Demystifying Pci Dss

Rackspace PCI
Published in: Technology

  1. Demystifying Payment Card Industry Data Security Standard Compliance
     Francis Ofungwu, Manager of Security Strategy, Rackspace
     Rackspace Partner Network
  2. Agenda
     • What is PCI-DSS?
     • Why Should My Business or Clients Be PCI-DSS Compliant?
     • Penalties For Non-Compliance
     • Penalties For Security Breaches
     • Key Steps Towards PCI-DSS Compliance
     • How Rackspace Can Help
     • Rackspace’s PCI-DSS Position
     • Questions
  3. What is PCI-DSS?
  4. What is PCI-DSS?
     According to the PCI Security Standards Council, PCI-DSS is a set of comprehensive requirements for enhancing payment account data security.
     • The standard was developed by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.
     • The primary aim of the council was to facilitate the broad adoption of consistent data security measures on a global basis.
     • “PCI DSS should now be considered Business As Usual for any merchant accepting cards.” (HSBC PCI-DSS Merchant Guide, January 2008)
  5. Why Should My Business Be PCI-DSS Compliant?
  6. Why Should My Business or Clients Be PCI-DSS Compliant?
     If your business stores, processes, or transmits cardholder data, you are required to be PCI-DSS compliant. This also applies to service providers that provide services for merchants who store, process, or transmit cardholder data. Transaction volume affects only how compliance is validated (self-assessment questionnaire versus on-site assessment), not whether the requirements apply. Non-compliance with PCI-DSS could lead to:
     • Loss of reputation
     • Increased costs for accepting credit card transactions
     • Substantial fines associated with security breaches and non-compliance
     • Revocation of a merchant’s ability to accept credit card payments
  7. Penalties for Non-Compliance
  8. Penalties for Non-Compliance
     Penalties for non-compliance depend on the card scheme. Examples of non-compliance penalties are as follows:

     Event                                           Penalty (Euro), per incident of non-compliance letter
     Non-compliance after 30 days of notification      5,000
     Non-compliance after 90 days of notification     10,000
     Non-compliance after 120 days of notification    25,000
  9. Penalties For Security Breaches
  10. Penalties For Security Breaches
      When there is a breach, the card scheme will require an independent forensic investigation. As with the penalties for non-compliance, penalties levied for security breaches depend on the card scheme. For example:

      Number of compromised accounts   Penalty
      0 – 19,999                        25,000
      20,000 – 99,999                  100,000
      100,000 – 199,999                200,000
      200,000 – 299,999                300,000
      300,000 – 399,999                400,000
      400,000 – 499,999                500,000
      > 500,000                        750,000
  11. Key Steps Towards PCI-DSS Compliance
  12. Key Steps Towards PCI-DSS Compliance
      • Contact your merchant bank (acquirer): it determines your merchant level and therefore how you must validate compliance
      • Conduct a scoping exercise: identify every system that stores, processes or transmits cardholder data, and every system connected to one that does
      • Review business processes: stop storing or handling cardholder data wherever the business does not actually need it, which shrinks the scope
      • Utilise the information on the PCI-SSC website
      • Engage a QSA (Qualified Security Assessor) where an on-site assessment is required
      • Engage an ASV (Approved Scanning Vendor) for the required quarterly external vulnerability scans
      • Don’t rest on your laurels: compliance is validated periodically and must be maintained between assessments
  13. How Rackspace Can Help
  14. How Rackspace Can Help
      The Rackspace PCI-DSS Toolbox: hardware, software, and services
      • Managed Cisco firewalls
      • VPN system management access (included with all firewalls)
      • Sophos/Symantec anti-virus protection
      • SSL certificates
      • Alert Logic Intrusion Detection Services (IDS)
      • PCI ASV network scanning service (included with IDS)
      • Physical system security (included with standard support)
      • Patch management services (included with standard support)
  15. How Rackspace Can Help: Build and Maintain a Secure Network
      Requirement 1: Install and maintain a firewall configuration to protect cardholder data
      • Fully managed Cisco firewalls
      • VPN system management access
      • Network segmentation (isolating the cardholder data environment from the rest of the network reduces the number of systems in scope)
      Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
      Rackspace implements industry best practices in network device deployments to ensure the system hardening specifications required by the standard are met.
  16. How Rackspace Can Help: Maintain a Vulnerability Management Program
      Requirement 5: Use and regularly update anti-virus software
      Rackspace provides a managed anti-virus solution that gives proactive protection against viruses, worms, Trojans, spyware and other malware.
      Requirement 6: Develop and maintain secure systems and applications
      Rackspace provides a reliable and flexible managed patching service to help maintain secure systems. Note that patching covers only part of Requirement 6: the secure development practices and application-level controls it also demands (secure coding, and code review or a web application firewall for public-facing web applications) remain the customer’s responsibility.
  17. How Rackspace Can Help: Implement Strong Access Control Measures
      Requirement 9: Restrict physical access to cardholder data
      Rackspace physical security controls are based on the best practices set out in the ISO/IEC 27002:2005 information security standard. These controls include:
      • Data centre access limited to Rackspace data centre technicians
      • Biometric scanning for controlled data centre access
      • Security camera monitoring at all data centre locations
      • 24x7 onsite staff providing additional protection against unauthorised entry
      • Unmarked facilities to help maintain a low profile
  18. How Rackspace Can Help: Regularly Monitor and Test Networks
      Requirement 11: Regularly test security systems and processes
      Rackspace offers an Intrusion Detection System (IDS) service that meets a number of sub-requirements set out in Requirement 11 of the standard, including the quarterly internal and external vulnerability scans. Only the external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV); internal scans do not have to be run by an ASV.
  19. Rackspace’s PCI-DSS Position
  20. Rackspace’s PCI-DSS Position
      On June 30, 2009, Visa USA accredited Rackspace Hosting as a compliant Level 1 Payment Card Industry (PCI) Service Provider. The scope of Rackspace’s 2009 PCI Service Provider accreditation covers the following:
      - Physical security for:
        - UK & US data centres
        - US & UK offices
      - Network infrastructure (routers & switches)
      - Rackspace employee access to network devices
      Systems and applications that customers run on this infrastructure fall outside this scope and remain within the customer’s own PCI-DSS assessment.
  21. Summary
  22. Summary
      • If you store, process, or transmit cardholder data then you are required to be PCI-DSS compliant.
      • There are penalties associated with non-compliance and data security breaches.
      • Rackspace can help you and your clients drive PCI-DSS compliance through the PCI-DSS Toolbox.
      • Review the information publicly available on the PCI-SSC website.
  23. Questions