
Adoption of PCI in Brazil - 10th SegInfo Workshop - Presentation


Carlos Caetano – Associate Regional Director – Brazil (PCI Security Standards Council). Talk: Adoption of PCI in Brazil

Published in: Technology

  1. PCI Payment Protection Resources for Small Merchants. Carlos Caetano, Associate Regional Director – Brazil at PCI Security Standards Council
  2. Agenda: Intro; Background; Resources; Call to Action; What’s Next
  3. Intro
  4. What is the PCI Security Standards Council? Collaboration; Education; Simplified solutions for merchants
  5. What does the PCI Council produce? Standards, best practices and services; Training for assessors, acquirers and integrators; Validation and qualification of equipment, service providers, assessors and investigators. Scope: payment equipment, payment software, and merchant and payment service provider environments
  6. What’s this all about?
  7. Why? Small businesses around the world are increasingly targets for payment data theft:
     • 77% believe that their company is safe from cyber attacks
     • 80% of websites attacked every day belong to small merchants
     • Nearly half of global cyberattacks in 2015 were against small businesses
     • 48% of small businesses have been hit by at least one cyber-attack in the past 12 months
     • 20% see cyber security as a top business priority
     • 10% have never invested in improving the security of their website
     • 54% of SMEs say they’re concerned their business could be at risk from an attack
  8. Current Threats: SQL injection; weak passwords; spear phishing; malware / ransomware; remote attack vectors; poor patching. “No locale, industry or organization is bulletproof when it comes to the compromise of data” (Verizon 2016 DBIR)
  9. Birth and Rebirth of a Data Breach:
     • Targeted phishing campaign against a vendor
     • A person clicks on the email and malware is installed
     • A keylogger is deployed and the client’s static authentication credentials for the final target are stolen
     • Malware is installed directly in the final victim’s POS system
     • Malware functionality: scraping RAM and exporting data, establishing control and persistence
     Source: Verizon 2016 Data Breach Investigations Report
  10. Small Merchant Task Force
  11. PCI Small Merchant Task Force Objective: collaborate with the PCI community to address the needs of the small merchant market segment by providing guidance that:
     • Is simple, easy to understand and relevant to the unique needs of small merchants
     • Helps small merchants understand their responsibility for protecting payment card data and identify and mitigate areas of risk in their environment
     • Provides small merchants with the information needed when assessing their own environment, working with a QSA, and/or considering a new payment channel, vendor or service provider
  12. Global Participation: Merchants & Merchant Partners. “If the larger merchants and financial institutions themselves cannot be protected from data breaches, you can imagine how difficult protection is for independent small business owners.” “An issue that many small businesses have is that they do not have the in-house resources to be experts in all aspects of running a business. Small businesses rely on external expertise to simplify the complicated.”
  13. Meet Mary, Ms. Small Business (Mary, wine bar owner)
     • On her mind: “How do I sell more wine?”; “How do I differentiate my customers’ experience in a saturated market?”; “How do I find and keep good employees?”
     • Her dilemma: she wants to do the right thing for her customers and her business, BUT she doesn’t have time to understand “SSL Rootkits”
     • Who she calls: her bank; the 1-800 number on the sticker that’s on her payment system
     • Her needs: to understand why/how she’s at risk; the right questions to ask her bank and her payment system vendor for help; simple steps she can take
  14. Content Development Approach: Audience; Simple, not exhaustive; Accessible; Measurable
  15. Simplifying Security
  16. Simplifying Security: Payment Protection Resources for Small Merchants
  17. Simplifying Security: Guide to Safe Payments
  18. Simplifying Security: Guide to Safe Payments – Understanding Your Risk
  19. Simplifying Security: Guide to Safe Payments – Understanding Your Risk
  20. Simplifying Security: Guide to Safe Payments – Protecting Your Business with Security Basics (each basic rated by Cost, Ease and Risk Mitigation)
  21. Simplifying Security: Guide to Safe Payments – Protecting Your Business with Security Basics
  22. Simplifying Security: Guide to Safe Payments – Where to Get Help
     • Payment Brand List: List of Compliant Service Providers
     • PCI DSS and Related Guidance: More about PCI DSS; PCI DSS Self-Assessment Questionnaires; Guide: Skimming Prevention: Overview of Best Practices for Merchants
     • PCI Council Listings: List of Validated Payment Applications; List of Approved PTS Devices; List of Approved Scanning Vendors; List of Qualified Integrators/Resellers; List of P2PE Validated Solutions
  23. Simplifying Security: Common Payment Systems
  24. Simplifying Security: Common Payment Systems
  25. Simplifying Security: Common Payment Systems – Example (interactive diagram: “YES, this IS my setup, show me the details” / “NO, this IS NOT my setup, show me the next step” / “BACK to previous diagram”). Payment system Type 2; risk profile for mag stripe and chip: LOWER; protections listed
  26. Simplifying Security: Common Payment Systems – Example
  27. Simplifying Security: E-commerce Example (interactive diagram: “YES, this IS my setup, show me the details” / “NO, this IS NOT my setup, show me the next step” / “BACK to previous diagram”). Payment system Type 10; risk profile: LOWER; protections listed
  28. Simplifying Security: E-commerce Example
  29. Simplifying Security: Questions to Ask Your Vendors
  30. Simplifying Security: Glossary of Payment Information Security Terms
  31. How Can You Help?
  32. “Restaurateurs are not technology experts. They are skilled in culinary arts, general business management and hospitality. Like many small businesses, they are reliant on the expertise of others in the cybersecurity space. In order for small restaurants to thrive in the digital age, they will need significant help from the broader technology and security community.” David Matthews, National Restaurant Association, PCI Small Merchant Taskforce Co-Chair
  33. Call to Action – How You Can Help: Visit the PCI SSC website; Download; Share; Co-brand. https://www.pcisecuritystandards.org/pci_security/small_merchant
  34. Regional Participant Organizations
  35. Participating Organization Benefits (769 PCI Council Participating Organizations):
     • Advance review of standards and supporting materials before release, with the opportunity to provide feedback
     • Complimentary attendance at annual Community Meetings hosted by the Council
     • Substantial training discounts; courses are offered in instructor-led and eLearning formats
     • Nominate and vote for representatives to stand for election to the Council’s Board of Advisors
     • Drive the Special Interest Groups (SIGs) that provide the Council with understanding and guidance on particular topics or technologies
     Join us: www.pcisecuritystandards.org/get_involved/participating_organizations
  36. Attend the South America Forum and Save – We Need You! All attendees of the South America Forum will receive a $1,500 savings on a PCI Participating Organization membership. The discount code will be provided at the event. Check the PCI website for more info on the August 2017 event
  37. Get Trained and Ready to Support the Industry. Become a PCI Professional – you’ll be in good company:
     • Over 2,500 of your colleagues have become PCIPs – why not join them and show off your PCI knowledge?
     • Get the three-year credential that’s not tied to your employer
     • When you do, you can show off your professional status since you’ll be listed on the PCI website!
     https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification
  38. What’s Next?
  39. 2016 / 2017 Focus:
     • Based on feedback, enhance current small merchant materials as needed
     • Evaluate and propose simple-to-use alternate validation tools and/or SAQs
     • Formalize the communications strategy and determine the effectiveness of dissemination methods
  40. Resources: check our Document Library for new resources at www.pcisecuritystandards.org
  41. Thank You
