eCommerce Summit Atlanta Mountain Media
 

From the eCommerce Summit in Atlanta, June 3-4, 2009, where Mountain Media explains the topic of PCI Compliance for online merchants. Visit http://www.ecmta.org to find out more.

    eCommerce Summit Atlanta Mountain Media: Presentation Transcript

    • PCI Compliance and the Online Merchant
    • PCI Compliance Explained. Melanie Beam, Director, Business Development, Mountain Media
    • What does PCI DSS mean?
      • PCI DSS = Payment Card Industry Data Security Standard
      • The standards were developed by the founding brands of the PCI Security Standards Council: American Express, Discover, JCB, MasterCard and Visa, to assist in the broad adoption of consistent data security measures globally.
      • It’s the set of security rules the card companies agreed upon after years of separate standards.
    • This is new, right?
      • The PCI DSS was introduced in 2004.
      • The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.
    • Do I have to be PCI Compliant?
      • PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
      • If customers pay you with credit or debit cards, then you need to be compliant at some level.
      • Acquirers (merchant account providers) are responsible for enforcing merchant compliance with the PCI requirements. If you have not yet, you will probably receive a letter from your merchant account provider detailing what merchant level you are currently at (with some exceptions, e.g. PayPal).
    • PCI DSS Principles and Requirements
      • Build and Maintain a Secure Network
        • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
        • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
      • Protect Cardholder Data
        • Requirement 3: Protect stored cardholder data
        • Requirement 4: Encrypt transmission of cardholder data across open, public networks
      • Maintain a Vulnerability Management Program
        • Requirement 5: Use and regularly update anti-virus software
        • Requirement 6: Develop and maintain secure systems and applications
      • Implement Strong Access Control Measures
        • Requirement 7: Restrict access to cardholder data by business need-to-know
        • Requirement 8: Assign a unique ID to each person with computer access
        • Requirement 9: Restrict physical access to cardholder data
      • Regularly Monitor and Test Networks
        • Requirement 10: Track and monitor all access to network resources and cardholder data
        • Requirement 11: Regularly test security systems and processes
      • Maintain an Information Security Policy
        • Requirement 12: Maintain a policy that addresses information security
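      Requirement 3 is the one an online merchant most often gets wrong in code, so here is an added example of what "protect stored cardholder data" looks like in practice. It is not code from the slides, Mountain Media or Moneris. It takes a card swipe (track 2) or a log line, keeps only what PCI DSS allows a merchant to retain after authorization, and masks anything else: PCI DSS 3.3 permits at most the first six and last four digits of the PAN to be displayed, and 3.4 lists a one-way hash among the acceptable ways to render a stored PAN unreadable. The track 2 string, the log line, the HMAC key and the function names are all constructed for this example; the card number is the widely published Visa test number, not a real account.

```python
"""Cardholder-data handling helpers for an online merchant (added example).

Assumptions (not from the slides): a constructed track 2 string using the
published Visa test number 4111 1111 1111 1111, a constructed log line and a
demo HMAC key. In a real deployment the key lives in an HSM or key-management
service, separate from the tokens it produces.
"""
import hashlib
import hmac
import re

# Constructed sample input in ISO 7813 track 2 layout: ;PAN=YYMMSSS<discretionary>?
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"
# Constructed sample log line of the kind that quietly stores prohibited data
SAMPLE_LOG_LINE = "2009-06-04 10:15:02 order=1832 card=4111111111111111 cvv=123 amount=49.95"
# Demo key only
DEMO_HMAC_KEY = b"demo-key-not-for-production"

# A run of 13 to 19 digits that is not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 masking: at most the first six and last four digits stay visible."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN, usable as a lookup index without storing the PAN.
    A one-way hash is one of the Requirement 3.4 options for stored PANs."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def parse_track2(track2: str) -> dict:
    """Split a track 2 string into its fields. Full track data must never be stored after authorization."""
    m = TRACK2_RE.fullmatch(track2)
    if not m:
        raise ValueError("not a track 2 string")
    pan, expiry, service_code, discretionary = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan": pan, "expiry": expiry, "service_code": service_code, "discretionary": discretionary}


def storage_record(track2: str, key: bytes) -> dict:
    """Return the only fields the merchant keeps after authorization: masked PAN, token, expiry.
    The full PAN, service code and discretionary data (which can carry card verification values) are dropped."""
    fields = parse_track2(track2)
    return {
        "pan_masked": mask_pan(fields["pan"]),
        "pan_token": pan_token(fields["pan"], key),
        "expiry": fields["expiry"],
    }


def redact_log_line(line: str) -> str:
    """Mask any Luhn-valid PAN and strip card verification values before a log line reaches disk."""
    def mask_if_pan(m: re.Match) -> str:
        digits = m.group(1)
        return mask_pan(digits) if luhn_ok(digits) else digits
    line = PAN_RE.sub(mask_if_pan, line)
    return re.sub(r"(?i)\b(cvv2?|cvc2?|cid)=\d{3,4}\b", r"\1=[REDACTED]", line)


if __name__ == "__main__":
    print(storage_record(SAMPLE_TRACK2, DEMO_HMAC_KEY))
    print(redact_log_line(SAMPLE_LOG_LINE))
```

      The Luhn check in the log redactor keeps order numbers and timestamps untouched while catching a 16-digit PAN that an application has written into its own logs, which is exactly how the "stored data" the compromise statistics later in this deck talk about ends up on disk without anyone deciding to store it. A merchant at SAQ Type 4 in the table below must not keep the full PAN or track data at all; the masked form and the keyed token are the most it should retain.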
    • What are the merchant levels? These are based on your annual transaction volume. MOST ECOMMERCE MERCHANTS FALL INTO LEVEL 3 OR 4.
      • Level 1: Any merchant, regardless of acceptance channel, processing over 6M card transactions per year; also any merchant that the card companies determine should meet the Level 1 merchant requirements to minimize risk.
      • Level 2: Any merchant, regardless of acceptance channel, processing 1M to 6M card transactions per year.
      • Level 3: Any merchant processing 20,000 to 1M ecommerce credit card transactions per year.
      • Level 4: Any merchant processing fewer than 20,000 ecommerce card transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M transactions per year.
    • How do I become compliant?
      • Every merchant is required to complete a Self Assessment Questionnaire (SAQ) to validate PCI compliance (Level 1 merchants must instead have an on-site assessment and a Report on Compliance, as the table below notes for the hardest case).
      • There are five SAQ validation types that determine which of the four SAQs to complete.
    • Self Assessment Questionnaire Validation
      • Type 1 (The Easiest)
        • Cardholder data: All cardholder data functions are performed by a PCI compliant third party. No cardholder data can be stored or transmitted by the merchant.
        • Example: The purchaser must be redirected to the service provider's website to complete the purchase, e.g. PayPal Payments Standard.
        • Hosting environment: Must comply with SAQ-A. Does not require PCI compliant web hosting, but it may be necessary in order to complete SAQ-A. Not required to perform a quarterly vulnerability scan, but recommended.
      • Type 4 (Most Merchants)
        • Cardholder data: Ecommerce merchants with shopping cart applications that transmit cardholder data via the Internet for processing. No cardholder data can be stored.
        • Example: Credit card payments are made at the merchant's website, e.g. a shopping cart solution with Authorize.net.
        • Hosting environment: Must comply with SAQ-C. Requires that the operating service providers, including the web hosting provider and data center, are PCI DSS certified. Not required to perform quarterly scans, but recommended.
      • Type 5 (The Hardest)
        • Cardholder data: Cardholder data can be stored for later use, allowing customers to save cards for later purchases.
        • Example: A managed PCI compliant product such as Rackspace PCI hosting together with a PCI compliant ecommerce application.
        • Hosting environment: Must comply with the requirements in SAQ-D and may require a Report on Compliance from a Qualified Security Assessor. These are the same requirements that apply to PCI certified service providers and are typically out of the financial and technical reach of most small ecommerce retailers. Cost to comply is well over $50,000, and written policies and procedures are required.
    • Now that you know, what do you do?
      • Fill out the SAQ that applies to your business.
      • If required (and recommended for merchants at every level), sign up for quarterly external scans with an Approved Scanning Vendor.
      • Both the SAQs and the approved vendors can be found at pcisecuritystandards.org.
      • Understand that no single product or service will make you compliant; you have work to do too!
      • Be informed! Check your providers: hosting, ecommerce, and payment gateway.
      • Ask for a copy of their ROC, CORA, or check them against the CISP and PCI lists.
      • “Within the standards of PCI” does not mean compliant.
    • The Time Is Now
      • PCI Compliance applies to you, right now.
      • Waiting until your bank asks you to prove compliance can prove very costly.
      • Look for help from compliant vendors, but make sure you use several solutions. There’s no silver bullet!
      • PCI Compliance seems difficult, but it comes down to good, sound security policies and should be part of your business plan.
    • Mountain Media’s Ecommerce Platform and Data Center are PCI Level 1 Compliant
      • Mountain Media is one of only a handful of ecommerce companies to achieve the highest level of PCI DSS certification.
      • All technicians that manage systems must have background checks before starting employment as well as adhere to a host of HR procedures.
      • Physical access to the data center must have robust authentication systems in place.
      • Video surveillance of data center access points with 3-month storage.
      • Firewall systems with stringent rule sets.
      • Intrusion detection systems.
      • Host intrusion detection systems.
      • Data servers must be on a private network (behind a second firewall with strict access rules).
      • Server maintenance and upgrades must follow strict procedures and policies.
      Please contact us for comprehensive PCI Compliant eCommerce at 877-583-0300 or visit www.mountainmedia.com
    • PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS: ACCOUNT DATA COMPROMISE STATISTICS
      John Jacobs, Moneris Solutions, Merchant Acquirer
      Source: October 2008. Statistics based on data gathered from 443 account data compromise cases investigated since 2001.
    • ACCOUNT DATA COMPROMISE STATISTICS
      • Cases segmented by Payment Card Acceptance Channel
      • The majority of account compromises in North America occur at Brick & Mortar merchants.
      • Brick & Mortar merchants are most commonly attacked in North America because, unlike EMEA merchants, they are using outdated payment applications and process their transactions over the Internet.
    • ACCOUNT DATA COMPROMISE STATISTICS
      • Cases Segmented by System Type
      • The majority of account compromise cases involve PC based POS software applications or e-commerce shopping carts.
      • Hardware based POS terminals remain the most secure way to process transactions
    • ACCOUNT DATA COMPROMISE STATISTICS
      • Cases Segmented by Responsibility for Payment System Administration
      • In North America the majority of account compromises occur in environments where the merchant uses a third party payment application and relies on third parties for support.
      • The result is outdated systems that are not configured and secured correctly.
    • NEW ACCOUNT DATA COMPROMISE TRENDS
      • In 2008 a notable new compromise trend surfaced in the industry – data in transit .
      • In the past attackers were looking for stored cardholder data.
      • Many merchants were, and still are, storing full magnetic stripe data.
      • Through the card brands’ efforts to eliminate storage of prohibited data, fewer and fewer merchants are storing full magnetic stripe data.
      • Because of this the attack vectors have evolved: attackers are not only looking for stored data but are also looking to capture data in transit.
      • Though many merchants may not be storing data, many have insecure networks which allow an attacker to gain unauthorized access to systems and start capturing data in real-time.
      • The last two significant compromises reported in the US used this technique.
    • PCI SSC – SECURITY STANDARDS OVERVIEW
    • PCI DSS - VISA SERVICE PROVIDER LEVELS DEFINED
      • Below are the Service Provider levels and PCI DSS validation requirements that have been established by Visa.
      • Level 1: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year. Validation action: annual on-site PCI Data Security Assessment and quarterly network scan. Validated by: Qualified Security Assessor and Approved Scanning Vendor.
      • Level 2: Any service provider that stores, processes and/or transmits fewer than 300,000 transactions per year. Validation action: annual PCI Self Assessment Questionnaire and quarterly network scan. Validated by: the service provider itself and an Approved Scanning Vendor.
      • The levels above went into effect on February 01, 2009.
      • Visa list of compliant Service Providers: http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
      • As of February 01, 2009 only Service Providers that have validated their PCI DSS compliance as a Level 1 Service Provider are listed.
    • PCI DSS - EFFECTS OF NOT COMPLYING
      • PCI DSS was put in place to protect cardholder data and reduce the risk of an account data compromise
      • Merchants that are not compliant with PCI DSS are at higher risk of experiencing a security breach.
      • Merchants that refuse to comply with PCI DSS or fail to demonstrate compliance with PCI DSS may face the following:
        • Fines due to non-compliance
        • Termination of card processing services
      • A Merchant or Service Provider that experiences a security breach that involves the compromise of cardholder data may face the following consequences:
        • Cost of forensic investigation
        • Fines due to non-compliance
        • Costs incurred by card issuers due to the breach (card monitoring & card replacement fees)
        • Liability for percentage of the fraud that occurred due to the breach
        • Termination of card processing services
        • Potential brand damage
    • (Sample compliance certificate) Awarded To: eCom Merchant, June 4, 2009. eCom Merchant ("Client") is enrolled in Compliance Validation Services to meet the Payment Card Industry Data Security Standard (PCI DSS). The Validation Service has been accredited by all the major card associations' data security programs including: Etc……
    • ADDITIONAL INFORMATION
      • Moneris Solutions
      • Moneris USA Corporate Website – www.monerisusa.com/pcisecurity
      • Moneris Canada Corporate Website – www.moneris.com/pci
      • PCI Security Standards Council
      • PCI SSC Website – www.pcisecuritystandards.org
      • PCI DSS – www.pcisecuritystandards.org/security_standards/pci_dss.shtml
      • PCI PA-DSS – www.pcisecuritystandards.org/security_standards/pa_dss.shtml
      • PCI PED – www.pcisecuritystandards.org/security_standards/ped/index.shtml
      • PCI Security Assessor Listings – www.pcisecuritystandards.org/qsa_asv/find_one.shtml
      • PCI DSS Self Assessment Questionnaires – www.pcisecuritystandards.org/saq/index.shtml
      • Visa
      • Visa Cardholder Information Security Program (CISP) – www.visa.com/cisp
      • MasterCard
      • MasterCard Site & Data Protection (SDP) Program – www.mastercard.com/sdp