Evolution Pci For Pod1

  1. PCI Data Security Standards information for Merchants, by Evolution Security Systems
  2. Agenda
     • Company Background
     • Background of PCI
     • 12 Key Requirements of PCI
     • What if I am not compliant?
     • What should I do?
     • Summary
     • Questions and Answers
  3. Company Background
     • Founded in 1999 in the UK, Evolution is a specialised network and Internet system security firm.
     • The group's headquarters is located in London, with offices in 7 locations worldwide. Hong Kong is the regional headquarters for APAC.
     • Provides a full range of System Security and Network Management solutions, covering both products and services.
  4. Product and Service Coverage
     To enhance security posture by applying Preventive-Detective-Corrective optimisation of assets and appropriate controls, Evolution's consultants have expertise with the industry-leading security solutions and services below, as your trusted partner:
     • Information Security Policy
     • Incident Management (eSecure)
     • Security Management
     • Compliance (PCI, ISO27001)
     • Vulnerability and Risk Assessment
     • Web / Application Penetration Testing
     • Gap Analysis
     • Independent Assessment
     • Incident Response Services
     • Security Managed Services
     • Professional Services and Consulting
     • Firewall / Virtual Private Network (VPN)
     • Access Control (Network & End-Point)
     • Data Loss Prevention
     • Intrusion Prevention Solution
     • Encryption
     • Authentication
     • Antivirus & AntiSpam
     • Content Filtering
     • Application Security
  5. Valued Vendor Partners
  6. Our Clients
  7. Background of PCI
  8. In 2006, data on 40 million credit cards was compromised through breaches at third-party payment processors.
  9. PCI DSS is a joint effort by Visa, MasterCard, American Express, Discover and JCB. PCI applies to all merchants and service providers that process, transmit, or store credit card information. The standard is enforced by the card companies and acquiring banks.
  10. When Should I Act? “All Deadlines had Passed” (Bob Russo, Director, PCI Security Standards Council)
  11. The Pressure is Here… Visa has recently issued letters to service providers demanding that they be compliant and certified by as early as June 2008. This is the long-awaited final call to the industry. There is no more excuse of “I don’t know” or “PCI has nothing to do with my organization”.
  12. 12 Key Requirements of PCI
  13. 12 Key Requirements for All Organizations
     Protect Cardholder Data
       1. Protect stored data (in both hardcopy and electronic copy)
       2. Encrypt transmissions of cardholder data (electronic copy)
     Implement Strong Access Control Measures
       3. Restrict access by need-to-know
       4. Assign unique IDs to all users
       5. Restrict physical access to cardholder data (hardcopy)
     Regularly Monitor and Test Networks
       6. Track and monitor access to cardholder data
       7. Regularly test security systems and processes
     Maintain an Information Security Policy
       8. Maintain an information security policy
     Build and Maintain a Secure Network
       9. Install and maintain a firewall
       10. Do not use vendor default passwords
     Maintain a Vulnerability Management Program
       11. Use and update antivirus software
       12. Develop and maintain secure systems and applications
  14. Guidelines for Credit Card Data Storage

     Data Element                                  Storage Permitted   Protection Required   PCI DSS Req. 3.4
     Cardholder Data (hardcopy and electronic copy)
       Primary Account Number (PAN)                Yes                 Yes                   Yes
       Cardholder Name                             Yes                 Yes                   No
       Service Code                                Yes                 Yes                   No
       Expiration Date                             Yes                 Yes                   No
     Sensitive Authentication Data
       Full Magnetic Stripe                        No                  N/A                   N/A
       CVC2 / CVV2 / CID                           No                  N/A                   N/A
       PIN / PIN Block                             No                  N/A                   N/A
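The storage table above can be enforced as a check before any post-authorisation record is written: sensitive authentication data is refused outright, and the PAN is kept only in a protected form. This is an added example, not code from the Evolution deck; the field names, the HMAC key and the sample record are constructed for illustration, and truncation plus a keyed one-way hash is one of the Req. 3.4 options for rendering the PAN unreadable.

```python
import hashlib
import hmac

# Field names are assumptions for this example, not terms defined by PCI DSS.
SENSITIVE_AUTH_DATA = {"full_magnetic_stripe", "cvc2", "cvv2", "cid", "pin", "pin_block"}
STORABLE = {"pan", "cardholder_name", "service_code", "expiration_date"}

class StorageViolation(ValueError):
    """Raised when a record must not be written in the form presented."""

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that card numbers satisfy; catches mangled PANs before hashing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return len(digits) >= 13 and total % 10 == 0

def protect_pan(pan: str, key: bytes) -> dict:
    """Req. 3.4: render the PAN unreadable wherever it is stored. Here the stored
    form is a truncation (last four digits) plus a keyed one-way hash for matching."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not luhn_valid(digits):
        raise StorageViolation("field 'pan' does not hold a valid card number")
    return {"pan_last4": digits[-4:],
            "pan_hmac": hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()}

def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Gate a post-authorisation record against the storage table: any SAD field
    aborts the write, the PAN is replaced by its protected form, the rest pass."""
    sad_present = sorted(SENSITIVE_AUTH_DATA & set(record))
    if sad_present:
        raise StorageViolation(f"sensitive authentication data must not be stored: {sad_present}")
    unknown = sorted(set(record) - STORABLE)
    if unknown:
        raise StorageViolation(f"fields not covered by the storage policy: {unknown}")
    stored = {k: v for k, v in record.items() if k != "pan"}
    if "pan" in record:
        stored.update(protect_pan(record["pan"], key))
    return stored

HMAC_KEY = b"placeholder-key-from-a-key-manager"  # constructed placeholder, not a real secret
AUTHORISED = {"pan": "4111 1111 1111 1111", "cardholder_name": "J. Doe",  # constructed sample
              "expiration_date": "1226", "service_code": "201", "cvv2": "123"}

if __name__ == "__main__":
    try:
        prepare_for_storage(AUTHORISED, HMAC_KEY)  # rejected: cvv2 still present
    except StorageViolation as exc:
        print("rejected:", exc)
    print(prepare_for_storage({k: v for k, v in AUTHORISED.items() if k != "cvv2"}, HMAC_KEY))
```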
  15. What if I am not compliant?
  16. What if my business is not PCI compliant?
     • In case of compromise, your business is at risk of potential financial liabilities (including the full cost of any fraud perpetrated on compromised card accounts)
     • In addition, your business may have to bear investigative and legal costs, as well as charges to re-issue compromised credit cards
     • Invasive media attention could cause significant damage to the image of your business
     • In some cases, a single compromise can cause enough damage to close down a business
     • PCI DSS protects cardholders and minimises the risk to your business
  17. By being PCI Compliant
     • A compromise is less likely to happen
     • You obtain “Safe Harbor” status: credit card companies will not levy compromise fees if it is confirmed that the organisation was PCI compliant at the time of compromise
     • Easily identify any risks in the way you store or transmit customer data
     • Provide a clear path of action and remediation to address any data security risks
     • Ensure that your service providers do not put your business at risk
     • Demonstrate to your customers that you are serious about their data
     • Most importantly, as a merchant, PCI compliance is compulsory
  18. What should I do?
  19. Merchant Levels
     Others (Level 4)
       • Annual Self-Assessment Questionnaire
       • Quarterly network scan by ASV (if applicable)
     Processing 20,000 to 1,000,000 e-commerce transactions annually (Level 3)
       • Annual Self-Assessment Questionnaire
       • Quarterly network scan by ASV
     Processing 1,000,000 to 6,000,000 transactions annually (Level 2)
       • Annual Self-Assessment Questionnaire
       • Quarterly network scan by ASV
       • Annual Onsite Review (optional)
     Processing over 6,000,000 transactions annually, OR merchants that a card company determines should meet the Level 1 merchant requirements (Level 1)
       • Annual onsite assessment by QSA
       • Quarterly network scan by ASV
       • Self-Assessment Questionnaire (optional)
  20. 6-Step PCI Compliance Process
     Step 1: Define which merchant level your business belongs to
     Step 2: Map out the data flows in your business
     Step 3: Conduct a Gap Analysis and scope the project
     Step 4: Plan and implement remediation
     Step 5: Obtain certification
     Step 6: Stay compliant
  21. Evolution’s Full PCI Cycle
     • Seeking assistance from QSA and Consultants
     • Conducting Gap Analysis
     • Prioritising Remediation
     • Implementing changes & safeguards
     • Maintaining Compliance
  22. Summary
  23. Work…
     • Scanning the networks that carry credit card transactions
     • On-site audit and interview sessions
     • Review of all related agreements with third parties on credit card information handling
     • Review of all related procedure documents and policies
  24. Remember…
     • All merchants must comply with PCI DSS, regardless of size. The only difference is the type of validation required
     • All deadlines have passed. All parties that process credit card data must comply now.
     • A single compromise can cause significant damage to your company, or even put you out of business
     • Evolution provides a full cycle of PCI QSA services, helping you understand, assess, remediate, obtain certification, and stay compliant
  25. Questions and Answers. For more information, visit http://pci.evolve-online.com
  26. Contact Us: Global Headquarters and Other Locations
     • Global Headquarters: 11 La Rue Grellier, Rue des Pres Trading Est, St. Saviour JE1 3UP, Jersey. Tel: +44 (0)1534 728827
     • UK Headquarters: 42 Bloomsbury Street, London, United Kingdom WC1B 3QJ. Tel: +44 (0)870 112 5434
     • EMEA Solutions and sales office: Roseneath, The Grange, St. Peter Port GY1 2QJ, Guernsey. Tel: +44 (0)870 112 5434
     • UK Solutions and sales (North): IC2, Keele University Science Park, Keele, Staffordshire, United Kingdom ST5 5NH. Tel: +44 (0)870 112 5434
     • UK Solutions and sales (Midlands): Tochi House, Park Circle, Swan Valley, Northampton NN4 9BH, United Kingdom. Tel: +44 (0)870 112 5434
     • UK Solutions and sales (South): Portsmouth Technopole, Kingston Crescent, Portsmouth, Hampshire, United Kingdom PO2 8FA. Tel: +44 (0)870 112 5434