PCI-DSS
INTRODUCTION
Nguyen Ngo, Ninh Dang
Agenda
PCI-DSS Fundamentals
  - What is PCI-DSS
  - Why are the PCI Security Standards Important?
  - Key Definitions
  - PCI Standards Boundary
  - Recommended Understanding
Instructions
  - Determine PCI Level
  - Validation Requirements
  - Choose SAQ
Implementation
  - Principles
  - PCI-DSS Requirements
  - PA-DSS Requirements
  - Self-Assessment Questionnaire
  - Report
PCI-DSS Fundamentals
Payment Card Data Issues
(The original slide carries an illustration only.)
What is PCI?
PCI stands for the Payment Card Industry and is used to refer to:

  - The PCI Security Standards Council (PCI SSC), an industry body founded by the major card brands to protect cardholder data. Founders: (card-brand logos on the original slide)
  - The global security standards created and maintained by the PCI SSC to protect cardholder payment data.

Key Learning Point: Compliance with the PCI Security Standards is mandatory for merchants and their service providers, and is enforced by the major card brands that established the PCI SSC.
What is PCI DSS?

  "The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information… the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents."

  – PCI Standards Council –
Why are the PCI Security Standards Important?
The standards are important because they protect cardholder data in order to help prevent data compromises and the fraud that follows them:

  - Customers expect merchants and their acquirers to keep their card account data safe.
  - Data compromises can result in significant fines and losses for merchants and can damage the merchant's reputation with customers.
  - The number of data compromise incidents is increasing annually; organized criminal enterprises are targeting vulnerable merchants.
Key Definitions
Data definitions

  - Cardholder data: PAN (Primary Account Number), cardholder name, service code, expiration date.
  - Sensitive authentication data: full magnetic stripe (track) data, card verification code or value (CAV2, CID, CVC2, CVV2), PIN and PIN block.

The distinction matters in practice: cardholder data may be stored if it is protected, whereas sensitive authentication data must not be stored after authorization at all, even in encrypted form.

Keywords

  - PCI DSS: Payment Card Industry Data Security Standard
  - PA-DSS: Payment Application Data Security Standard
  - PTS: PIN Transaction Security
  - QSA: Qualified Security Assessor
  - SAQ: Self-Assessment Questionnaire
  - ASV: Approved Scanning Vendor
PCI Standards Boundary

  - The PCI Data Security Standard (PCI DSS): if a business accepts or processes payment cards, it must comply with the PCI DSS. It is the standard that merchants, processors, and service providers must meet for the complete protection of payment cardholder data.
  - The Payment Application Data Security Standard (PA-DSS) and the PIN Transaction Security (PTS) requirements (previously known as the PIN Entry Device (PED) requirements) support the overall implementation of PCI DSS by allowing merchants to choose from Council-certified payment application software and PIN entry devices.
Recommended Understanding
PCI DSS tells you what you need to do: which standards you need to meet to be compliant.

PCI DSS does not tell you how to become compliant. That is individual to your situation and your environment:

  - Your systems
  - Your processes
  - Your vendors
  - Your customers

Being compliant does not necessarily make you secure.

Being secure leads to compliance, not the other way around.
Instructions

  - Determining your PCI level
  - Validation requirements
  - Selecting the SAQ that best applies to your organization
Determining your PCI Level
You need to assess where you are on the scale of risk. The levels below are the Visa and MasterCard (MC) volume thresholds as listed on the slide:

Level 1
  - All channels: more than 6MM Visa or MC transactions per year

Level 2
  - All channels: 1MM - 6MM Visa or MC transactions per year
  - E-commerce: >150,000 - 6MM MC transactions per year

Level 3
  - 20,000 - 150,000 e-commerce MC transactions per year
  - 20,000 - 999,999 e-commerce Visa transactions per year

Level 4
  - <20,000 Visa or MC e-commerce transactions per year
  - <1MM non-e-commerce Visa or MC transactions per year

Each card brand defines its own levels and may revise them, so check the brand's current program; a merchant that has suffered a compromise can be placed at Level 1 regardless of volume.
Validation requirements
Level 1 merchants
  - Complete an annual on-site PCI data security assessment in accordance with the PCI audit procedures (Visa website). The ROC reporting template can be used for your Report on Compliance (ROC).
  - Engage a Visa-approved qualified data security company (a QSA) to complete your ROC.
  - Validate the ROC by the due date (preferably sooner, in case issues arise in the ROC; this helps avoid the assessment of fines).
  - Provide the ROC to your acquirer (the slide names Bank of America Merchant Services).
  - Alternatively, the merchant's internal auditor may prepare the ROC, which must be accompanied by a letter signed by an executive-level officer of the merchant's organization validating the ROC.
  - Complete quarterly network scans to check your systems for vulnerabilities.
  - Complete annual penetration testing to test that your systems are hacker-resistant.
  - Ensure that the quarterly scans are performed by a qualified independent scan vendor (ASV).

Level 2, 3 and 4 merchants
  - Complete and validate an annual PCI Self-Assessment Questionnaire.
  - Complete quarterly network scans to check your systems for vulnerabilities.
  - Complete annual penetration testing to test that your systems are hacker-resistant.
  - Ensure that the quarterly scans are performed by a qualified independent scan vendor (ASV).
Selecting the SAQ that Best Applies to Your Organization

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage.

SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

SAQ D: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
Implementation

  - Determine scope
  - Rebuild systems based on the requirements
  - Self-Assessment Questionnaire
  - Report

Determining Scope - Network Segmentation
(The original deck shows three network diagrams here. Segmentation isolates the systems that store, process or transmit cardholder data so that only that environment, rather than the whole network, is in scope for PCI DSS.)
Principles

SECURE → TRACK → AUDIT

  - You need to ensure that your data is first secured, both physically and electronically.
  - You need to ensure you have mechanisms in place to track who accesses your data and when.
  - You need to review your tracking (audit) to look for anomalies.
PCI DSS – Requirements
Six Goals, Twelve Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors
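The Principles slide (secure, then track, then audit for anomalies) and Requirements 7, 8 and 10 say what the access trail must support but not what a review of it looks like. The following Python is an added example, not code from the deck or from the PCI SSC: the log format, the sample lines, the need-to-know list, the generic-account list and the business-hours window are all assumptions made for illustration. It parses a constructed audit trail of access to a cardholder data store and flags three kinds of anomaly an auditor would chase: access by a user with no business need (Requirement 7), use of a shared or generic account that cannot be tied to one person (Requirement 8), and access outside business hours, the kind of pattern the Requirement 10 log review is meant to surface.

```python
from datetime import datetime, time

# Constructed sample audit trail (not real data): UTC timestamp, user, action, resource.
SAMPLE_LOG = """\
2024-03-01T09:15:02Z alice READ chd_db.cards
2024-03-01T10:02:44Z bob READ chd_db.cards
2024-03-01T23:40:10Z alice EXPORT chd_db.cards
2024-03-01T11:00:00Z admin READ chd_db.cards
2024-03-01T12:30:00Z carol READ inventory.items
"""

# Assumed policy inputs for the example.
NEED_TO_KNOW = {"alice"}                        # users with a business need (Req 7)
GENERIC_ACCOUNTS = {"admin", "root", "sa"}      # shared IDs that Req 8 forbids
CHD_RESOURCES = {"chd_db.cards"}                # stores holding cardholder data
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # access outside this window is unusual


def parse_log(text: str) -> list:
    """Parse 'timestamp user action resource' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "resource": resource,
        })
    return events


def review(events: list) -> list:
    """Return (finding_kind, event) pairs for anomalous cardholder-data access."""
    findings = []
    start, end = BUSINESS_HOURS
    for e in events:
        if e["resource"] not in CHD_RESOURCES:
            continue                                  # only CHD access is reviewed here
        if e["user"] in GENERIC_ACCOUNTS:
            findings.append(("shared-account", e))    # Req 8: not attributable to a person
        elif e["user"] not in NEED_TO_KNOW:
            findings.append(("not-need-to-know", e))  # Req 7: no business need
        if not (start <= e["ts"].time() < end):
            findings.append(("off-hours", e))         # Req 10 review: anomaly to investigate
    return findings


def summarize(findings: list) -> dict:
    """Count findings by kind, the figure a periodic audit review reports."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for kind, e in found:
        print(f"{kind:17} {e['ts'].isoformat()} {e['user']} {e['action']} {e['resource']}")
    print(summarize(found))
```

On the sample trail the review flags bob (no need-to-know), alice's 23:40 export (off-hours) and the generic admin account; carol's inventory access is out of scope and alice's morning read is normal. In a real deployment the lists would come from the access-control policy rather than constants, and each finding would be tracked to closure as the "audit" step of the principles slide.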
PA-DSS Introduction
Formerly known as PABP (Payment Application Best Practices), supervised by Visa.

Goals
  - Develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data.
  - Ensure that payment applications support compliance with the PCI DSS.

The requirements of the PA-DSS are derived from the PCI DSS.

Why focus on software? Vulnerable payment applications are currently the leading cause of data compromise incidents, particularly for small merchants.
PA-DSS Requirements
Fourteen Requirements

  1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
  2. Protect stored cardholder data
  3. Provide secure authentication features
  4. Log payment application activity
  5. Develop secure payment applications (5.2: OWASP Guide, SANS/CWE Top 25, CERT Secure Coding)
  6. Protect wireless transmissions
  7. Test payment applications to address vulnerabilities
  8. Facilitate secure network implementation
  9. Cardholder data must never be stored on a server connected to the Internet
  10. Facilitate secure remote software updates
  11. Facilitate secure remote access to the payment application
  12. Encrypt sensitive traffic over public networks
  13. Encrypt all non-console administrative access
  14. Maintain instructional documentation and training programs for customers, resellers, and integrators
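The Key Definitions slide (cardholder data versus sensitive authentication data), PCI DSS Requirement 3 (protect stored cardholder data) and PA-DSS Requirement 1 (do not retain track data, card validation values or PIN blocks) all depend on telling the two data classes apart in code. The following Python is an added example, not code from the deck or from the PCI SSC: the field names, the sample record, the test PAN and the simplified track-data patterns are assumptions made for illustration. It applies the Luhn check to recognise PANs, masks them to the first six and last four digits for display and logging, drops any field that holds sensitive authentication data (whether labelled as such or merely shaped like track data), and redacts PANs that leak into free text such as log lines.

```python
import re

# Field names treated as sensitive authentication data (SAD); assumed names.
SAD_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "cav2", "pin", "pin_block"}
# Field names treated as cardholder data (CHD); assumed names.
CHD_FIELDS = {"pan", "card_number", "cardholder_name", "expiry", "service_code"}

# Simplified track layouts: track 2 is PAN '=' YYMM service-code discretionary-data,
# track 1 is %B PAN ^ NAME ^ YYMM service-code discretionary-data.
TRACK2_RE = re.compile(r"\d{13,19}=\d{7,}")
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{7,}")
# Candidate PAN in free text: 13-19 digits, single spaces or dashes allowed between digits.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    """True if value is 13-19 digits (spaces/dashes allowed) that pass Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Mask a PAN for display or logging: first six and last four digits stay visible."""
    digits = re.sub(r"[ -]", "", pan)
    if not is_pan(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify_field(name: str, value: str) -> str:
    """Return 'SAD', 'CHD' or 'other' for a single record field."""
    if name.lower() in SAD_FIELDS or TRACK1_RE.search(value) or TRACK2_RE.search(value):
        return "SAD"
    if name.lower() in CHD_FIELDS or is_pan(value):
        return "CHD"
    return "other"


def sanitize_record(record: dict) -> dict:
    """Drop SAD outright and mask PANs before a record is stored or logged.

    SAD is removed rather than masked or encrypted because it must not be
    retained at all after authorization; CHD may be kept if it is protected.
    """
    out = {}
    for name, value in record.items():
        text = str(value)
        cls = classify_field(name, text)
        if cls == "SAD":
            continue
        out[name] = mask_pan(text) if cls == "CHD" and is_pan(text) else value
    return out


def redact_text(text: str) -> str:
    """Mask every Luhn-valid PAN embedded in free text such as a log line."""
    return PAN_CANDIDATE_RE.sub(
        lambda m: mask_pan(m.group(0)) if is_pan(m.group(0)) else m.group(0), text)


# Constructed sample record; the PAN is a well-known test number, not a live card.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A SAMPLE",
    "expiry": "2512",
    "cvv2": "123",
    "note": "swipe: 4111111111111111=25121010000000000",
    "amount": "10.00",
}

if __name__ == "__main__":
    print(sanitize_record(SAMPLE_RECORD))
    print(redact_text("auth ok pan=4111111111111111 amt=10.00 ref=12345678901234567890"))
```

Two design points carry over to real systems: track data is caught by shape and not only by field name, because SAD most often leaks through a free-text or debug field rather than one called "track2"; and the redactor requires a Luhn-valid candidate before masking, so a 20-digit reference number is left alone while a PAN with spaces is still caught. Masking is a display control (Requirement 3.3); stored PANs still need truncation, tokenization, hashing or strong encryption to satisfy the rest of Requirement 3.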
SAQ Objectives
Self-Assessment Questionnaires (the slide shows the cover of SAQ A):

  - Based on industry feedback
  - Flexibility for multiple merchant types
  - Providing guidance for the intent and applicability of the underlying requirements
Self-Assessment Questionnaires

SAQ validation type 1: Card-not-present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. SAQ A (<11 questions)

SAQ validation type 2: Imprint-only merchants with no cardholder data storage. SAQ B (21 questions)

SAQ validation type 3: Stand-alone dial-up terminal merchants, no cardholder data storage. SAQ B (21 questions)

SAQ validation type 4: Merchants with payment application systems connected to the Internet, no cardholder data storage. SAQ C (38 questions)

SAQ validation type 5: All other merchants (not included in the descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ. SAQ D (full DSS)
Reports

Regular reports are required for PCI DSS compliance.

All merchants, service providers and processors may be required to submit quarterly scan reports.

The quarterly external vulnerability scans behind those reports must be performed by a PCI SSC-approved ASV.
THANK YOU

More Related Content

What's hot

Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates VISTA InfoSec
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowPECB
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfControlCase
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementationRalf Braga
 
Introduction: CISSP Certification
Introduction: CISSP CertificationIntroduction: CISSP Certification
Introduction: CISSP CertificationSam Bowne
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should careSean D. Goodwin
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My OrganisationVigilant Software
 

What's hot (20)

Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
Introduction: CISSP Certification
Introduction: CISSP CertificationIntroduction: CISSP Certification
Introduction: CISSP Certification
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 

Viewers also liked

PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Twitter Bootstrap Presentation
Twitter Bootstrap PresentationTwitter Bootstrap Presentation
Twitter Bootstrap PresentationDuy Do Phan
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingKaseya
 
BlackBerry Basic
BlackBerry BasicBlackBerry Basic
BlackBerry BasicDuy Do Phan
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0ControlCase
 
PCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security StandardPCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security StandardAlvaro Machaca Tola
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarControlCase
 
Using the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancerUsing the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancerDana D. Hines, PhD
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to TokenizationNabeel Yoosuf
 
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinPCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinAnton Chuvakin
 
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...iFour Consultancy
 
Iso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in indiaIso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in indiaiFour Consultancy
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...iFour Consultancy
 

Viewers also liked (18)

PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Twitter Bootstrap Presentation
Twitter Bootstrap PresentationTwitter Bootstrap Presentation
Twitter Bootstrap Presentation
 
WCF
WCFWCF
WCF
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
Retail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance BriefingRetail IT 2013: Data Security & PCI Compliance Briefing
Retail IT 2013: Data Security & PCI Compliance Briefing
 
BlackBerry Basic
BlackBerry BasicBlackBerry Basic
BlackBerry Basic
 
SSL
SSLSSL
SSL
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
PCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security StandardPCI DSS - Payment Card Industry Data Security Standard
PCI DSS - Payment Card Industry Data Security Standard
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
 
Using the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancerUsing the PDCA model to improve cervical cancer
Using the PDCA model to improve cervical cancer
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to Tokenization
 
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinPCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
 
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
ISO 27001 2013 A12 Operations Security Part 2 - by Software development compa...
 
Iso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in indiaIso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in india
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
 

Similar to PCI-DSS Introduction and Requirements

Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptgealehegn
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National CertificationMark Pollard
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 
PCI Compliance: What You Need to Know
PCI Compliance: What You Need to KnowPCI Compliance: What You Need to Know
PCI Compliance: What You Need to KnowSasha Nunke
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
PCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program OverviewPCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program Overview- Mark - Fullbright
 

Similar to PCI-DSS Introduction and Requirements (20)

Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 

PCI-DSS Introduction and Requirements

  • 2. Agenda
    PCI-DSS Fundamental
      What is PCI-DSS
      • Why are the PCI Security Standards Important?
      • Key Definitions
      PCI Standards Boundary
      Recommended Understanding
    Instruction
      Determine PCI-Level
      Validate Requirement
      Choose SAQ
    Implementation
      Principles
      PCI-DSS-Requirements
      PA-DSS Requirements
      Self Assessment Questionnaire
      Report
  • 4. Payment Card Data Issues
  • 5. What is PCI ???
    PCI stands for the Payment Card Industry and is used to refer to:
     The PCI Security Standards Council ™(PCI SSC), an industry body founded by the major card brands to protect cardholder data. Founders:
     The global Security Standards created and maintained by the PCI SSC to protect cardholder payment data.
    • Key Learning Point: Compliance with PCI Security Standards is mandatory for merchants and their service providers, and is enforced by the major card brands who established the PCI SSC
  • 6. What is PCI DSS? “The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information…the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.” – PCI Standards Council –
  • 7. Why are the PCI Security Standards Important?
    The Standards are important because they:
    Protect cardholder data in order to help prevent data compromises and subsequent fraud activity…
    • Customers expect merchants and their acquirers to keep their card account data safe
    • Data compromises can result in significant fines and losses for merchants and can damage the merchant’s reputation with customers
    • The number of data compromise incidents is increasing annually – organized criminal enterprises are targeting vulnerable merchants
  • 9. Key Definitions
    Data definitions
    • Cardholder data: PAN (Primary Account Number), Cardholder Name, Service Code, Expiration Code.
    • Sensitive authentication data: Full Magnetic Stripe Data, CCV, PIN (Personal identification number).
    Keywords
    • PCI-DSS: Payment Card Industry Data Security Standards
    • PA-DSS: Payment Applications Data Security Standards
    • PTS: PIN Transaction Security
    • QSA: Qualified Security Assessor
    • SAQ: Self Assessment Questionnaire
    • ASV: Approved Scanning Vendor
  • 10. PCI Standards Boundary
    • The PCI Data Security Standard (PCI DSS): If a business accepts or processes payment cards, it must comply with the PCI DSS. It is the standard merchants, processors, and service providers must meet for the complete protection of payment cardholder data.
    • The Payment Application-Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) (previously known as PIN Entry Device (PED)) security requirements support the overall implementation of PCI DSS by allowing merchants to choose from Council certified payment application software and PIN entry devices.
  • 11. Recommended Understanding
    PCI DSS tells you what you need to do; what standards you need to meet to be compliant.
    PCI DSS does not tell you how to become compliant. That is individual to your situation and your environment:
    - Your system
    - Your processes
    - Your vendors
    - Your customers
    Being compliant does not necessarily make you secure.
    Being secure leads to compliance – not the other way around.
  • 13. Instruction
    • Determining your PCI Level
    • Validation requirements
    • Selecting the SAQ that Best Applies to Your Organization
  • 14. Determining your PCI Level
    You need to assess where you are on the scale of risk:
    Level 1
      All Channels: 6MM Visa or MC transactions per year
    Level 2
      All Channels: 1MM - 6MM Visa or MC transactions per year
      E-Commerce: >150,000 - 6 MM MC transactions per year
    Level 3
      20,000 - 150,000 e-commerce MC transactions per year
      20,000 - 999,999 e-commerce Visa transactions per year
    Level 4
      <20,000 Visa or MC e-commerce transactions per year
      <1MM non-e-commerce Visa or MC transactions per year
  • 15. Validation requirements
    Level 1 Merchants
    • Complete an Annual On-Site PCI Data Security Assessment in accordance with PCI Audit Procedures (Visa website). You can use this template for your Report on Compliance (ROC).
    • Engage a Visa-approved Qualified Data Security Company to complete your ROC.
    • Validate the ROC by the due date (preferably sooner in case issues arise in the ROC. This will help eliminate assessment of fines.)
    • Provide the ROC to Bank of America Merchant Services.
    • Merchant’s internal auditor may prepare the ROC, which must be accompanied by a letter signed by an executive-level officer of Merchant’s organization validating the ROC.
    • Complete quarterly network scans to check your systems for vulnerabilities.
    • Complete annual penetration testing to test that your systems are hacker-resistant.
    • Ensure that these security scans are performed by a qualified independent scan vendor.
    Level 2, 3 and 4 Merchants
    • Complete and validate an Annual PCI Self-Assessment Questionnaire.
    • Complete Quarterly Network Scans to check your systems for vulnerabilities.
    • Complete annual penetration testing to test that your systems are hacker-resistant.
    • Ensure that these security scans are performed by a qualified independent scan vendor.
  • 16. Selecting the SAQ that Best Applies to Your Organization
    SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
    SAQ B: Imprint Only merchants with no electronic cardholder data storage, or standalone, dial out terminal merchant with no electronic cardholder data storage
    SAQ C-VT: Merchant using only web-based virtual terminals, no cardholder data storage
    SAQ C: Merchants with payment application systems connected to the internet, no electronic cardholder data storage
    SAQ D: All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ
  • 18. Implement
    • Determine Scope
    • Rebuild system based on requirements
    • Self Assessment Questionnaires
    • Report
  • 19. Determining Scope – Network Segmented
  • 20. Determining Scope – Network Segmented
  • 21. Determining Scope – Network Segmented
  • 22. Principles
    SECURE  TRACK  AUDIT
    • You need to ensure that your data is first secured … both physically and electronically.
    • You need to ensure you have mechanisms in place to track who accesses your data and when.
    • You need to review your tracking (audit) to look for anomalies.
  • 23. PCI DSS – Requirements
    Six Goals, Twelve Requirements
    Build and Maintain a Secure Network
      1. Install and maintain a firewall configuration to protect cardholder data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks
    Maintain a Vulnerability Management Program
      5. Use and regularly update anti-virus software or programs
      6. Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
      7. Restrict access to cardholder data by business need-to-know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes
    Maintain an Information Security Policy
      12. Maintain a policy that addresses information security for employees and contractors
  • 24. PA-DSS Introduction
    Formerly known as PABP (Payment Application Best Practices), supervised by Visa
    Goals
    • Develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data
    • Ensure their payment applications support compliance with the PCI DSS
    The requirements for the PA-DSS are derived from the PCI DSS
    Why focus on software? Vulnerable payment applications are currently the leading cause of data compromise incidents, particularly for small merchants.
  • 25. PA-DSS Requirements
    Fourteen Requirements
    Requirement 1: Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
    Requirement 2: Protect stored cardholder data
    Requirement 3: Provide secure authentication features
    Requirement 4: Log payment application activity
    Requirement 5: Develop secure payment applications (5.2 - OWASP Guide, SANS CWE Top 25, CERT Secure Coding)
    Requirement 6: Protect wireless transmissions
    Requirement 7: Test payment applications to address vulnerabilities
    Requirement 8: Facilitate secure network implementation
    Requirement 9: Cardholder data must never be stored on a server connected to the Internet
    Requirement 10: Facilitate secure remote software updates
    Requirement 11: Facilitate secure remote access to payment application
    Requirement 12: Encrypt sensitive traffic over public networks
    Requirement 13: Encrypt all non-console administrative access
    Requirement 14: Maintain instructional documentation and training programs for customers, resellers, and integrators
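The distinction the deck draws on slide 9 (cardholder data may be stored if protected, sensitive authentication data must never be retained) and the storage rules of PCI DSS Requirement 3 and PA-DSS Requirements 1, 2 and 4 are easiest to see in a concrete check. The following is an added example, not code from the presentation or from the PCI SSC: a small scanner that audits application log lines for a PAN (validated with the Luhn check to cut down on false positives from order ids and timestamps), full magnetic stripe track data, card validation values and PIN blocks, and returns a masked copy of each line. The regexes, field names (cvv2, pin_block) and the sample log lines are all constructed for this example; masking to the first six and last four digits is a common PAN display practice assumed here rather than something the slides state.

```python
"""Constructed example: audit log lines for cardholder data (PAN) and
sensitive authentication data (track data, CVV, PIN block), and mask them.
Not part of the original presentation; all patterns and samples are assumed."""
import re

# A run of 13-19 digits not embedded in a longer digit run: a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 1 (%B<PAN>^<NAME>^<YYMM...>?) and Track 2 (;<PAN>=<YYMM...>?) magnetic stripe layouts.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}[^?]*\??")
TRACK2_RE = re.compile(r";\d{13,19}=\d+\??")
# key=value fields carrying card validation codes or a PIN block (hypothetical field names).
CVV_RE = re.compile(r"\b((?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*)\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\b((?:pin|pin_?block)\s*[=:]\s*)[0-9A-Fa-f]{4,16}\b", re.IGNORECASE)

SAD_TAGS = {"TRACK_DATA", "CVV", "PIN_BLOCK"}  # sensitive authentication data: never store

# Constructed sample log lines (test card numbers, fake names and values).
SAMPLE_LOG = [
    "2024-01-31T10:15:02Z INFO auth ok user=alice pan=4111111111111111 amount=19.99",
    "2024-01-31T10:15:03Z DEBUG swipe=%B5555555555554444^DOE/JOHN^25121010000000000?",
    "2024-01-31T10:15:04Z DEBUG cvv2=123 pin_block=0412AC89BF1D2E3F",
    "2024-01-31T10:15:05Z INFO order=1234567890123456 status=settled",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, star out the rest (assumed display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> dict:
    """Return {'findings': [tags], 'masked': line with card data removed or masked}."""
    findings = []
    masked = line

    # Track data is removed outright: it is SAD and there is nothing legitimate to keep.
    if TRACK1_RE.search(masked) or TRACK2_RE.search(masked):
        findings.append("TRACK_DATA")
        masked = TRACK1_RE.sub("[TRACK1 REDACTED]", masked)
        masked = TRACK2_RE.sub("[TRACK2 REDACTED]", masked)
    if CVV_RE.search(masked):
        findings.append("CVV")
        masked = CVV_RE.sub(r"\1[REDACTED]", masked)
    if PIN_RE.search(masked):
        findings.append("PIN_BLOCK")
        masked = PIN_RE.sub(r"\1[REDACTED]", masked)

    # A PAN is cardholder data: it may be kept only in masked/protected form.
    pan_seen = False

    def _mask(m: re.Match) -> str:
        nonlocal pan_seen
        pan = m.group(1)
        if not luhn_ok(pan):
            return pan          # long digit run that fails Luhn (order id, counter): leave it
        pan_seen = True
        return mask_pan(pan)

    masked = PAN_RE.sub(_mask, masked)
    if pan_seen:
        findings.append("PAN")
    return {"findings": findings, "masked": masked}


def audit(lines: list) -> dict:
    """Scan every line; report which hold SAD (a storage violation) and which hold a PAN."""
    results = [scan_line(ln) for ln in lines]
    return {
        "masked": [r["masked"] for r in results],
        "pan_lines": [i for i, r in enumerate(results) if "PAN" in r["findings"]],
        "sad_lines": [i for i, r in enumerate(results) if SAD_TAGS & set(r["findings"])],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("lines holding SAD (must not be stored):", report["sad_lines"])
    print("lines holding a PAN (must be protected):", report["pan_lines"])
    for ln in report["masked"]:
        print(ln)
```

Run as a script it prints the masked copy of each sample line and the indexes of the offending ones; in a real deployment the same logic belongs in the logging layer, before anything is written, rather than in a cleanup pass afterwards. The Luhn filter matters: without it every 16-digit order id or epoch-style counter in a log would be reported as a PAN.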
  • 26. SAQ Objectives
    Self Assessment Questionnaires
    • Based on industry feedback
    • Flexibility for multiple merchant types
    • Providing guidance for the intent and applicability of the underlying requirements
    (Image: Self-Assessment Questionnaire (SAQ) A)
  • 27. Self Assessment Questionnaires
    SAQ A, Validation Type 1: Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. (<11 Questions)
    SAQ B, Validation Type 2: Imprint-only merchants with no cardholder data storage. (21 Questions)
    SAQ B, Validation Type 3: Stand alone dial-up terminal merchants, no cardholder data storage. (21 Questions)
    SAQ C, Validation Type 4: Merchants with payment application systems connected to the Internet, no cardholder data storage. (38 Questions)
    SAQ D, Validation Type 5: All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ. (Full DSS)
  • 28. Reports
    Regular reports are required for PCI DSS compliance. All merchants, service providers and processors may be required to submit quarterly scan reports. All reports must be performed by a PCI SSC approved ASV.

Editor's Notes

  1. Section divider 1
  2. Slide text 2
  3. Section divider 1
  4. Key Learning Point: Using PCI compliant equipment and software can support merchant efforts to become PCI DSS compliant, but does not make a merchant PCI DSS compliant. The PCI DSS covers all aspects of how a merchant protects cardholder data, which goes beyond using secure equipment and software.
  5. Section divider 1
  6. Key Learning Point : Not all PCI DSS requirements apply to all merchants. Merchants must review each requirement to determine applicability to the merchant’s card payment acceptance systems and business processes.
  7. Section divider 2