Payment Card Industry DSS (PCI)
Presented By: Claire Gallagher, EVP, OASIS Group
November 11th, 2013
What is PCI DSS?
Payment Card Industry Digital Security Standards: a collaborative effort to achieve a common set of security standards for use by entities that process, store or transport payment card data.
Agenda
•  Overview of PCI DSS
•  Compliance Levels and Requirements
•  How we Achieved PCI Compliance
•  Benefits of PCI to you & your Clients
•  Lessons Learnt
•  Discussion, Questions
Overview of PCI
Topics in this section
•  PCI-DSS Defined
•  Merchant Level
•  Service Provider Levels
•  PCI Assessments
•  PCI Enforcement
PCI Defined
Payment Card Industry Digital Security Standards: a collaborative effort to achieve a common set of security standards for use by entities that process, store or transport payment card data.
Multiple Credit Card Organisations Participating in PCI Efforts
Members include:
• Visa
• MasterCard
• American Express (Amex)
• Diner’s Club
• Discover Card
• JCB
Merchant Levels
Level 1: Any Merchant processing over 6,000,000 transactions per year, compromised in the last year, or identified by another payment card brand as Level 1
Level 2: Any Merchant processing between 150,000 and 6,000,000 e-commerce transactions per year, or identified by another payment card brand as Level 2
Level 3: Any Merchant processing between 20,000 and 150,000 e-commerce transactions per year, or identified by another payment card brand as Level 3
Level 4: Any Merchant processing less than 20,000 e-commerce transactions per year, and all other Merchants processing up to 6,000,000 transactions per year
Service Provider Levels
Level 1
Criteria: Visa System Processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Validation Requirements: Annual Report on Compliance (ROC) by QSA, quarterly network scan by Approved Scanning Vendor (ASV), Attestation of Compliance (AOC) Form
Result: Included on Visa Europe’s List of PCI DSS validated service providers
Level 2
Criteria: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Validation Requirements: Annual Self-Assessment Questionnaire (SAQ), quarterly network scan by Approved Scanning Vendor (ASV), Attestation of Compliance (AOC)
Result: Not included on Visa Europe’s List of PCI DSS validated service providers
Merchant Requirements
Level 1: QSA Onsite Review REQUIRED (Annually); Self Assessment Not Required; Network Security Scan REQUIRED (Quarterly)
Level 2: QSA Onsite Review Not Required; Self Assessment REQUIRED (Annually); Network Security Scan REQUIRED (Quarterly)
Level 3: QSA Onsite Review Not Required; Self Assessment REQUIRED (Annually); Network Security Scan REQUIRED (Quarterly)
Level 4: QSA Onsite Review Not Required; Self Assessment Recommended (Annually); Network Security Scan Recommended (Annually)
Service Provider Requirements
Level 1: QSA Onsite Review REQUIRED (Annually); Self Assessment Not Required; Network Security Scan REQUIRED (Quarterly)
Level 2: QSA Onsite Review REQUIRED (Annually); Self Assessment REQUIRED (Annually); Network Security Scan REQUIRED (Quarterly)
Level 3: QSA Onsite Review Not Required; Self Assessment REQUIRED (Annually); Network Security Scan REQUIRED (Quarterly)
PCI DSS Structure
Six Key Sections:
•  Build and Maintain a Secure Network
•  Protect Cardholder Data
•  Maintain a Vulnerability Management Program
•  Implement Strong Control Measures
•  Regularly Monitor and Test Networks
•  Maintain an Information Security Policy
Network Scanning
Targets Internet-facing devices, systems and applications, including:
•  Routers and Firewalls
•  Servers and Hosts (Including Virtual!)
