SlideShare a Scribd company logo

PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013.

N
nostradelboy

Short and high level presentation for the Ecommerce group of external devs & business owners. Customer facing - public information. Nothing sensitive.

Technology
1 of 14
Download to read offline
PCI-DSS DON’T FALL IN ...
Agenda • Intro • Buzzwords • PCI – What is it? • PCI – Do’s and Don'ts • How to eat an Elephant • Divide & Conquer • Questions & Answers
Intro … who is this clown? • Realex Payments … Platform Operations Security Lead • Certified … CISA. CISM. SSCP. CISSP. • Former Chair of the Irish Information Security Forum • Current Item Writer for ISC2 • Responsible for PCI Compliance in Realex Payments
Buzzwords • Member organisations Card Schemes are made up of member organisations who can be Acquirers, Issuers, or both • Merchant Merchants are entities that “accept” Card transactions. Levels 1 – 4, with varying requirements for validation (by volume) • Acquirer Acquiring Bank - handles Merchant lines of credit • Issuer Issuing Bank – offers cards to Cardholder • Cardholder Consumers. Customers … Punters • Service Provider Entities that service the processing, storing, transport of card information on behalf of Merchants, Acquirers, or Issuers
Merchant Levels … 1 to 4 Level Criteria Validation 1 Process more than 6 Million txns ROC – Report on Compliance QSA – Qualified Security Assessor ASV – Approved Scanning Vendor Attestation of Compliance 2 Process 1 to 6 Million txns SAQ – Self Assessment Questionnaire ASC – Approved Scanning Vendor Attestation of Compliance 3 Process 20,000 to 1 Million txns SAQ ASV (if applicable) Attestation of Compliance 4 All other merchants SAQ – recommended ASV (if applicable) Validation requirements typically set by Acquirer
PCI … What is it? • PCI DSS - Payment Card Industry Data Security Standard • Published by the PCI Security Standards Council (PCI-SSC) • PCI-SSC = Visa, MasterCard, Discover, American Express, JCB • Baseline Information Security Standard that applies to ANY business that “accept, capture, store, transmit, or process Credit or Debit card data” – No exceptions. • Information Security BASELINE. PCI is a floor. Not a ceiling.
PCI … Do’s • Visit the PCI-SCC website (www.pcisecuritystandards.org) • Read the FAQ (Frequently Asked Questions) Knowledge Base • SAQ – Self Assessment Questionnaire • A – Mail Order Telephone Order Merchants • B – Imprint Only Merchants • CVT – Virtual Terminals • C – Merchants with Internet Payment Applications • D – All other merchant types
PCI … Do’s … Prioritised Approach • Have a clear, accurate and relevant Network Diagram. • Inventory … cover your assets • Data … where does it come from, and where does it go? The Holy Trinity • Policy Document • Prioritised Approach Document • Self Assessment Questionnaire
PCI … Don’ts • Don’t PANIC - Don’t fall for the FUD. Don’t fall in The Hole. • Don’t boil the ocean – Scope and Segmentation are crucial • Don’t forget that PCI applies to your organisation, not your chosen hardware or software products and tools • Don’t think you can “buy” compliance with products • Don’t confuse “Compliant” for “Secure” • Don’t ignore PCI … it’s not going away
How to eat an Elephant …
PCI … 6 Objectives / Milestones
PCI … Divide & Conquer • 225 individual tests, checks & proof points • 12 Requirements • 6 Objectives • Prioritised Approach Document is your pal
Questions & Answers …
For your further reading enjoyment … www.pcisecuritystandards.org/ www.pcisecuritystandards.org/faq/ www.pcisecuritystandards.org/security_standards/getting_started.php www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.asp www.iisf.ie Irish Information Security Forum LinkedIn group … members only, just tell them I sent you!

