SlideShare a Scribd company logo

Introduction to PCI DSS

Saumya Vishnoi
Saumya Vishnoi

This talk was presented in NULL Delhi chapter meet in 2014, as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS

Technology
1 of 37
A Dive into Payment Card Industry (PCI) By Saumya Vishnoi
About me • Working as Security Consultant in SISA information Security • PCI-QSA
Why is this Important ? • 2013– Year of Braches • Biggest breaches– • Target credit card breach • US beauty products chain ’Sally Beauty’ breach • Adobe breach Credit Card Information!!!!
• Credit Card data is one of the most valuable target for cyber criminals WHY ? That is where the Money is ;)
Payment Card
Payments Brands
Banks • Issuer Bank • Acquirer Bank
How a card Transaction Works ? (Card Present) Cardholder Merchants Issuer Acquirer (Merchant Bank) Acqu. Processor Issuing Processor
How a card Transaction Works ? (Card Not Present) Cardholder Acquirer (Merchant Bank) Acqu. Processor Issuer Issuing Processor E-Commerce Merchant Payment Gateway
Three Core Processing Actions – Authentication • Validation of cardholders identity and card being used – Authorization • Issuer approves or declines purchase – Settlement • Transfer of funds into merchant account once product/service shipped or delivered
Protection of Card Information
PCI-SSC • PCI Security Standard Council--- An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis. • Founded by ---- American Express, Discoverer Financial Services, JCB International, MasterCard Worldwide, VISA Inc.
PCI-PTS • PCI Pin Transaction Security • Set of security requirements focused on characteristics and management of devices related to payment processing activities. • For manufactures to be followed during the design, manufacture and transport of the device.
PA-DSS • Payment Application Data Security Standard • For only software applications that store, process or transmit card holder data as part of authorization and settlement. • Applied to only off the shelf sold application
PCI DSS Data Security Standard
PCI DSS Applicability • It applies to- • Systems that Store, Process and Transmit Card holder data • Systems that provide security services or may impact the security of Card Data Environment (CDE) • Any other Components or devices located within or connected to CDE
Card Holder Data
PCI-DSS Assessments • Qualified Assessors: • Self-Assessments Questionnaire:
Global Merchant Levels Level American Express MasterCard Visa 1 Merchants processing 2.5 million American Express Card transactions annually or any merchant that American Express otherwise deems a Level 1. Merchants processing over 6 million MasterCard transaction (all channels) annually, identified by another payment card brand as Level 1 or compromised merchants Large Merchants processing over 6,000,000 Visa transactions annually (all channels), or global merchants identified as Level 1 by any VISA region. 2 Merchants processing 50,000 to 2.5 million American Express transactions annually or any merchant that American Express otherwise deems a Level 2 Merchants processing 1 million to 6 million MasterCard transactions annually All Merchants meeting the Level 2 criteria of competing payment brand Merchants processing 1 million to 6 million Visa Transactions annually (all channels). 3 Merchants processing less than 50,000 American Express transaction annually Merchants processing over 20,000 MasterCard e-commerce transactions annually. All Merchants meeting the level 3 criteria of competing brand Merchants processing 20,000 to 1 million Visa e- commerce transactions annually. 4 N/A All other MasterCard merchants Merchants processing less than 20,000 Visa e- commerce transactions annually and all other merchants processing up to 1 million transactions annually
Requirement 1 Install and maintain a firewall configuration to protect cardholder data • Firewall and Router hardening • Firewall rule review • Firewall rule justification
Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters • Removal of defaults– settings, credentials • Hardening • Encrypted non-console access
Requirement 3 Protect stored cardholder data • Storage of card holder data • Not storing sensitive authentication data* • Security of data while storage • Masking of PAN*
Requirement 4 Encrypt transmission of cardholder data across open, public networks • Secure transmission – wired • Secure transmission – wireless • End user messaging
Requirement 5 Protect all systems against malware and regularly update anti-virus software or programs • Anti-Virus • Update and scan settings • Logs –generated , stored
Requirement 6 Develop and maintain secure systems and applications • Risk ranking • Patching • Change Control • Secure development • Web Application Firewall
Requirement 7 Restrict access to cardholder data by business need to know • Access rights assigned on need to know basis • User creation and deletion process
Requirement 8 Identify and authenticate access to system components • Unique user ID • User access review • 2-factor authentication for remote access
Requirement 9 Restrict physical access to cardholder data • Physical access control • CCTV • Visitor Policy • Physical security of Media • Secure Destruction of Media • Protecting POS devices from tempering
Requirement 10 Track and monitor all access to network resources and cardholder data • Enable Logs • Time synchronization • FIM on logs • Log review • Retention period
Requirement 11 Regularly test security systems and processes • Wireless scan • Internal VA • Internal PT • External VA • External PT • Application Testing • FIM
Requirement 12 Maintain a policy that addresses information security for all personnel • Information Security Policy • Risk assessment • Awareness training • Background verification
References • PCI_DSS Requirements and Security Assessment Procedure version 2.0 • PCI_DSS Requirements and Security Assessment Procedure version 3.0 • PCI Quick Reference Guide
Questions ?
Thank You saum98@gmail.com