•  Applications
Self Assessment
•  A selected subset of the full Onsite Audit criteria, completed by the Merchant or Service Provider
•  Submitted to Acquirer(s) (e.g. Visa, Mastercard)
•  Made up mainly of Yes/No/Not Applicable responses
•  Broken into five of the six sections from PCI DSS:
•  Build and Maintain a Secure Network
•  Protect Cardholder Data
•  Implement Strong Control Measures
•  Regularly Monitor and Test Networks
•  Maintain an Information Security Policy
QSA Onsite Review
•  Is a detailed audit against the PCI Data Security Standard
•  Potentially targets all systems and networks that store,
process and/or transmit cardholder information
•  Includes review of contractual relationships, but not
assessment of the Third Parties themselves
•  Biggest difficulties in having onsite reviews are the initial
scoping and the subsequent cost of correction to compliant
levels
•  QSA provides a Report on Compliance when compliant, for submission
to the Acquirer. Interim reports may be requested by the Acquirer
PCI Enforcement
•  Visa and MasterCard require their Acquirers to ensure the
compliance of their Merchants and Service Providers.
•  Visa and MasterCard are able to penalise their Acquirers for
having Merchants or Service Providers that are
noncompliant.
•  Acquirers can pass on penalties to their Merchants and
Service Providers through their contractual relationships.
•  Penalties can presently be financial against the Acquirer
and restrict a Merchant’s / Service Provider’s ability to
accept transactions.
How OASIS Achieved Compliance
•  Engaged a third party Qualified Security Assessor (QSA).
•  Undertook a Gap Analysis.
•  A Gap Analysis identifies the measurable gap between current policies,
procedures and practices and the Payment Card Industry Data Security
Standard. A Gap Analysis is the preferred route for identifying
mechanisms to reduce the risks, costs and processes associated with
achieving compliance.
•  Scored 82% on the Gap Analysis.
•  ISO 27001 covered a lot of the requirements in the PCI.
•  1 week to close off issues raised in the Gap Analysis, e.g. Data Classification
Policy, Abandoned Boxes Policy, Annual Information Security Training
Program.
Benefits of PCI to You & Your Clients
•  Benefit #1: Decreased Risk of Security Breaches
PCI compliance isn't just about satisfying a list of guidelines; it's a very real and proven way to protect you and your customers' data from outside attacks. In fact, a recent Verizon study found that compliant businesses are 50% more likely to successfully withstand a breach.
•  Benefit #2: Peace of Mind For You (and Your Clients)
With breaches much less likely to happen, you'll have one less thing to worry about in the daily course of running your business. You'll appreciate this peace of mind, and over time, your customers will, too (see the next benefit below).
Benefits of PCI to You & Your Clients
Continued…
Benefit #3: Boost In Customer Confidence
Your customers may not currently understand every detail about what it
means to be compliant, but their awareness about the issue is growing.
Every day, more and more of your customers are growing savvy about
how their data is protected when they use their credit cards. It's only a
matter of time before customers see PCI compliance as a sign that your
business follows best practices. That feeling of security will directly
increase buyers' confidence, and make them more likely to choose you
over a non-compliant competitor.
Benefits of PCI to You & Your Clients
Continued…
Benefit #4: Avoid Costly Fines
PCI compliance dramatically lowers your likelihood of getting breached, but
it doesn't completely eliminate the possibility. If you are breached, fines can
grow as high as $500,000 per incident. Companies who are PCI compliant
significantly reduce their risk of a breach, and therefore, their likelihood of
receiving a fine. If a company is breached, regardless of their state of
compliance, they must immediately inform customers and their processor of
the data breach in writing. The processor or bank will initiate an audit on that
company to see if the merchant was in fact PCI DSS compliant at the time of
the breach.
Benefit #5: Relatively Quick and Easy
This is one benefit that comes from what PCI compliance doesn't do: with
the right partner, you won't have to make any substantial changes or
disruptions to your business while attaining compliance. The process may
seem complicated (and in many ways, it is), but a good compliance partner
will shield you from the complexities and make it seem simple.
Lessons Learned
•  Already having the ISO 27001 was a huge advantage
as the majority of the work was done as proven in our
Gap Analysis.
•  Unless it is a definite requirement for your client it is
easier not to process credit card information, and
remain a Merchant user.
•  Take the time to choose the right QSA.
Download Presentation
www.oasisgroup.eu
Questions???