Slide 1: Demystifying Payment Card Industry Data Security Standard Compliance
   Francis Ofungwu, Manager of Security Strategy, Rackspace
   Rackspace Partner Network www.rackspace.co.uk

Slide 2: Agenda
   • What is PCI-DSS?
   • Why Should My Business or Clients Be PCI-DSS Compliant?
   • Penalties For Non-Compliance
   • Penalties For Security Breaches
   • Key Steps Towards PCI-DSS Compliance
   • How Rackspace Can Help
   • Rackspace’s PCI-DSS Position
   • Questions

Slide 3: What is PCI-DSS?

Slide 4: What is PCI-DSS?
   According to the PCI Security Standards Council: PCI-DSS is a set of comprehensive requirements for enhancing payment account data security.
   • The standard was developed by the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.
   • The primary aim of the council was to help facilitate the broad adoption of consistent data security measures on a global basis.
   • “PCI DSS should now be considered Business As Usual for any merchant accepting cards.” (HSBC PCI-DSS Merchant Guide, January 2008)

Slide 5: Why Should My Business Be PCI-DSS Compliant?

Slide 6: Why Should My Business or Clients Be PCI-DSS Compliant?
   If your business stores, processes, or transmits cardholder data, there is a requirement to be PCI-DSS compliant. This also includes service providers that provide services for merchants who process, store, or transmit cardholder data.
   Non-compliance with PCI-DSS could lead to:
   • Loss of reputation
   • Increased costs for accepting credit card transactions
   • Substantial fines associated with security breaches and non-compliance
   • Revocation of a merchant’s ability to accept credit card payments.

Slide 7: Penalties for Non-Compliance

Slide 8: Penalties for Non-Compliance
   Penalties for non-compliance will depend on the card scheme. Examples of non-compliance penalties are as follows:

   Event                                           Penalty (Euro)
   Non-compliance after 30 days of notification    5,000 per incident of non-compliance letter
   Non-compliance after 90 days of notification    10,000 per incident of non-compliance letter
   Non-compliance after 120 days of notification   25,000 per incident of non-compliance letter

Slide 9: Penalties For Security Breaches

Slide 10: Penalties For Security Breaches
   When there is a breach, the card scheme will require an independent forensic investigation. As with the penalties for non-compliance, penalties levied for security breaches will depend on the card scheme. For example:

   Number of compromised accounts   Penalty
   0 – 19,999                       25,000
   20,000 – 99,999                  100,000
   100,000 – 199,999                200,000
   200,000 – 299,999                300,000
   300,000 – 399,999                400,000
   400,000 – 499,999                500,000
   >500,000                         750,000

Slide 11: Key Steps Towards PCI-DSS Compliance

Slide 12: Key Steps Towards PCI-DSS Compliance
   • Contact your merchant bank
   • Conduct a scoping exercise
   • Review business processes
   • Utilise the information on the PCI-SSC website: https://www.pcisecuritystandards.org/
   • Engage a QSA (Qualified Security Assessor)
   • Engage an ASV (Approved Scanning Vendor)
   • Don’t rest on your laurels

Slide 13: How Rackspace Can Help

Slide 14: How Rackspace Can Help
   The Rackspace PCI-DSS Toolbox solution: Hardware, Software, and Services
   • Managed Cisco Firewalls
   • VPN System Management Access (included with all firewalls)
   • Sophos/Symantec Anti-virus protection
   • SSL Certificates
   • Alert Logic Intrusion Detection Services (IDS)
   • PCI ASV Network Scanning Service (included with IDS)
   • Physical System Security (included with standard support)
   • Patch Management Services (included with standard support)

Slide 15: How Rackspace Can Help
   Build and Maintain a Secure Network
   Requirement 1: Install and maintain a firewall configuration to protect cardholder data
   • Fully Managed Cisco Firewalls
   • VPN System Management Access
   • Network Segmentation
   Requirement 2: Do not use vendor-supplied defaults for system passwords and other security requirements.
   Rackspace implements industry best practices in network device deployments to ensure that the system hardening specifications required by the standard are met.

Slide 16: How Rackspace Can Help
   Maintain a Vulnerability Management Program
   Requirement 5: Use and regularly update anti-virus software.
   Rackspace provides a Managed Anti-Virus solution that provides proactive protection against viruses, worms, Trojans, spyware and other malware.
   Requirement 6: Develop and maintain secure systems and applications.
   Rackspace provides a reliable and flexible Managed Patching service to help maintain secure systems.

Slide 17: How Rackspace Can Help
   Implement Strong Access Control Measures
   Requirement 9: Restrict physical access to cardholder data
   Rackspace physical security controls are based on the best practices set out in the ISO/IEC 27002:2005 Information Security Standard. These controls include:
   • Data centre access limited to Rackspace data centre technicians
   • Biometric scanning for controlled data centre access
   • Security camera monitoring at all data centre locations
   • 24x7 onsite staff provide additional protection against unauthorised entry
   • Unmarked facilities to help maintain a low profile

Slide 18: How Rackspace Can Help
   Regularly Monitor and Test Networks
   Requirement 11: Regularly test security systems and processes
   Rackspace offers an Intrusion Detection System (IDS) service that meets a number of sub-requirements set out in Requirement 11 of the standard, including the requirement for PCI-SSC approved internal and external vulnerability scanning.

Slide 19: Rackspace’s PCI-DSS Position

Slide 20: Rackspace’s PCI-DSS Position
   On June 30, 2009, Visa USA accredited Rackspace Hosting as a Compliant Level 1 Payment Card Industry (PCI) Service Provider.
   The scope of Rackspace’s 2009 PCI Service Provider accreditation covers the following:
   • Physical Security for:
     - UK & US Data centres
     - US & UK Offices
   • Network Infrastructure (Routers & Switches)
   • Rackspace employee access to Network Devices

Slide 21: Summary

Slide 22: Summary
   • If you store, process, or transmit cardholder data then you have a requirement to be PCI-DSS compliant.
   • There are penalties associated with non-compliance and data security breaches.
   • Rackspace can help you and your clients drive PCI-DSS compliance through the PCI-DSS Toolbox.
   • Review the information publicly available on the PCI-SSC website: https://www.pcisecuritystandards.org/

Slide 23: Questions