Recommended

Descartes_Finance2.1
Descartes_Finance2.1Descartes_Finance2.1
Descartes_Finance2.1Per Strömbäck
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 
How to Comply with the PCI Data Security Standard
How to Comply with the PCI Data Security Standard How to Comply with the PCI Data Security Standard
How to Comply with the PCI Data Security Standard Allied Wallet
 
Docbyte Company Presentation
Docbyte Company PresentationDocbyte Company Presentation
Docbyte Company PresentationMaxime Vermeir
 
Ansarada vs DCirrus
Ansarada vs DCirrusAnsarada vs DCirrus
Ansarada vs DCirrusSargam Chhabra
 
Building powerful roadmaps
Building powerful roadmapsBuilding powerful roadmaps
Building powerful roadmapsGino Marckx
 
Finologee's PSD2 Value Proposition
Finologee's PSD2 Value Proposition Finologee's PSD2 Value Proposition
Finologee's PSD2 Value Proposition Finologee, Luxembourg
 
Customer Survey Proves IT Satisfaction in Key Performance Areas
Customer Survey Proves IT Satisfaction in Key Performance AreasCustomer Survey Proves IT Satisfaction in Key Performance Areas
Customer Survey Proves IT Satisfaction in Key Performance AreasNitro, Inc.
 

Recommended

Descartes_Finance2.1
Descartes_Finance2.1Descartes_Finance2.1
Descartes_Finance2.1Per Strömbäck
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 
How to Comply with the PCI Data Security Standard
How to Comply with the PCI Data Security Standard How to Comply with the PCI Data Security Standard
How to Comply with the PCI Data Security Standard Allied Wallet
 
Docbyte Company Presentation
Docbyte Company PresentationDocbyte Company Presentation
Docbyte Company PresentationMaxime Vermeir
 
Ansarada vs DCirrus
Ansarada vs DCirrusAnsarada vs DCirrus
Ansarada vs DCirrusSargam Chhabra
 
Building powerful roadmaps
Building powerful roadmapsBuilding powerful roadmaps
Building powerful roadmapsGino Marckx
 
Finologee's PSD2 Value Proposition
Finologee's PSD2 Value Proposition Finologee's PSD2 Value Proposition
Finologee's PSD2 Value Proposition Finologee, Luxembourg
 
Customer Survey Proves IT Satisfaction in Key Performance Areas
Customer Survey Proves IT Satisfaction in Key Performance AreasCustomer Survey Proves IT Satisfaction in Key Performance Areas
Customer Survey Proves IT Satisfaction in Key Performance AreasNitro, Inc.
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should careSean D. Goodwin
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011Donald E. Hester
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI WonderlandMichele Chubirka
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptgealehegn
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Donald E. Hester
 
Pci data security standards for bankcard transactions presentation
Pci data security standards for bankcard transactions presentationPci data security standards for bankcard transactions presentation
Pci data security standards for bankcard transactions presentationRetriever Powered by NPC
 
PCI DSS
PCI DSSPCI DSS
PCI DSSDuy Do Phan
 
What Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSWhat Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSLondon School of Cyber Security
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesVISTA InfoSec
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfssuserbcc088
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance ReadinessAl Abbas, PMP, CISSP, MBA, MSc
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Donald E. Hester
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010Donald E. Hester
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providersCalyptix Security
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsNetSquared Vancouver
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableVISTA InfoSec
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

More Related Content

Similar to PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013.

PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)Miminten
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should careSean D. Goodwin
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011Donald E. Hester
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI WonderlandMichele Chubirka
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptgealehegn
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Donald E. Hester
 
Pci data security standards for bankcard transactions presentation
Pci data security standards for bankcard transactions presentationPci data security standards for bankcard transactions presentation
Pci data security standards for bankcard transactions presentationRetriever Powered by NPC
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesVISTA InfoSec
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfssuserbcc088
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Donald E. Hester
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010Donald E. Hester
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsNetSquared Vancouver
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableVISTA InfoSec
 

Similar to PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013. (20)

PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
 
Pci data security standards for bankcard transactions presentation
Pci data security standards for bankcard transactions presentationPci data security standards for bankcard transactions presentation
Pci data security standards for bankcard transactions presentation
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
What Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSWhat Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSS
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniques
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profits
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
Webinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicable
 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013.

