknesses in user ID/password based security, misconfigurations and other administrative network problems
  - Physical breach: physical theft of documents or equipment (e.g., cardholder receipts, files, PCs, POS terminals, etc.)
  - Skimming: capturing magnetic stripe data using an external device (e.g., a card reader or pad attached to an ATM or POS terminal) to create counterfeit cards
Slide 21: Common Vulnerabilities
  1) Inappropriate data storage (e.g. full track, CVV2, PIN blocks)
  2) Insecure wireless
  3) Vendor default settings and passwords (PC Anywhere is extremely vulnerable)
  4) Lack of network segmentation (POS system on a PC with external Internet access)
  5) Unnecessary and vulnerable services on servers
  6) Missing or outdated security patches
Slide 22: PCI DSS Basic Requirements
  - Build and Maintain a Secure Network
      1. Install and maintain a firewall configuration to protect data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters
  - Protect Cardholder Data
      3. Protect stored data
      4. Encrypt transmission of cardholder data and sensitive information across public networks
Slide 23: PCI DSS Basic Requirements
  - Maintain a Vulnerability Management Program
      5. Use and regularly update anti-virus software
      6. Develop and maintain secure systems and applications
  - Implement Strong Access Control Measures
      7. Restrict access to data by business need-to-know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
Slide 24: PCI DSS Basic Requirements
  - Regularly Monitor and Test Networks
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes
  - Maintain an Information Security Policy
      12. Maintain a policy that addresses information security that all employees are informed of and adhere to
Slide 25: What Does Each Merchant Need to Provide to Their Credit Card Processing Bank?
  - Complete and validate an annual PCI Self-Assessment Questionnaire
  - Complete quarterly network scans to check your systems for vulnerabilities
  - Do annual penetration testing to test that your systems are hacker-resistant
  - Ensure that these security scans are performed by a qualified independent scan vendor
Slide 26: Safe Harbor
  - Safe harbor provides members protection from fines and compliance exposure in the event a merchant or service provider experiences a compromise. To attain safe harbor status:
      - A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach, as demonstrated during a forensic investigation
      - A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance
      - It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise
Slide 27: Keeping your Business Compliant
  - DO NOT STORE TRACK, PIN OR CVV2 / CVC2 data.
  - Educate your employees on PCI DSS compliance and associated risks
  - Ensure your third-party POS vendors are PCI DSS compliant (anyone touching your data for any purpose)
  - Utilize a Qualified Data Security Assessment Firm
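Slides 6, 21 and 27 all come back to the same point: track data, CVV2/CVC2 and PIN blocks must never be stored, and in practice they leak into log files rather than databases. The script below is an added example, not material from the seminar or from TRI, showing how a merchant could check its own application logs for these elements and mask any PAN down to the first six and last four digits. The log format, the field names cvv2/cvc2/cid and the sample lines are constructed assumptions; the card numbers are published test numbers, not real accounts.

```python
"""Added example (not from the seminar): scan application log lines for cardholder
data that PCI DSS says must never be stored after authorization (full track data,
CVV2/CVC2, PIN blocks) and mask any PAN found, keeping only the first six and
last four digits. Log lines and card numbers below are constructed test values."""
import re

# Track 1 (ISO/IEC 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}\d{3}[^?]*\?")
# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card verification value logged in clear text (the field names are assumptions).
CVV_RE = re.compile(r"\b((?:cvv2?|cvc2?|cid)\s*[=:]\s*)\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> list:
    """Digit runs that look like a PAN and pass the Luhn check."""
    return [m.group(0) for m in PAN_RE.finditer(line)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]


def mask_pan(pan: str) -> str:
    """Display form PCI DSS permits: at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(line: str) -> set:
    """Which must-not-store elements a single log line contains."""
    findings = set()
    if TRACK1_RE.search(line):
        findings.add("track1")
    if TRACK2_RE.search(line):
        findings.add("track2")
    # Track data embeds the PAN; strip it so the same PAN is not counted twice.
    stripped = TRACK2_RE.sub("", TRACK1_RE.sub("", line))
    if CVV_RE.search(stripped):
        findings.add("cvv2")
    if find_pans(stripped):
        findings.add("pan")
    return findings


def sanitize(line: str) -> str:
    """Redact track data and CVV entirely; mask PANs to first six / last four."""
    line = TRACK1_RE.sub("[TRACK1 REDACTED]", line)
    line = TRACK2_RE.sub("[TRACK2 REDACTED]", line)
    line = CVV_RE.sub(r"\g<1>***", line)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0),
        line)


# Constructed sample log lines; the PANs are well-known test numbers, not real cards.
SAMPLE_LOGS = [
    "2011-03-14 10:02:11 INFO  auth ok pan=4111111111111111 amount=59.99",
    "2011-03-14 10:02:12 DEBUG raw swipe: ;5555555555554444=2512101123456789?",
    "2011-03-14 10:02:13 DEBUG cvv2=123 result=match",
    "2011-03-14 10:02:14 INFO  order 20110314100214 shipped",  # 14-digit order id, not a PAN
    "2011-03-14 10:02:15 DEBUG track1 %B4111111111111111^DOE/JOHN^2512101000000000?",
]


def scan(lines) -> list:
    """(line number, findings) for every line that holds data that must not be stored."""
    return [(n, classify(l)) for n, l in enumerate(lines, 1) if classify(l)]


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOGS):
        print(f"line {n}: {sorted(found)} -> {sanitize(SAMPLE_LOGS[n - 1])}")
```

Run against a real log directory, a hit on track1, track2 or cvv2 is a storage violation to fix at the source (the POS or payment application writing the line), not merely something to scrub afterwards; the masking step is only appropriate for PANs that the business has a documented need to keep, and those still need the storage protections of requirement 3.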
Slide 28: Websites for More Information
  - www.visa.com/cisp
  - sdp.mastercardintl.com for compliance tips and PCI DSS requirements
  - www.pcisecuritystandards.org
  - www.transactionresources.com/pci/
Slide 29: QUESTIONS?