Payment card industry data security standard

1. Payment Card Industry Data Security Standard
   By: Sally Chiu
   ACC 626, Section 002
2. Overview
   - What is PCI DSS?
   - Is it effective?
   - Impact on the auditing profession
3. What is PCI DSS?
   - "Payment Card Industry Data Security Standard"
   - industry-wide framework for developing a robust payment card data security process
   - aims to protect cardholder data
4. History and Origins
   - response to the growing misuse of payment card information
   - Payment Card Industry (PCI) Security Standards Council: 5 global payment card companies (American Express, Discover, JCB International, MasterCard, and Visa)
   - applies to entities that store, process or transmit cardholder information: retailers, on-line merchants, payment processing companies
5. Components of PCI DSS
   - 6 principles, 12 major requirements, many sub-requirements and detailed requirements, and testing procedures
   - 6 objectives:
     - Build and Maintain a Secure Network
     - Protect Cardholder Data
     - Maintain a Vulnerability Management Program
     - Implement Strong Access Control Measures
     - Regularly Monitor and Test Networks
     - Maintain an Information Security Policy
6. PCI DSS Logistics
   - PCI Security Standards Council sets the overall high-level requirements
   - each card issuer enforces the standard and sets validation requirements and penalties
   - different merchant / service provider levels, with requirements for each level
     - e.g. Level 1: merchants with 6M+ transactions annually; most stringent requirements (ASV scans, QSA audits)
   - most recent version: PCI DSS v2.0
   - continuously updated as new threats emerge
7. Is PCI DSS Effective? Effectiveness of PCI DSS
   - 2011 Ponemon Institute & Imperva study: 64% of compliant firms had no breaches over the past two years, vs. only 38% of non-compliant firms
   - 2011 Cisco study:
     - 70% feel that their organizations are more secure
     - 87% feel that PCI compliance is necessary
     - 60% are using PCI compliance to drive other network security projects
   - it appears that most organizations regard PCI DSS as an effective tool for improving cardholder security
8. Is PCI DSS Effective? Ineffectiveness of PCI DSS
   - PCI DSS compliant firms still experience security breaches
     - e.g. Hannaford Bros, breach in 2008: theft of 4.2 million customer card numbers
     - e.g. Heartland Payment Systems, breach in 2008: 130 million credit card numbers exposed
   - Critics: PCI DSS is ineffective as it has failed to prevent data breach incidents
9. Is PCI DSS Effective? Ineffectiveness of PCI DSS (continued)
   - developed by card companies to shift blame to retailers rather than actually preventing cybercrime
   - lack of standardization
   - high cost of compliance: $3.8M implementation cost for Level 1 merchants
   - executives see PCI DSS as a burden, not an investment
   - ROI unknown
10. PCI DSS: effective guideline, but does not guarantee security
   - breaches at PCI DSS compliant firms show that even compliance does not guarantee protection against security breaches
   - PCI DSS is only a framework for protecting cardholder data; it will not 100% guarantee security
   - effective in laying the groundwork for a secure system
   - forces entities to be continuously compliant
11. PCI DSS and Canada
   - Canadians are among the most frequent users of debit and credit cards
   - Canada seen as vulnerable to hackers and data thieves due to:
     - lack of strong Canadian privacy legislation
     - inadequate IS security at Canadian SMEs
     - lag in adopting Chip & PIN technology on credit cards
   - Canada has relied upon PCI DSS to improve cardholder data security
12. Impact of PCI DSS on the Accounting Profession
   - opens numerous opportunities for the accounting profession
   - CAs can act as consultants to businesses
   - CAs can act as QSAs to assess PCI DSS compliance
   - CAs can work together with the PCI to achieve greater protection of cardholder data
13. Impact of PCI DSS on the Accounting Profession (continued)
   - CAs acting as QSAs can offer integrated services to clients: PCI compliance & S. 5970 audit
   - efficiencies can be gained
   - however, should be aware of differences in:
     - framework
     - testing period
     - scope
14. Conclusion
   - PCI DSS is a critical step towards improving the security of cardholder data in Canada and worldwide
   - presents new opportunities for the accounting profession