Recommended

PCI DSS
PCI DSSPCI DSS
PCI DSSDuy Do Phan
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI complianceJisc
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS ComplianceSaumya Vishnoi
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 

Recommended

PCI DSS
PCI DSSPCI DSS
PCI DSSDuy Do Phan
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI complianceJisc
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS ComplianceSaumya Vishnoi
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates VISTA InfoSec
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and YouSchellman & Company
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration TestingNetwork Intelligence India
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessEmilyGladstoneCole
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartJames W. De Rienzo
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 IntroductionAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsKarthikeyan Dhayalan
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness TrainingDenis kisina
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 Erick Kish, U.S. Commercial Service
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance ReadinessAl Abbas, PMP, CISSP, MBA, MSc
 

More Related Content

What's hot

Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates VISTA InfoSec
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsKarthikeyan Dhayalan
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness TrainingDenis kisina
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 

What's hot (20)

Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
The information security audit
The information security auditThe information security audit
The information security audit
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and Mindfulness
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCM
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 

Similar to Introduction to PCI DSS

PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI WonderlandMichele Chubirka
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptgealehegn
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfssuserbcc088
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should careSean D. Goodwin
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsNetSquared Vancouver
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…Rochester Security Summit
 
PCI DSS Compliance for Web Applications
PCI DSS Compliance for Web ApplicationsPCI DSS Compliance for Web Applications
PCI DSS Compliance for Web ApplicationsSavan Gadhiya
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security StandardsAshintha Rukmal
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Donald E. Hester
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010Donald E. Hester
 
Payment Card Industry Compliance for Local Governments CSMFO 2009
Payment Card Industry Compliance for Local Governments CSMFO 2009Payment Card Industry Compliance for Local Governments CSMFO 2009
Payment Card Industry Compliance for Local Governments CSMFO 2009Donald E. Hester
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011Donald E. Hester
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Donald E. Hester
 
PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...
PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...
PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...nostradelboy
 

Similar to Introduction to PCI DSS (20)

PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profits
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
 
PCI DSS Compliance for Web Applications
PCI DSS Compliance for Web ApplicationsPCI DSS Compliance for Web Applications
PCI DSS Compliance for Web Applications
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010
 
Payment Card Industry Compliance for Local Governments CSMFO 2009
Payment Card Industry Compliance for Local Governments CSMFO 2009Payment Card Industry Compliance for Local Governments CSMFO 2009
Payment Card Industry Compliance for Local Governments CSMFO 2009
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
 
PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...
PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...
PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...
 

More from Saumya Vishnoi

Kickstart your infosec career
Kickstart your infosec careerKickstart your infosec career
Kickstart your infosec careerSaumya Vishnoi
 
Privacy frameworks 101
Privacy frameworks 101Privacy frameworks 101
Privacy frameworks 101Saumya Vishnoi
 
GDPR for Security Professionals
GDPR for Security ProfessionalsGDPR for Security Professionals
GDPR for Security ProfessionalsSaumya Vishnoi
 
Taming the compliance beast in cloud
Taming the compliance beast in cloudTaming the compliance beast in cloud
Taming the compliance beast in cloudSaumya Vishnoi
 
Security Ecosystem of Digital Wallets
Security Ecosystem of Digital Wallets Security Ecosystem of Digital Wallets
Security Ecosystem of Digital Wallets Saumya Vishnoi
 
Beyond the Virtual World- Physical security and its importance
Beyond the Virtual World- Physical security and its importanceBeyond the Virtual World- Physical security and its importance
Beyond the Virtual World- Physical security and its importanceSaumya Vishnoi
 

More from Saumya Vishnoi (6)

Kickstart your infosec career
Kickstart your infosec careerKickstart your infosec career
Kickstart your infosec career
 
Privacy frameworks 101
Privacy frameworks 101Privacy frameworks 101
Privacy frameworks 101
 
GDPR for Security Professionals
GDPR for Security ProfessionalsGDPR for Security Professionals
GDPR for Security Professionals
 
Taming the compliance beast in cloud
Taming the compliance beast in cloudTaming the compliance beast in cloud
Taming the compliance beast in cloud
 
Security Ecosystem of Digital Wallets
Security Ecosystem of Digital Wallets Security Ecosystem of Digital Wallets
Security Ecosystem of Digital Wallets
 
Beyond the Virtual World- Physical security and its importance
Beyond the Virtual World- Physical security and its importanceBeyond the Virtual World- Physical security and its importance
Beyond the Virtual World- Physical security and its importance
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 

Recently uploaded (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Introduction to PCI DSS