  • 2. Agenda • Intro • Buzzwords • PCI – What is it? • PCI – Do’s and Don'ts • How to eat an Elephant • Divide & Conquer • Questions & Answers
  • 3. Intro … who is this clown? • Realex Payments … Platform Operations Security Lead • Certified … CISA. CISM. SSCP. CISSP. • Former Chair of the Irish Information Security Forum • Current Item Writer for ISC2 • Responsible for PCI Compliance in Realex Payments
  • 4. Buzzwords • Member organisations Card Schemes are made up of member organisations who can be Acquirers, Issuers, or both • Merchant Merchants are entities that “accept” Card transactions. Levels 1 – 4, with varying requirements for validation (by volume) • Acquirer Acquiring Bank - handles Merchant lines of credit • Issuer Issuing Bank – offers cards to Cardholder • Cardholder Consumers. Customers … Punters • Service Provider Entities that service the processing, storing, transport of card information on behalf of Merchants, Acquirers, or Issuers
  • 5. Merchant Levels … 1 to 4 Level Criteria Validation 1 Process more than 6 Million txns ROC – Report on Compliance QSA – Qualified Security Assessor ASV – Approved Scanning Vendor Attestation of Compliance 2 Process 1 to 6 Million txns SAQ – Self Assessment Questionnaire ASC – Approved Scanning Vendor Attestation of Compliance 3 Process 20,000 to 1 Million txns SAQ ASV (if applicable) Attestation of Compliance 4 All other merchants SAQ – recommended ASV (if applicable) Validation requirements typically set by Acquirer
  • 6. PCI … What is it? • PCI DSS - Payment Card Industry Data Security Standard • Published by the PCI Security Standards Council (PCI-SSC) • PCI-SSC = Visa, MasterCard, Discover, American Express, JCB • Baseline Information Security Standard that applies to ANY business that “accept, capture, store, transmit, or process Credit or Debit card data” – No exceptions. • Information Security BASELINE. PCI is a floor. Not a ceiling.
  • 7. PCI … Do’s • Visit the PCI-SCC website (www.pcisecuritystandards.org) • Read the FAQ (Frequently Asked Questions) Knowledge Base • SAQ – Self Assessment Questionnaire • A – Mail Order Telephone Order Merchants • B – Imprint Only Merchants • CVT – Virtual Terminals • C – Merchants with Internet Payment Applications • D – All other merchant types
  • 8. PCI … Do’s … Prioritised Approach • Have a clear, accurate and relevant Network Diagram. • Inventory … cover your assets • Data … where does it come from, and where does it go? The Holy Trinity • Policy Document • Prioritised Approach Document • Self Assessment Questionnaire
  • 9. PCI … Don’ts • Don’t PANIC - Don’t fall for the FUD. Don’t fall in The Hole. • Don’t boil the ocean – Scope and Segmentation are crucial • Don’t forget that PCI applies to your organisation, not your chosen hardware or software products and tools • Don’t think you can “buy” compliance with products • Don’t confuse “Compliant” for “Secure” • Don’t ignore PCI … it’s not going away
  • 10. How to eat an Elephant …
  • 11. PCI … 6 Objectives / Milestones
  • 12. PCI … Divide & Conquer • 225 individual tests, checks & proof points • 12 Requirements • 6 Objectives • Prioritised Approach Document is your pal
  • 14. For your further reading enjoyment … www.pcisecuritystandards.org/ www.pcisecuritystandards.org/faq/ www.pcisecuritystandards.org/security_standards/getting_started.php www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.asp www.iisf.ie Irish Information Security Forum LinkedIn group … members only, just tell them I sent you!