PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013.

Short and high level presentation for the Ecommerce group of external devs & business owners.

Customer facing - public information. Nothing sensitive.

  1. PCI-DSS – DON’T FALL IN ...
  2. Agenda
     • Intro
     • Buzzwords
     • PCI – What is it?
     • PCI – Do’s and Don’ts
     • How to eat an Elephant
     • Divide & Conquer
     • Questions & Answers
  3. Intro … who is this clown?
     • Realex Payments … Platform Operations Security Lead
     • Certified … CISA. CISM. SSCP. CISSP.
     • Former Chair of the Irish Information Security Forum
     • Current Item Writer for ISC2
     • Responsible for PCI Compliance in Realex Payments
  4. Buzzwords
     • Member organisations – Card Schemes are made up of member organisations who can be Acquirers, Issuers, or both
     • Merchant – Merchants are entities that “accept” Card transactions. Levels 1 – 4, with varying requirements for validation (by volume)
     • Acquirer – Acquiring Bank; handles Merchant lines of credit
     • Issuer – Issuing Bank; offers cards to Cardholder
     • Cardholder – Consumers. Customers … Punters
     • Service Provider – Entities that service the processing, storing, transport of card information on behalf of Merchants, Acquirers, or Issuers
  5. Merchant Levels … 1 to 4
     Level | Criteria | Validation
     1 | Process more than 6 Million txns | ROC – Report on Compliance; QSA – Qualified Security Assessor; ASV – Approved Scanning Vendor; Attestation of Compliance
     2 | Process 1 to 6 Million txns | SAQ – Self Assessment Questionnaire; ASV – Approved Scanning Vendor; Attestation of Compliance
     3 | Process 20,000 to 1 Million txns | SAQ; ASV (if applicable); Attestation of Compliance
     4 | All other merchants | SAQ – recommended; ASV (if applicable); Validation requirements typically set by Acquirer
  6. PCI … What is it?
     • PCI DSS – Payment Card Industry Data Security Standard
     • Published by the PCI Security Standards Council (PCI-SSC)
     • PCI-SSC = Visa, MasterCard, Discover, American Express, JCB
     • Baseline Information Security Standard that applies to ANY business that “accept, capture, store, transmit, or process Credit or Debit card data” – No exceptions.
     • Information Security BASELINE. PCI is a floor. Not a ceiling.
  7. PCI … Do’s
     • Visit the PCI-SSC website (www.pcisecuritystandards.org)
     • Read the FAQ (Frequently Asked Questions) Knowledge Base
     • SAQ – Self Assessment Questionnaire
       • A – Mail Order Telephone Order Merchants
       • B – Imprint Only Merchants
       • C-VT – Virtual Terminals
       • C – Merchants with Internet Payment Applications
       • D – All other merchant types
  8. PCI … Do’s … Prioritised Approach
     • Have a clear, accurate and relevant Network Diagram.
     • Inventory … cover your assets
     • Data … where does it come from, and where does it go?
     The Holy Trinity
     • Policy Document
     • Prioritised Approach Document
     • Self Assessment Questionnaire
  9. PCI … Don’ts
     • Don’t PANIC – Don’t fall for the FUD. Don’t fall in The Hole.
     • Don’t boil the ocean – Scope and Segmentation are crucial
     • Don’t forget that PCI applies to your organisation, not your chosen hardware or software products and tools
     • Don’t think you can “buy” compliance with products
     • Don’t confuse “Compliant” for “Secure”
     • Don’t ignore PCI … it’s not going away
  10. How to eat an Elephant …
  11. PCI … 6 Objectives / Milestones
  12. PCI … Divide & Conquer
     • 225 individual tests, checks & proof points
     • 12 Requirements
     • 6 Objectives
     • Prioritised Approach Document is your pal
  13. Questions & Answers …
  14. For your further reading enjoyment …
     • www.pcisecuritystandards.org/
     • www.pcisecuritystandards.org/faq/
     • www.pcisecuritystandards.org/security_standards/getting_started.php
     • www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.asp
     • www.iisf.ie
     • Irish Information Security Forum LinkedIn group … members only, just tell them I sent you!