What Everybody Ought to Know About PCI DSS and PA-DSS


Published on

What Everybody Ought to Know About PCI DSS and PA-DSS.

Learn how to comply with the training requirements of PCI DSS, protect cardholder data, avoiding social engineering and malicious downloads and how to update software and anti-virus programs.

Published in: Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. PCI Council is a non profit organization whose mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data.

    These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence is three steps: Assess, Remediate and Report.
  • The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

    Build and Maintain a Secure Network and Systems
    1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
    3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program
    5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes

    Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel
  • Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future:
    As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats
    The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals
    When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise
  • But if you are not compliant, it could be disastrous:
    Compromised data negatively affects consumers, merchants, and financial institutions
    Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
    Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
  • One area that continues to grow in importance is the need for user training as people whom are involved in the processing, store, managing, or handling of personal credit cardholder information this affects everything from updating your passwords to avoiding phishing techniques and social engineering ploys to protecting your mobile devices by keeping software current. There are numerous real world examples that highlight the need for ongoing training and education so that users don’t fall prey or become victims to these potential threats.

    One organization that provides some good insights into this topic is the Ponemon Institute- an independent research firm that focuses on education to advance responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. In a recent research report prepared by the Ponemon Institute ‘Exposing the Cybersecurity Cracks: A Global Perspective’ the following information was presented:

    Raising the Human Security IQ:
    Fifty-two percent of companies do not provide cybersecurity education to their employees, with only 4 percent planning to do so in the next 12 months.
    Under half (42 percent) had undergone a cyber threat modelling process in their present role. Of those that did, nearly all, (94 percent) found it to be important in terms of managing their cyber risk.

    In a recent UK survey of financial services cyber security skills programs: almost all employers are looking for experienced staff, not trainees - and few have the skills in-house to organize a training program. There is, however, serious interest in using the frameworks on a modular basis to upgrade the skills of those in post and to cross-train users who understand the business.”

  • With criminals looking to steal valuable payment card information, businesses of all sizes are at risk.
    And persistent hackers are growing increasingly sophisticated and creative, so it’s important to clearly understand the nature of the threats that face us and take the necessary steps to protect our businesses and our customers.

  • Employees are the first line of defense against security attacks. But a lack of proper training and awareness can turn employees from assets into liabilities.

    In fact, a recent forensics report highlights the importance of educating employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing…

    However an Enterprise Management Association report states that 54% of employees have not received any security Awareness education – so you can see there’s quite a need for in additional education the market
  • So in addition to improving training and education, there are other steps you can take to reduce your risk.
    Most businesses don’t need to store any payment card data, so the number one thing you can do to limit your risk is to not store it unless absolutely necessary for business purposes!!
    The less you have, the less of a target you’ll be for hackers - so you need to make sure that you are not storing this data in your computers or on paper.
    In addition to knowing what data you store, it’s important to know what your technology vendors are storing.
  • If you are using commercially available point-of-sale, or POS systems, ask your payment software vendor to confirm that your software version has been PCI validated as not storing this data. Or, even better, go to the PCI Council’s website yourself and check the listing of validated payment software to see if yours is on there.
    Also confirm with your payment processor that they are following the PCI Data Security Standard and the Payment Application Data Security Standard – and that all cardholder data storage is necessary and appropriate for the transaction type.
    And don’t forget to talk to your bank about reviewing your technology and data storage practices.
  • Data breach reports continue to highlight that simple security measures such as changing passwords could have helped companies avoid the majority of compromises.
    Are you still using the blank or default password that came with your computer or payment software or device? Or are you using 12345 or password1?
    By using easy or default passwords, you leave the door wide open for attacks on your business.
    It’s been estimated that nearly 80% of breaches of confidential consumer information involved compromised passwords.
  • Hackers are always looking to take advantage of the latest known software bugs as well as uncover unknown problems with commercially available software products.
    Product vendors deal with this by releasing software updates or patches - but these are only good if you’re actually using them!
    Not doing your security software updates is like having locks on your doors but not locking them!
    Without the latest protections for your computer against viruses, spyware and other malicious software that can compromise your business, you’re leaving the door wide open for hackers.
    Many vendors now offer automated alert services that provide prompt notification to their clients.
    Some vendors also provide automated patching mechanisms.
    Take these alerts seriously and make sure you’re taking advantage of the latest updates to protect your computers and your business.
  • The best way to learn more about PCI Compliance is to keep current with industry news by keeping you and your teams educated on the latest threats and learn how to avoid these risks. In many cases the easiest way to prevent an attack is by having users trained on what to watch out for and consider implementing a security awareness training program for your company. The PCI Council has some great free resources on their website which you can leverage and you have the opportunity to participate via planning committees, community meetings, and updates via ongoing communications.
  • What Everybody Ought to Know About PCI DSS and PA-DSS

