Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Payment Card Industry DSS
(PCI)
Presented By: Claire Gallagher EVP, OASIS Group
November 11th, 2013
Payment Card Industry DSS
(PCI)
What is PCI DSS?
Payment Card Industry Digital Security Standards
A collaborative effort t...
Agenda
•  Overview of PCI DSS
•  Compliance Levels and Requirements
•  How we Achieved PCI Compliance
•  Benefits of PCI t...
Overview of PCI
Topics in this section
•  PCI-DSS Defined
•  Merchant Level
•  Service Provider Levels
•  PCI Assessments
...
PCI Defined
Payment Card Industry Digital Security Standards:
A collaborative effort to achieve a common set of security
s...
Multiple Credit Card Organisations
Participating in PCI Efforts:
Members Include
• Visa
• MasterCard
• American Express (A...
Merchant Levels
Level Conditions
Level 1 Any Merchant processing over 6,000,000 transactions per
year, compromised in the ...
Service Provider Levels
Level Conditions
Level 1 Criteria: Visa System Processors or any service provider that
stores, pro...
Merchant Requirements
Level QSA Onsite
Review
Self
Assessment
Network
Security Scan
Level 1 REQUIRED
(Annually)
Not Requir...
Service Provider Requirements
QSA Onsite
Review
Self
Assessment
Network
Security Scan
Level 1 REQUIRED
(Annually)
Not Requ...
PCI DSS Structure
Six Key Sections:
•  Build and Maintain a Secure Network
•  Protect Cardholder Data
•  Maintain a Vulner...
Network Scanning
Targets Internet Facing Devices, Systems and
Applications Including :
•  Routers and Firewalls
•  Servers...
Self Assessment
A selected subset of the full Onsite Audit criteria
completed by the Merchant or Service Provider Submitte...
QSA Onsite Review
•  Is a detailed audit against the PCI Data Security Standard
•  Potentially targets all systems and net...
PCI Enforcement
•  Visa and MasterCard require their Acquirers to ensure the
compliance of their Merchants and Service Pro...
How OASIS Achieved Compliance
•  Engaged a third party Qualified Security Assessor (QSA’S).
•  Undertook a Gap Analysis.
•...
Benefits of PCI to You & Your Clients
•  Benefit #1: Decreased Risk of Security Breaches PCI
compliance isn't just about s...
Benefits of PCI to You & Your Clients
Continued…
Benefit #3: Boost In Customer Confidence
Your customers may not currently...
Benefits of PCI to You & Your Clients
Continued…
Benefit #4: Avoid Costly Fines
PCI compliance dramatically lowers your li...
Lessons Learned
•  Already having the ISO 27001 was a huge advantage
as the majority of the work was done as proven in our...
Download Presentation
www.oasisgroup.eu
Questions???
Upcoming SlideShare
Loading in …5
×

