PCI Certification Issues May 2008

May 2008

Evolution of PCI DSS 2000 Visa CISP(USA) and AIS (EU)‏ 2000 Mastercard SDP. 2004 – Visa, Mastercard, American Express and JCB agree PCI Standard. The objective of PCIDSS compliance is designed to protect the card companies, merchants and consumers from suffering financial and data loss because of unprotected network systems.

2000 Visa CISP(USA) and AIS (EU)‏

2000 Mastercard SDP.

2004 – Visa, Mastercard, American Express and JCB agree PCI Standard.

The objective of PCIDSS compliance is designed to protect the card companies, merchants and consumers from suffering financial and data loss because of unprotected network systems.

Validation Requirements

The Requirements

Recent Changes Self Assessment Questionnaire (SAQ)‏ Four SAQ's instead of one.

Self Assessment Questionnaire (SAQ)‏

Four SAQ's instead of one.

Recent Changes Payment Application Best Practices Launched in 2005 List of validated payment applications published monthly since January 2006. PABP to move to the Payment Application Security Standard (PASS) and will be administrated through the PCI SSC. Applicable to any third party payment application that is involved in authorisation and settlement of credit/debit card transactions. Is not applicable to dumb terminals, database or web server software. Does apply to applications built on DB & Web.

Payment Application Best Practices

Launched in 2005

List of validated payment applications published monthly since January 2006.

PABP to move to the Payment Application Security Standard (PASS) and will be administrated through the PCI SSC.

Applicable to any third party payment application that is involved in authorisation and settlement of credit/debit card transactions.

Is not applicable to dumb terminals, database or web server software. Does apply to applications built on DB & Web.

Top Reasons for Audit Failures

PCI Pitfalls Track2/CVV2/CVC2 logging. Implementing Policies that address each of the requirements of the PCI DSS. Restricting Access to Databases Performing Log review. File Integrity Monitoring

Track2/CVV2/CVC2 logging.

Implementing Policies that address each of the requirements of the PCI DSS.

Restricting Access to Databases

Performing Log review.

File Integrity Monitoring

Risk Reduction Strategies Data Elimination Tokenisation

Data Elimination

Tokenisation

Actions Only deploy third party applications on the PABP/PASS list Confirm all entities in the transaction chain are PCI certified and audited Ensure all current staff aware of their data security obligations Verify that no card data is extracted to be further analysed Check what happens sensitive data files after transmission/receipt

Only deploy third party applications on the PABP/PASS list

Confirm all entities in the transaction chain are PCI certified and audited

Ensure all current staff aware of their data security obligations

Verify that no card data is extracted to be further analysed

Check what happens sensitive data files after transmission/receipt

Actions Make PCI Compliance a year round activity Confirm that all new processes and procedures vetted against the PCI Data Security Standard Investigate opportunities for the elimination of card data.

Make PCI Compliance a year round activity

Confirm that all new processes and procedures vetted against the PCI Data Security Standard

Investigate opportunities for the elimination of card data.

Further Information Knowledge Base at http://www.o-cgroup.com PCI Validation Requirements http://www.o-cgroup.com/pci-requirements.php

Knowledge Base at

http://www.o-cgroup.com

PCI Validation Requirements

http://www.o-cgroup.com/pci-requirements.php