PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013.
PCI-DSS: DON'T FALL IN ...
Agenda
• Intro
• Buzzwords
• PCI – What is it?
• PCI – Do's and Don'ts
• How to eat an Elephant
• Divide & Conquer
• Questions & Answers
Intro … who is this clown?
• Realex Payments … Platform Operations Security Lead
• Certified … CISA, CISM, SSCP, CISSP
• Former Chair of the Irish Information Security Forum
• Current Item Writer for ISC2
• Responsible for PCI Compliance in Realex Payments
Buzzwords
• Member organisations – Card Schemes are made up of member organisations who can be Acquirers, Issuers, or both
• Merchant – Merchants are entities that "accept" Card transactions. Levels 1 – 4, with varying requirements for validation (by volume)
• Acquirer – Acquiring Bank; handles Merchant lines of credit
• Issuer – Issuing Bank; offers cards to the Cardholder
• Cardholder – Consumers. Customers … Punters
• Service Provider – Entities that service the processing, storing, or transport of card information on behalf of Merchants, Acquirers, or Issuers
Merchant Levels … 1 to 4
Level 1 – Criteria: process more than 6 Million txns. Validation: ROC – Report on Compliance; QSA – Qualified Security Assessor; ASV – Approved Scanning Vendor; Attestation of Compliance
Level 2 – Criteria: process 1 to 6 Million txns. Validation: SAQ – Self Assessment Questionnaire; ASV – Approved Scanning Vendor; Attestation of Compliance
Level 3 – Criteria: process 20,000 to 1 Million txns. Validation: SAQ; ASV (if applicable); Attestation of Compliance
Level 4 – Criteria: all other merchants. Validation: SAQ – recommended; ASV (if applicable)
Validation requirements are typically set by the Acquirer.
PCI … What is it?
• PCI DSS – Payment Card Industry Data Security Standard
• Published by the PCI Security Standards Council (PCI-SSC)
• PCI-SSC = Visa, MasterCard, Discover, American Express, JCB
• Baseline Information Security Standard that applies to ANY business that "accepts, captures, stores, transmits, or processes Credit or Debit card data" – No exceptions.
• Information Security BASELINE. PCI is a floor. Not a ceiling.
PCI … Do's
• Visit the PCI-SSC website (www.pcisecuritystandards.org)
• Read the FAQ (Frequently Asked Questions) Knowledge Base
• SAQ – Self Assessment Questionnaire; pick the one that matches your merchant type:
  • A – Mail Order / Telephone Order Merchants
  • B – Imprint Only Merchants
  • C-VT – Virtual Terminals
  • C – Merchants with Internet Payment Applications
  • D – All other merchant types
PCI … Do's … Prioritised Approach
• Have a clear, accurate and relevant Network Diagram.
• Inventory … cover your assets
• Data … where does it come from, and where does it go?
The Holy Trinity
• Policy Document
• Prioritised Approach Document
• Self Assessment Questionnaire
PCI … Don'ts
• Don't PANIC – Don't fall for the FUD. Don't fall in The Hole.
• Don't boil the ocean – Scope and Segmentation are crucial
• Don't forget that PCI applies to your organisation, not your chosen hardware or software products and tools
• Don't think you can "buy" compliance with products
• Don't confuse "Compliant" with "Secure"
• Don't ignore PCI … it's not going away
For your further reading enjoyment …
www.pcisecuritystandards.org/
www.pcisecuritystandards.org/faq/
www.pcisecuritystandards.org/security_standards/getting_started.php
www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.asp
www.iisf.ie
Irish Information Security Forum LinkedIn group … members only, just tell them I sent you!