PCI_Presentation_OASIS

  • Login to see the comments

  • Be the first to like this

PCI_Presentation_OASIS

  1. 1. Payment Card Industry DSS (PCI) Presented By: Claire Gallagher EVP, OASIS Group November 11th, 2013
  2. 2. Payment Card Industry DSS (PCI) What is PCI DSS? Payment Card Industry Digital Security Standards A collaborative effort to achieve a common set of security standards for use by entities that process, store or transport payment card data.
  3. 3. Agenda •  Overview of PCI DSS •  Compliance Levels and Requirements •  How we Achieved PCI Compliance •  Benefits of PCI to you & your Clients •  Lessons Learnt •  Discussion, Questions
  4. 4. Overview of PCI Topics in this section •  PCI-DSS Defined •  Merchant Level •  Service Provider Levels •  PCI Assessments •  PCI Enforcement
  5. 5. PCI Defined Payment Card Industry Digital Security Standards: A collaborative effort to achieve a common set of security standards for use by entities that process, store or transport, payment card data.
  6. 6. Multiple Credit Card Organisations Participating in PCI Efforts: Members Include • Visa • MasterCard • American Express (Amex) • Diner’s Club • Discover Card • JCB.
  7. 7. Merchant Levels Level Conditions Level 1 Any Merchant processing over 6,000,000 transactions per year, compromised in the last year, or identified by another payment card brand as Level 1 Level 2 Any Merchant processing between 150,000 and 6,000,000 e-commerce transactions per year, or identified by another payment card brand as Level 2 Level 3 Any Merchant processing between 20,000 and 150,000 ecommerce transactions per year, or identified by another payment card brand as Level 3 Level 4 Any Merchant processing less than 20,000 e-commerce transactions per year, and all other Merchants processing up to 6,000,000 transactions per year
  8. 8. Service Provider Levels Level Conditions Level 1 Criteria: Visa System Processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year Validation Requirements: Annual Report on Compliance (ROC) by QSA, Quarterly network scan by Approved Scanning Vendor (ASV), Attestation of Compliance (AOC) Form Result: Included on Visa Europe’s List of PCI DSS validated service providers Level 2 Criteria: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year Validation Requirements: Annual Self-Assessment Questionnaire (SAQ), Quarterly network scan by Approved Scanning Vendor (ASV), Attestation of Compliance (AOC) Result: Not included on Visa Europe’s List of PCI DSS validated service providers
  9. 9. Merchant Requirements Level QSA Onsite Review Self Assessment Network Security Scan Level 1 REQUIRED (Annually) Not Required REQUIRED (Quarterly) Level 2 Not Required REQUIRED (Annually) REQUIRED (Quarterly) Level 3 Not Required REQUIRED (Annually) REQUIRED (Quarterly) Level 4 Not Required Recommended (Annually) Recommended (Annually)
  10. 10. Service Provider Requirements QSA Onsite Review Self Assessment Network Security Scan Level 1 REQUIRED (Annually) Not Required REQUIRED (Quarterly) Level 2 REQUIRED (Annually) REQUIRED (Annually) REQUIRED (Quarterly) Level 3 Not Required REQUIRED (Annually) REQUIRED (Quarterly)
  11. 11. PCI DSS Structure Six Key Sections: •  Build and Maintain a Secure Network •  Protect Cardholder Data •  Maintain a Vulnerability Management Program •  Implement Strong Control Measures •  Regularly Monitor and Test Networks •  Maintain an Information Security Policy
  12. 12. Network Scanning Targets Internet Facing Devices, Systems and Applications Including : •  Routers and Firewalls •  Servers and Hosts (Including Virtual!) •  Applications
  13. 13. Self Assessment A selected subset of the full Onsite Audit criteria completed by the Merchant or Service Provider Submitted to Acquirer(s) (eg: Visa, Mastercard) Made up mainly of Yes/No/Not Applicable responses Is broken into five of the six sections from PCI DSS: •  Build and Maintain a Secure Network •  Protect Cardholder Data •  Implement Strong Control Measures •  Regularly Monitor and Test Networks •  Maintain an Information Security Policy
  14. 14. QSA Onsite Review •  Is a detailed audit against the PCI Data Security Standard •  Potentially targets all systems and networks that store, process and/or transmit cardholder information •  Includes review of contractual relationships, but not assessment of the Third Parties themselves •  Biggest difficulties in having onsite reviews are the initial scoping and the subsequent cost of correction to compliant levels •  QSA provides a Report on Compliance when compliant for Submission to the Acquirer. Interim reports may be asked for by the Acquirer
  15. 15. PCI Enforcement •  Visa and MasterCard require their Acquirers to ensure the compliance of their Merchants and Service Providers. •  Visa and MasterCard are able to penalise their Acquirers for having Merchants or Service Providers that are noncompliant. •  Acquirers can pass on penalties to their Merchants and Service Providers through their contractual relationships. •  Penalties can presently be financial against the Acquirer and restrict a Merchant’s / Service Provider’s ability to accept transactions.
  16. 16. How OASIS Achieved Compliance •  Engaged a third party Qualified Security Assessor (QSA’S). •  Undertook a Gap Analysis. •  A Gap Analysis identifies the measurable gap between current policies, procedures and practices and the Payment Card Industry Data Security Standard. A Gap Analysis is the preferred route for identifying mechanisms to reduce risks and costs and processes associated with achieving compliance •  Scored 82% on the Gap Analysis. •  ISO 27001 covered a lot of the requirements in the PCI. •  1 week to close off issues raised in Gap Analysis, eg: Data Classification Policy, Abandoned Boxes Policy, Annual Information Security Training Program.
  17. 17. Benefits of PCI to You & Your Clients •  Benefit #1: Decreased Risk of Security Breaches PCI compliance isn't just about satisfying a list of guidelines -- it's a very real and proven way to protect you and your customers' data from outside attacks. In fact, a recent Verizon study found that compliant businesses are 50% more likely to successfully withstand a breach. •  Benefit #2: Peace of Mind For You (and Your Clients) With breaches much less likely to happen, you'll have one less thing to worry about in the daily course of running your business. You'll appreciate this peace of mind, and over time, your customers will, too (see the next benefit below).
  18. 18. Benefits of PCI to You & Your Clients Continued… Benefit #3: Boost In Customer Confidence Your customers may not currently understand every detail about what it means to be compliant, but their awareness about the issue is growing. Every day, more and more of your customers are growing savvy about how their data is protected when they use their credit cards. It's only a matter of time before customers see PCI compliance as a sign that your business follows best practices. That feeling of security will directly increase buyers' confidence, and make them more likely to choose you over a non-compliant competitor.
  19. 19. Benefits of PCI to You & Your Clients Continued… Benefit #4: Avoid Costly Fines PCI compliance dramatically lowers your likelihood of getting breached, but it doesn't completely eliminate the possibility. If you are breached, fines can grow as high as $500,000 per incident. Companies who are PCI compliant significantly reduce their risk of a breach, and therefore, their likelihood of receiving a fine. If a company is breached, regardless of their state of compliance, they must immediately inform customers and their processor of the data breach in writing. The processor or bank will initiate an audit on that company to see if the merchant was in fact PCI DSS compliant at the time of the breach. Benefit #5: Relatively Quick and Easy This is one benefit that comes from what PCI compliance doesn't do: with the right partner, you won't have to make any substantial changes or disruptions to your business while attaining compliance. The process may seem complicated (and in many ways, it is), but a good compliance partner will shield you from the complexities and make it seem simple.
  20. 20. Lessons Learned •  Already having the ISO 27001 was a huge advantage as the majority of the work was done as proven in our Gap Analysis. •  Unless it is a definite requirement for your client it is easier not to process credit card information, and remain a Merchant user. •  Take the time to choose the right QSA
  21. 21. Download Presentation www.oasisgroup.eu
  22. 22. Questions???

×