Payment Card Industry Security Standards
Presentation on Payment Card Industry Security Standards

  1. Payment Cards Industry Security Standards
  2. What is a payment card?
     "A card that can be used by a cardholder and accepted by a merchant to make a payment"
     Types of payment cards:
       • Credit cards
       • Debit cards
       • Prepaid cards
  3. What is a payment card industry standard?
     "An information security standard for organizations that handle cardholder information for the major payment cards"
     Defined by the Payment Card Industry Security Standards Council
  4. Payment card security standards
     The PCI Security Standards comprise:
       • PCI Data Security Standard (PCI DSS)
       • Payment Application Data Security Standard (PA-DSS)
       • PIN Entry Device Security Requirements
  5. Payment Card Industry Data Security Standard
     PCI DSS consists of six categories:
       – Build and maintain a secure network
       – Protect cardholder data
       – Maintain a vulnerability management program
       – Implement strong access control measures
       – Regularly monitor and test networks
       – Maintain an information security policy
  6. Advantages of Complying with PCI DSS
       • Secure the systems
       • Trust of customers
       • Improves your reputation with acquirers and payment brands
       • Helps to prevent security breaches
       • Helps to prevent theft of payment card data
       • Indirect benefits:
         – Have a basis for a corporate security strategy
         – Can identify ways to improve the efficiency of IT infrastructure
  7. Effectiveness and Cost of PCI DSS
       • Larger and well-budgeted companies are able to achieve better compliance
       • Smaller companies often have difficulty in interpreting the standards because they have fewer resources
  8. Technologies Involved
       • Firewalls
       • Anti-virus
       • Anti-malware solutions
       • Encryption for data at rest and in motion
  9. Threats of Giving Payment Card Information
       • Unauthorized payments
       • Misuse for illegal transactions
       • Identity theft
       • Tracking the transactions
  10. How PCI DSS Helps to Safeguard Customers from Fraud
       • Install and maintain a firewall configuration to protect cardholder data
       • Encrypt transmission of cardholder data across open, public networks
       • Use and regularly update anti-virus software or programs
       • Develop and maintain secure systems and applications
  11. How PCI DSS Helps to Safeguard Customers from Fraud (cont.)
       • Restrict physical access to cardholder data
       • Track and monitor all access to network resources and cardholder data
       • Regularly test security systems and processes
       • Maintain a policy that addresses information security for employees and contractors
  12. How to Detect a Security Incident
     Detection techniques:
       – Decision tree
       – Genetic algorithms and other algorithms
       – Clustering techniques
       – Neural networks
       – Examine security event logs on
  13. How to Prevent a Security Incident
     "No such thing as perfect security"
       • Implement an incident handling process
       • Change default passwords and don't reuse passwords
       • Examine security logs
       • Regular network scans
       • Patch and update regularly
       • Raise user awareness about information security
  14. How to Provide an Appropriate Response to Security Incidents
       • Verify the incident and its impact
       • Evidence collection from suspected hosts
       • Forensic acquisitions
       • Assemble required personnel and determine escalation procedures
       • Identify regulatory or legal requirements
       • Effectively contain and segment affected areas
       • Learn from the incident
  15. PCI Data Security Standard for Merchants & Processors
       • Build and Maintain a Secure Network
       • Protect Cardholder Data
       • Maintain a Vulnerability Management Program
       • Implement Strong Access Control Measures
       • Regularly Monitor and Test Networks
       • Maintain an Information Security Policy
  16. How to Comply with PCI DSS
       • Comply with the technical and operational requirements set by the PCI Security Standards Council
       • Compliance requirements vary depending on the brand of the payment card (e.g., Visa, MasterCard)
  17. Payment Application Data Security Standard for Developers
       • The PA-DSS minimizes vulnerabilities in payment applications
       • PA-DSS covers commercial payment applications, integrators and service providers
  18. Payment Application Data Security Standard for Developers (cont.)
       • Do not retain full magnetic stripe, card validation code or value, or PIN block data
       • Provide secure password features
       • Protect stored cardholder data
       • Log application activity
       • Develop secure applications
       • Protect wireless transmissions
       • Test applications to address vulnerabilities
  19. PIN Entry Device Security Requirements for Manufacturers
       • Applies to companies that make devices which accept PIN entry for all PIN-based transactions
       • PED Security Requirements:
         – Device Characteristics
           • Physical Security Characteristics
           • Logical Security Characteristics
         – Device Management
           • Device Management during Manufacturing
           • Device Management between Manufacturing and Initial Key Loading
  20. Conclusion
       • PCI DSS has enhanced the security of cardholders' data to a great extent
       • Has helped raise awareness of data security in the business world
       • Has improved consumer confidence in the security of personal information
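Slide 18 lists the PA-DSS rules an application must follow: never retain the card validation code, protect stored cardholder data, and log activity without leaking card numbers. The Python below is an added example (not from the presentation or any PCI SSC material) showing the three together: a Luhn check to recognise a PAN, masking to the first six and last four digits, a log scrubber that redacts any Luhn-valid PAN, and a storage record that deliberately drops the CVV. The function names, the constructed log lines and the well-known "4111..." test number are the author's assumptions, not page content.

```python
import re
from typing import Optional

# Constructed sample: a standard test PAN, not a real card number
TEST_PAN = "4111111111111111"

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used on payment card PANs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Return the PAN masked to first six and last four digits (PCI DSS display masking)."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form.
    Non-PAN digit runs (order ids, timestamps) are left untouched."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_RE.sub(repl, line)

def build_stored_record(pan: str, expiry: str, cvv: Optional[str] = None) -> dict:
    """Build the record an application is allowed to persist after authorisation.
    The CVV parameter exists only so the caller's request object can be passed
    straight through; it is never copied into the stored record (PA-DSS rule)."""
    return {"pan_masked": mask_pan(pan), "expiry": expiry}

if __name__ == "__main__":
    # Constructed log line as it might arrive from an application before scrubbing
    print(scrub_log_line("2024-01-01 auth ok card=4111 1111 1111 1111 amount=12.50"))
    print(build_stored_record(TEST_PAN, "12/27", cvv="123"))
```

Masking is what PCI DSS permits for display and logs; if the full PAN must be kept for business reasons it has to be stored encrypted, which this example does not cover.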