  • 1. A Dive into Payment Card Industry (PCI) By Saumya Vishnoi
  • 2. About me • Working as Security Consultant in SISA information Security • PCI-QSA
  • 3. Why is this Important ? • 2013– Year of Braches • Biggest breaches– • Target credit card breach • US beauty products chain ’Sally Beauty’ breach • Adobe breach Credit Card Information!!!!
  • 4. • Credit Card data is one of the most valuable target for cyber criminals WHY ? That is where the Money is ;)
  • 8. How a card Transaction Works ? (Card Present) Cardholder Merchants Issuer Acquirer (Merchant Bank) Acqu. Processor Issuing Processor
  • 9. How a card Transaction Works ? (Card Not Present) Cardholder Acquirer (Merchant Bank) Acqu. Processor Issuer Issuing Processor E-Commerce Merchant Payment Gateway
  • 10. Three Core Processing Actions – Authentication • Validation of cardholders identity and card being used – Authorization • Issuer approves or declines purchase – Settlement • Transfer of funds into merchant account once product/service shipped or delivered
  • 11. Protection of Card Information
  • 12. PCI-SSC • PCI Security Standard Council--- An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis. • Founded by ---- American Express, Discoverer Financial Services, JCB International, MasterCard Worldwide, VISA Inc.
  • 13.
  • 14. PCI-PTS • PCI Pin Transaction Security • Set of security requirements focused on characteristics and management of devices related to payment processing activities. • For manufactures to be followed during the design, manufacture and transport of the device.
  • 15. PA-DSS • Payment Application Data Security Standard • For only software applications that store, process or transmit card holder data as part of authorization and settlement. • Applied to only off the shelf sold application
  • 17.
  • 18. PCI DSS Applicability • It applies to- • Systems that Store, Process and Transmit Card holder data • Systems that provide security services or may impact the security of Card Data Environment (CDE) • Any other Components or devices located within or connected to CDE
  • 20. PCI-DSS Assessments • Qualified Assessors: • Self-Assessments Questionnaire:
  • 21.
  • 22. Global Merchant Levels Level American Express MasterCard Visa 1 Merchants processing 2.5 million American Express Card transactions annually or any merchant that American Express otherwise deems a Level 1. Merchants processing over 6 million MasterCard transaction (all channels) annually, identified by another payment card brand as Level 1 or compromised merchants Large Merchants processing over 6,000,000 Visa transactions annually (all channels), or global merchants identified as Level 1 by any VISA region. 2 Merchants processing 50,000 to 2.5 million American Express transactions annually or any merchant that American Express otherwise deems a Level 2 Merchants processing 1 million to 6 million MasterCard transactions annually All Merchants meeting the Level 2 criteria of competing payment brand Merchants processing 1 million to 6 million Visa Transactions annually (all channels). 3 Merchants processing less than 50,000 American Express transaction annually Merchants processing over 20,000 MasterCard e-commerce transactions annually. All Merchants meeting the level 3 criteria of competing brand Merchants processing 20,000 to 1 million Visa e- commerce transactions annually. 4 N/A All other MasterCard merchants Merchants processing less than 20,000 Visa e- commerce transactions annually and all other merchants processing up to 1 million transactions annually
  • 23. Requirement 1 Install and maintain a firewall configuration to protect cardholder data • Firewall and Router hardening • Firewall rule review • Firewall rule justification
  • 24. Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters • Removal of defaults– settings, credentials • Hardening • Encrypted non-console access
  • 25. Requirement 3 Protect stored cardholder data • Storage of card holder data • Not storing sensitive authentication data* • Security of data while storage • Masking of PAN*
  • 26. Requirement 4 Encrypt transmission of cardholder data across open, public networks • Secure transmission – wired • Secure transmission – wireless • End user messaging
  • 27. Requirement 5 Protect all systems against malware and regularly update anti-virus software or programs • Anti-Virus • Update and scan settings • Logs –generated , stored
  • 28. Requirement 6 Develop and maintain secure systems and applications • Risk ranking • Patching • Change Control • Secure development • Web Application Firewall
  • 29. Requirement 7 Restrict access to cardholder data by business need to know • Access rights assigned on need to know basis • User creation and deletion process
  • 30. Requirement 8 Identify and authenticate access to system components • Unique user ID • User access review • 2-factor authentication for remote access
  • 31. Requirement 9 Restrict physical access to cardholder data • Physical access control • CCTV • Visitor Policy • Physical security of Media • Secure Destruction of Media • Protecting POS devices from tempering
  • 32. Requirement 10 Track and monitor all access to network resources and cardholder data • Enable Logs • Time synchronization • FIM on logs • Log review • Retention period
  • 33. Requirement 11 Regularly test security systems and processes • Wireless scan • Internal VA • Internal PT • External VA • External PT • Application Testing • FIM
  • 34. Requirement 12 Maintain a policy that addresses information security for all personnel • Information Security Policy • Risk assessment • Awareness training • Background verification
  • 35. References • PCI_DSS Requirements and Security Assessment Procedure version 2.0 • PCI_DSS Requirements and Security Assessment Procedure version 3.0 • PCI Quick Reference Guide

Editor's Notes

  1. OCTAVE Overview
  2. OCTAVE Overview