Total FBO User Conference

  1. The Need for PCI TotalFBO User Conference Presented by Branden R. Williams [email_address] September 17, 2009
  2. PCI Data Security Standard Overview: The History of PCI DSS
     - 2001-3: Separate Visa (2001) and MasterCard (2003) programs
     - 2004: Programs combined into the Payment Card Industry (PCI) Data Security Standard (DSS); 12 core requirements; scanning requirements for public-facing systems
     - 2005: Payment Application Best Practices program announced
     - 2006: PCI Security Standards Council formed and PCI DSS version 1.1 released
     - 2008: PA-DSS released; new SAQs released; PCI DSS version 1.2
  3. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Branden R. Williams reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Unpublished work of Branden R. Williams. © All rights reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of Branden R. Williams. Access to this work is restricted to Branden R. Williams and any employee who has a need to know in order to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected or adapted without the prior written consent of Branden R. Williams.

Editor's Notes

  1. 11/04/09
  2. PCI has been a long time in the making. The current standards are largely based on independent efforts by Visa USA and MasterCard International. At the beginning of the century, credit card fraud was increasing at an astronomical rate. To combat the large losses suffered by member banks, Visa created the Cardholder Information Security Program (CISP). This program aimed to address weaknesses in the structure of the payment card industry and in the implementations of large merchant systems. Two years later, MasterCard announced the Site Data Protection (SDP) program, with a list of standards largely aimed at electronic commerce merchants. In December 2004, Visa and MasterCard joined forces and released the Payment Card Industry Data Security Standard (PCI-DSS). This unified approach solved many of the problems created by two independent standards trying to address the same root problem. The PCI-DSS is made up of 12 core requirements (sometimes called the 12 Pillars or the Digital Dozen) and ongoing maintenance programs to ensure compliance is maintained on a day-to-day basis. In response to a large number of payment application compromises (largely point-of-sale and shopping-cart based), Visa USA created the Payment Application Best Practices (PABP) program in 2005. The intent of this program was to combat large-scale breaches caused by poorly written payment applications. The program has gained adoption, and more than 80 applications are now certified. PABP has been superseded by the Payment Application Data Security Standard (PA-DSS), which is managed by the PCI Security Standards Council. On September 7, 2006, the PCI Security Standards Council was officially announced in conjunction with version 1.1 of the PCI standard. During 2008, we’ve seen a new revision of the PCI-DSS, updated self-assessment questionnaires (which are consequently now out of date with version 1.2 of the standard), and the release of the PA-DSS.