Payment Card Industry Data Security Standard

PCI Compliance
requirements and approach

27 May 2011, Salzburg




                                               © 2011 Acertigo AG
CONTENT




1.   COMPANY PROFILE

2.   BASICS PAYMENT CARD INDUSTRY STANDARDS

3.   BASICS PCI DSS / PA-DSS

4.   HOW TO ACHIEVE PCI COMPLIANCE

5.   PROJECT EXAMPLE

6.   CONTACT




COMPANY PROFILE




- Experienced and professional partner for our customers in the PCI field since 2004
- Since 2004 accredited assessor for most of the PCI standards, like PCI DSS, PA-DSS, PCI PIN Security
- Accreditation for the regions of Europe, Middle East and Africa
- More than 150 PCI audit customers in about 20 countries
- More than 3,000 merchants as portal customers
- Locations: Stuttgart, Zurich
- Partner offices in several countries


COMPANY PROFILE
Expertise in PCI compliance work



- PA-DSS customers in several industries:
  - parking management software
  - hotel & spa management software
  - ATM network providers
  - POS network providers
  - petrol stations
  - payment gateway software
- PCI DSS customers across all customer types:
  - processors and banks
  - network operators
  - payment service providers
  - merchants




BASICS PAYMENT CARD INDUSTRY STANDARDS
Focus of the different standards




[Diagram: focus of the standards. PCI PA-DSS addresses the Vendor; PCI DSS addresses the Service Provider, Member Bank Acquiring, Member Bank Issuing and Card Issuing.]




BASICS PAYMENT CARD INDUSTRY STANDARDS
PCI standards and brand‘s compliance programmes



- PCI DSS and PA-DSS are not compliance programs
- PCI DSS and PA-DSS are global standards that serve as a security baseline
- Compliance programs, like AIS, SDP, DSOP:
  - are maintained and promoted by each brand
  - determine to whom the standards apply
  - define the classification criteria
  - determine changes in agreements
  - define deadlines
  - define fees and penalties




BASICS PAYMENT CARD INDUSTRY STANDARDS
The PCI DSS standard



- Comprehensive requirements to enhance the security of cardholder data.
- The standard covers requirements for security management, policies, procedures, infrastructure architecture, software development and other protective measures.
- The intent is that companies implement proactive protection of cardholder data.
- Consists of twelve sections defining requirements with regard to people, processes and IT infrastructure.
- Validation is performed according to version 2.0, which has been effective since October 2010.




BASICS PAYMENT CARD INDUSTRY STANDARDS
The PA-DSS standard



- Comprehensive requirements to enhance the security of payment applications handling cardholder data.
- The standard covers requirements for development guidelines and procedures, encryption, secure remote management, the Implementation Guide and access control.
- The intent is that software vendors provide an application which is aligned with PCI DSS requirements and does not hinder PCI DSS compliant usage by the customer.
- Consists of fourteen sections defining requirements with regard to software development, processes and implementation guidance.
- Validation is performed according to version 2.0, which has been effective since October 2010.




BASICS PAYMENT CARD INDUSTRY STANDARDS
Data objectives



                               Data element            Storage   Protection   Cryptography
                                                       allowed   required     required
Cardholder Data                PAN                     YES       YES          YES
                               Expiration Date*        YES       YES          NO
                               Service Code*           YES       YES          NO
                               Cardholder Name*        YES       YES          NO
Sensitive Authentication Data  Full Magnetic Stripe**  NO        N/A          N/A
                               CVC2/CVV/CID**          NO        N/A          N/A
                               PIN/PIN block**         NO        N/A          N/A

* Data to be protected if stored together with the PAN
** Refers to storage after authorization
   Handling of pre-authorization data is governed by the card scheme's rules
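The table's rules expressed as a check over a storage design, as an added example that is not from the presentation or from Acertigo; the field names, the record format (field name to the set of controls applied in storage) and the reading that "protection" is satisfied by either encryption or access control are assumptions:

```python
"""Storage-policy check built from the PCI data-objectives table.

Rules encoded (from the table): the PAN may be stored but must be protected
and rendered unreadable with cryptography; expiration date, service code and
cardholder name may be stored and must be protected when kept together with
the PAN; sensitive authentication data (full magnetic stripe, CVC2/CVV/CID,
PIN/PIN block) must not be stored after authorization, and its
pre-authorization handling follows the card scheme's rules.

Assumptions (not from the page): the field names, the record format
(field name -> set of controls), and that "protection" is satisfied by
either encryption or access control on the stored field.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    CHD = "cardholder data"
    SAD = "sensitive authentication data"


@dataclass(frozen=True)
class Rule:
    category: Category
    storage_allowed: bool
    protection_required: bool     # starred rows: only when stored with the PAN
    cryptography_required: bool


# One entry per row of the table; the keys are assumed field names.
RULES: dict[str, Rule] = {
    "pan":             Rule(Category.CHD, True, True, True),
    "expiration_date": Rule(Category.CHD, True, True, False),
    "service_code":    Rule(Category.CHD, True, True, False),
    "cardholder_name": Rule(Category.CHD, True, True, False),
    "full_track_data": Rule(Category.SAD, False, False, False),
    "cvv":             Rule(Category.SAD, False, False, False),  # CVC2/CVV/CID
    "pin_block":       Rule(Category.SAD, False, False, False),  # PIN/PIN block
}

# Controls a storage design may declare for a field (assumed vocabulary).
ENCRYPTED = "encrypted"
ACCESS_CONTROLLED = "access_controlled"


@dataclass
class Finding:
    field: str
    severity: str   # "violation" or "notice"
    message: str


def check_storage(stored: dict[str, set[str]],
                  after_authorization: bool = True) -> list[Finding]:
    """Evaluate a storage design against the table.

    `stored` maps each field the design keeps to the set of controls applied
    to it. `after_authorization` says whether the record outlives the
    authorization response; SAD may only ever be a question before that point.
    """
    findings: list[Finding] = []
    pan_present = "pan" in stored

    for name, controls in stored.items():
        rule = RULES.get(name)
        if rule is None:
            findings.append(Finding(name, "notice",
                            "not in the table; classify before storing"))
            continue

        if not rule.storage_allowed:
            if after_authorization:
                findings.append(Finding(name, "violation",
                                f"{rule.category.value} must not be stored "
                                "after authorization"))
            else:
                findings.append(Finding(name, "notice",
                                "pre-authorization handling follows the "
                                "card scheme's rules"))
            continue

        if rule.cryptography_required and ENCRYPTED not in controls:
            findings.append(Finding(name, "violation",
                            "cryptography required: store only in "
                            "unreadable form"))
            continue

        # Starred rows need protection only when kept alongside the PAN;
        # the PAN itself always does (satisfied above when it is encrypted).
        needs_protection = rule.protection_required and (name == "pan" or pan_present)
        if needs_protection and not controls & {ENCRYPTED, ACCESS_CONTROLLED}:
            findings.append(Finding(name, "violation",
                            "protection required when stored with the PAN"))
    return findings


def violations(findings: list[Finding]) -> list[str]:
    """Field names with a hard violation, in record order."""
    return [f.field for f in findings if f.severity == "violation"]


if __name__ == "__main__":
    # Constructed sample designs: a weak one and its hardened counterpart.
    weak = {"pan": set(), "expiration_date": set(), "cvv": set()}
    hardened = {"pan": {ENCRYPTED}, "expiration_date": {ACCESS_CONTROLLED}}
    for label, design in (("weak", weak), ("hardened", hardened)):
        print(label, [(f.field, f.severity, f.message) for f in check_storage(design)])
```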




BASICS PCI DSS / PA-DSS
Stakeholders



- Software Vendor
  Software vendors (“vendors”) develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, and then sell, distribute, or license these payment applications to third parties (customers or resellers/integrators).

- Resellers and Integrators
  Resellers and integrators are those entities that sell, install, and/or service payment applications on behalf of software vendors or others.

- Customer
  Customers are merchants, service providers, or others who buy or receive a third-party payment application to store, process, or transmit cardholder data as part of authorizing or settling payment transactions.

- PA-QSA
  PA-QSAs are QSAs that have been qualified and trained by PCI SSC to perform PA-DSS reviews.




BASICS PCI DSS / PA-DSS
Stakeholders responsibility



- Software Vendor
  - Creating PA-DSS compliant payment applications that facilitate and do not prevent their customers’ PCI DSS compliance (the application cannot require an implementation or configuration setting that violates a PCI DSS requirement)
  - Following PCI DSS requirements whenever the vendor stores, processes or transmits cardholder data (for example, during customer troubleshooting)
  - Creating a PA-DSS Implementation Guide, specific to each application, according to the requirements in the Payment Application Data Security Standard
  - Educating customers, resellers, and integrators on how to install and configure the payment applications in a PCI DSS-compliant manner
  - Ensuring payment applications meet PA-DSS requirements by successfully passing a PA-DSS review as specified in PCI PA-DSS Requirements and Security Assessment Procedures




BASICS PCI DSS / PA-DSS
Stakeholders responsibility



- Resellers and Integrators
  - Implementing only PA-DSS compliant payment applications into a PCI DSS compliant environment (or instructing the merchant to do so)
  - Configuring such payment applications (where configuration options are provided) according to the PA-DSS Implementation Guide provided by the vendor
  - Configuring such payment applications (or instructing the merchant to do so) in a PCI DSS compliant manner
  - Servicing such payment applications (for example, troubleshooting, delivering remote updates, and providing remote support) according to the PA-DSS Implementation Guide and PCI DSS.




BASICS PCI DSS / PA-DSS
Stakeholders responsibility



- Customers
  - Implementing a PA-DSS-compliant payment application into a PCI DSS-compliant environment;
  - Configuring the payment application (where configuration options are provided) according to the PA-DSS Implementation Guide provided by the vendor;
  - Configuring the payment application in a PCI DSS-compliant manner;
  - Maintaining the PCI DSS-compliant status for both the environment and the payment application configuration.

- PA-QSA
  - Performing assessments on payment applications in accordance with the Security Assessment Procedures and the PA-QSA Validation Requirements
  - Providing an opinion regarding whether the payment application meets PA-DSS requirements
  - Providing adequate documentation within the ROV to demonstrate the payment application’s compliance with the PA-DSS
  - Submitting the ROV to PCI SSC, along with the Attestation of Validation (signed by both PA-QSA and vendor).



BASICS PCI DSS / PA-DSS
Documentation for validation



- Documents
  - Audit procedures
  - Program Guide

- Compliance is validated against the current version 2.0 of these documents.

- PCI DSS is referenced in PA-DSS.




HOW TO ACHIEVE PCI COMPLIANCE
Typical PCI compliance project tasks




1. Analysis
   - scope determination
   - gap analysis
   - concept advisory
   - action plan / timeline
   Output: action items

2. Remediation
   - implement technical changes
   - implement procedures
   - adjust documentation
   - ongoing review
   Output: ready for review

3. PA-DSS Review
   - onsite audit by QSA
   - final certification
   Output: approval

4. Maintain Compliance
   - improvement
   - awareness
   - integrate compliance issues as business as usual
   Output: periodical reviews




Thank you for your attention!
Ralph Wörn
CEO

Acertigo AG
Wilhelmsplatz 8, 70182 Stuttgart, Germany
phone       + 49 711 620 30 300
fax         + 49 711 620 30 200
email       ralph.woern@acertigo.com

COPYRIGHT




Acertigo AG – Stuttgart and its companies [“Acertigo”] retain all ownership rights to this document [the "Document"]. Use of
the Document is governed by applicable copyright law. Acertigo may revise this Document from time to time without notice.

This document is provided “as is” without warranty of any kind. In no event shall Acertigo be liable for indirect, special,
incidental, or consequential damages of any kind arising from any error in this document, including without limitation any loss
or interruption of business, profits, use or data.

All contents provided in this document are protected by copyright. None of the material may be reproduced, copied or
distributed in any form without the prior written permission of Acertigo AG. All rights are reserved including those in the
translation.

Trademarks: Most of the names and trade names, including hardware and software terms, mentioned in this document are
either registered trademarks or should be considered as such. All information contained on this document has been
published without regard to a possible patent protection. All names of goods are used without the guarantee of usability. All
rights are reserved.

Acertigo is a registered Trademark in Germany and other countries.




Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 

Acertigo AG on SBS Talk 2011

  • 1. Payment Card Industry Data Security Standard
    PCI Compliance requirements and approach
    27. May 2011, Salzburg
    © 2011 Acertigo AG
  • 2. CONTENT
    1. COMPANY PROFILE
    2. BASICS PAYMENT CARD INDUSTRY STANDARDS
    3. BASICS PCI DSS / PA-DSS
    4. HOW TO ACHIEVE PCI COMPLIANCE
    5. PROJECT EXAMPLE
    6. CONTACT
  • 3. COMPANY PROFILE
     Experienced and professional partner for our customers in the PCI field since 2004
     Accredited Assessor since 2004 for most of the PCI standards, like PCI DSS, PA-DSS, PCI PIN Security
     Accreditation for the regions of Europe, Middle East and Africa
     More than 150 PCI audit customers in about 20 countries
     More than 3.000 merchants as portal customers
     Locations: Stuttgart, Zurich
     Partner offices in several countries
  • 4. COMPANY PROFILE
    Expertise in PCI compliance work
     PA-DSS customers in several industries:
       parking management software
       hotel & spa management software
       ATM network providers
       POS network providers
       petrol stations
       payment gateway software
     PCI DSS customers across all types of customers:
       processors and banks
       network operators
       payment service providers
       merchants
  • 5. CONTENT 1. COMPANY PROFILE 2. BASICS PAYMENT CARD INDUSTRY STANDARDS 3. BASICS PCI DSS / PA-DSS 4. HOW TO ACHIEVE PCI COMPLIANCE 5. PROJECT EXAMPLE 6. CONTACT
  • 6. BASICS PAYMENT CARD INDUSTRY STANDARDS
    Focus of the different standards (diagram; only its labels survive): Vendor, Service Provider, Card Issuing, PCI PA-DSS, PCI DSS, Member Bank Acquiring, Member Bank Issuing
  • 7. BASICS PAYMENT CARD INDUSTRY STANDARDS
    PCI standards and the brands' compliance programmes
     PCI DSS and PA-DSS are not a compliance program
     PCI DSS and PA-DSS are global standards that serve as a security baseline
     Compliance programs, like AIS, SDP, DSOP
       are maintained and promoted by each brand
       determine to whom the standards apply
       define the classification criteria
       determine changes in agreements
       define deadlines
       define fees and penalties
  • 8. BASICS PAYMENT CARD INDUSTRY STANDARDS
    The PCI DSS standard
     Comprehensive requirements to enhance the security of cardholder data.
     The standard covers requirements for security management, policies, procedures, infrastructure architecture, software development and other protective measures.
     The intent is that companies implement proactive protection of cardholder data.
     Consists of twelve sections defining requirements with regard to people, processes and IT infrastructure.
     Validation is performed according to version 2.0, which has been effective since October 2010.
  • 9. BASICS PAYMENT CARD INDUSTRY STANDARDS
    The PA-DSS standard
     Comprehensive requirements to enhance the security of payment applications handling cardholder data.
     The standard covers requirements for development guidelines and procedures, encryption, secure remote management, the Implementation Guide, and access control.
     The intent is that software vendors provide an application which is aligned with PCI DSS requirements and does not hinder PCI DSS compliant usage by the customer.
     Consists of fourteen sections defining requirements with regard to software development, processes and implementation guidance.
     Validation is performed according to version 2.0, which has been effective since October 2010.
  • 10. BASICS PAYMENT CARD INDUSTRY STANDARDS
    Data objectives

    Data elements                                   Storage allowed   Protection required   Cryptography required
    Cardholder Data
      PAN                                           YES               YES                   YES
      Expiration Date*                              YES               YES                   NO
      Service Code*                                 YES               YES                   NO
      Cardholder Name*                              YES               YES                   NO
    Sensitive Authentication Data
      Full Magnetic Stripe**                        NO                N/A                   N/A
      CVC2/CVV/CID**                                NO                N/A                   N/A
      PIN/PIN block**                               NO                N/A                   N/A

    * Data to be protected if stored with PAN
    ** Applies to storage after authorization
    Handling of pre-authorization data is according to the card scheme
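As an added example (not Acertigo's code or any PCI SSC tool), a small scanner over constructed sample records that applies the two storage rules in the table: a Luhn-valid PAN kept in clear text is a finding, because storage is allowed only with protection and cryptography, and any sensitive authentication data (CVV2/CVC2/CID, PIN, magnetic stripe track data) found after authorization is a finding. The record layout, field names and sample values are constructed assumptions.

```python
import re

# Constructed sample records (not real card data) of the kind a settlement
# log or database export might hold; 4111... and 5555... are test PANs.
SAMPLE_RECORDS = [
    "txn=1001 pan=4111111111111111 exp=1225 name=J DOE",        # clear PAN
    "txn=1002 pan=411111******1111 exp=0126",                   # masked, fine
    "txn=1003 pan=5555555555554444 cvv2=123",                   # CVV2 kept
    "txn=1004 track2=;5555555555554444=25121010000012345678?",  # full track 2
    "txn=1005 pan=1234567812345678",                            # fails Luhn
]

PAN_RE = re.compile(r"\b\d{13,19}\b")        # PAN lengths per ISO/IEC 7812
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")   # track 2 layout ;PAN=YYMM...
# Sensitive authentication data field names (assumed naming for the sample).
SAD_FIELDS = ("cvv2", "cvc2", "cid", "pin", "pinblock", "track1", "track2")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to separate PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_record(rec: str) -> list:
    """Findings for one record, per the storage table above:
    a PAN may be stored only if rendered unreadable ('clear_pan' otherwise);
    sensitive authentication data must not be stored after authorization."""
    findings = []
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(rec)):
        findings.append("clear_pan")
    keys = {k.lower() for k in re.findall(r"(\w+)=", rec)}
    findings += ["sad:" + f for f in SAD_FIELDS if f in keys]
    if TRACK2_RE.search(rec) and "sad:track2" not in findings:
        findings.append("sad:track2")   # track data under another field name
    return findings


def scan_store(records) -> dict:
    """Map each record's txn id to its findings; clean records are omitted."""
    return {r.split()[0]: h for r in records if (h := scan_record(r))}


if __name__ == "__main__":
    for txn, hits in scan_store(SAMPLE_RECORDS).items():
        print(txn, hits)
```

The scanner cannot tell whether a PAN at rest is encrypted at the storage layer, so a `clear_pan` hit is a prompt to check where that record lives, not proof of a violation on its own.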
  • 11. CONTENT 1. COMPANY PROFILE 2. BASICS PAYMENT CARD INDUSTRY STANDARDS 3. BASICS PCI DSS / PA-DSS 4. HOW TO ACHIEVE PCI COMPLIANCE 5. PROJECT EXAMPLE 6. CONTACT
  • 12. BASICS PCI DSS / PA-DSS
    Stakeholders
     Software Vendor: Software vendors ("vendors") develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, and then sell, distribute, or license these payment applications to third parties (customers or resellers/integrators).
     Resellers and Integrators: Resellers and integrators are those entities that sell, install, and/or service payment applications on behalf of software vendors or others.
     Customer: Customers are merchants, service providers, or others who buy or receive a third-party payment application to store, process, or transmit cardholder data as part of authorizing or settling payment transactions.
     PA-QSA: PA-QSAs are QSAs that have been qualified and trained by PCI SSC to perform PA-DSS reviews.
  • 13. BASICS PCI DSS / PA-DSS
    Stakeholder responsibilities
     Software Vendor
       Creating PA-DSS compliant payment applications that facilitate and do not prevent their customers' PCI DSS compliance (the application cannot require an implementation or configuration setting that violates a PCI DSS requirement)
       Following PCI DSS requirements whenever the vendor stores, processes or transmits cardholder data (for example, during customer troubleshooting)
       Creating a PA-DSS Implementation Guide, specific to each application, according to the requirements in the Payment Application Data Security Standard
       Educating customers, resellers, and integrators on how to install and configure the payment applications in a PCI DSS-compliant manner
       Ensuring payment applications meet PA-DSS requirements by successfully passing a PA-DSS review as specified in PCI PA-DSS Requirements and Security Assessment Procedures
  • 14. BASICS PCI DSS / PA-DSS
    Stakeholder responsibilities
     Resellers and Integrators
       Implementing only PA-DSS compliant payment applications into a PCI DSS compliant environment (or instructing the merchant to do so)
       Configuring such payment applications (where configuration options are provided) according to the PA-DSS Implementation Guide provided by the vendor
       Configuring such payment applications (or instructing the merchant to do so) in a PCI DSS compliant manner
       Servicing such payment applications (for example, troubleshooting, delivering remote updates, and providing remote support) according to the PA-DSS Implementation Guide and PCI DSS.
  • 15. BASICS PCI DSS / PA-DSS
    Stakeholder responsibilities
     Customers
       Implementing a PA-DSS-compliant payment application into a PCI DSS-compliant environment;
       Configuring the payment application (where configuration options are provided) according to the PA-DSS Implementation Guide provided by the vendor;
       Configuring the payment application in a PCI DSS-compliant manner;
       Maintaining the PCI DSS-compliant status for both the environment and the payment application configuration.
     PA-QSA
       Performing assessments on payment applications in accordance with the Security Assessment Procedures and the PA-QSA Validation Requirements
       Providing an opinion regarding whether the payment application meets PA-DSS requirements
       Providing adequate documentation within the ROV to demonstrate the payment application's compliance with the PA-DSS
       Submitting the ROV to PCI SSC, along with the Attestation of Validation (signed by both PA-QSA and vendor).
  • 16. BASICS PCI DSS / PA-DSS
    Documentation for validation
     Documents
       Audit procedures
       Program Guide
     Compliance is validated against the current version 2.0 of these documents.
     PCI DSS is referenced in PA-DSS
  • 17. CONTENT 1. COMPANY PROFILE 2. BASICS PAYMENT CARD INDUSTRY STANDARDS 3. BASICS PCI DSS / PA-DSS 4. HOW TO ACHIEVE PCI COMPLIANCE 5. PROJECT EXAMPLE 6. CONTACT
  • 18. HOW TO ACHIEVE PCI COMPLIANCE
    Typical PCI compliance project tasks (phase diagram, rebuilt from its labels)
     Analysis: scope determination, gap analysis, concept advisory, action plan / timeline
       → action items
     Remediation: implement technical changes, implement procedures, adjust documentation
       → ready for review
     PA-DSS Review: onsite audit by QSA, final certification
       → approval
     Maintain Compliance: improvement, awareness, integrate compliance issues, ongoing review as business as usual
       → periodical reviews
  • 19. CONTENT 1. COMPANY PROFILE 2. BASICS PAYMENT CARD INDUSTRY STANDARDS 3. BASICS PCI DSS / PA-DSS 4. HOW TO ACHIEVE PCI COMPLIANCE 5. PROJECT EXAMPLE 6. CONTACT
  • 20. Thank you for your attention!
    Ralph Wörn, CEO
    Acertigo AG
    Wilhelmsplatz 8, 70182 Stuttgart, Germany
    phone +49 711 620 30 300
    fax +49 711 620 30 200
    email ralph.woern@acertigo.com
  • 21. COPYRIGHT Acertigo AG – Stuttgart and its companies [“Acertigo”] retain all ownership rights to this document [the "Document"]. Use of the Document is governed by applicable copyright law. Acertigo may revise this Document from time to time without notice. This document is provided “as is” without warranty of any kind. In no event shall Acertigo be liable for indirect, special, incidental, or consequential damages of any kind arising from any error in this document, including without limitation any loss or interruption of business, profits, use or data. All contents provided in this document are protected by copyright. None of the material may be reproduced, copied or distributed in any form without the prior written permission of Acertigo AG. All rights are reserved including those in the translation. Trademarks: Most of the names and trade names, including hardware and software terms, mentioned in this document are either registered trademarks or should be considered as such. All information contained on this document has been published without regard to a possible patent protection. All names of goods are used without the guarantee of usability. All rights are reserved. Acertigo is a registered Trademark in Germany and other countries. © 2011 Acertigo AG