    1. 1. Navigating PCI Compliance: A Risk Avoidance Strategy Google Hangout Session July 23, 2014
    2. 2. This Is Where it All Began December 15, 2004 PCI DSS V1.0 is launced
    3. 3. Payment Credit Card Security Standards Who is the PCI Security Standards Council? • The PCI Security Standards Council is an open global forum responsible for the development, management, education, and awareness of the PCI Security Standards • Work closely with the five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. • PCI Council official launch occurred in 2006 • Current Data Security Standard is V3.0 published in November 2013 • Standards Committee has established: Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
    4. 4. What is PCI DSS and PA-DSS? • PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents. • This applies to any organization with a Merchant ID (MID) • PCI DSS V3.0 requirements must be completed by December 31st • Payment Application Data Security Standard (PA-DSS) is the global security standard created by the PCI Council in an effort to provide the definitive data standard for software vendors that develop payment applications • (ie. POS application or website ecommerce)
    5. 5. How Does This Affect My Business? Managing the Requirements: • Companies that accept, process, transmit, or store payment credit cardholder data must adhere to PCI Compliance requirements • Having a SSL certificate for your website is not enough as this doesn’t prevent malicious attacks or intrusions from occurring • If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required Positive Impact and Benefits: • Compliance with the PCI DSS means that your systems are secure, and you earn customer’s trust in managing their personal information resulting in future business potential • Helps you to be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc. • Establishes a baseline corporate security strategy • Assists in identification of methods to improve the efficiency of your IT infrastructure
    6. 6. What Happens if I don’t Comply? • Payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations • Banks will also most likely either terminate your relationship or increase transaction fees if your organization is non PCI compliant • Potential for lost revenues, customer transitions, and an overall negative image in the marketplace could negatively impact future earnings potential • Liable for lawsuits, insurance claims, cancelled accounts, payment card issuer fines, along with government fines
    7. 7. Security Training Requirements for PCI DSS V3.0
    8. 8. Current State of Data Security • Breaches make headlines • Businesses at risk regardless of size • The enemy is getting smarter • Companies must: • Understand the threats • Take steps to protect themselves and their customers.
    9. 9. • Industry demand has never been higher • The weakest link: The human • Social engineering • Lost/compromised login credentials • Careless behavior accounts for most incidents Need for Training
    10. 10. Reduce the Risk – Don’t Store Data • Don’t store any payment card data • The less you have, the smaller a target you’ll be • Know what your vendors are storing.
    11. 11. Reducing Risk – 3rd Party Data Security • Use PCI validated Point of Sale systems • Confirm that your vendors follow the PCI DSS and the PA DSS • Talk to your bank about reviewing your technology and data storage practices
    12. 12. Reducing Risk – Strong Passwords • Changing default passwords could have helped avoid the majority of compromises. • Nearly 80% of breaches of confidential consumer information involved compromised passwords.
    13. 13. Reducing Risk – Updating Software • Hackers take advantage of software bugs • Product vendors deal with this by releasing software updates and patches • Use automated alert services
    14. 14. Become Part of the Solution 1. Understanding of PCI Compliance and Requirements 2. Ongoing Education and Awareness 3. Take Steps to Safeguard your Business 4. Get Involved 5. Have a Plan