London School of Cyber Security, profile picture
Uploaded byLondon School of Cyber Security
PPTX, PDF935 views

What Everybody Ought to Know About PCI DSS and PA-DSS

This document discusses navigating PCI compliance and payment security standards. It provides an overview of the PCI Security Standards Council, the development of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard. It outlines requirements for companies that accept credit cards, including adhering to PCI compliance standards, conducting quarterly vulnerability scans, and the consequences of non-compliance such as fines and legal liability. The document stresses the importance of security training to address the human element of data breaches and provides tips to reduce risk such as not storing card data, using validated payment systems, strong passwords, and updating software.

Education
Related topics:
PCI DSS Training

Embed presentation

Downloaded 52 times
Navigating PCI Compliance: A Risk Avoidance Strategy Google Hangout Session July 23, 2014
This Is Where it All Began December 15, 2004 PCI DSS V1.0 is launced
Payment Credit Card Security Standards Who is the PCI Security Standards Council? • The PCI Security Standards Council is an open global forum responsible for the development, management, education, and awareness of the PCI Security Standards • Work closely with the five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. • PCI Council official launch occurred in 2006 • Current Data Security Standard is V3.0 published in November 2013 • Standards Committee has established: Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
What is PCI DSS and PA-DSS? • PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents. • This applies to any organization with a Merchant ID (MID) • PCI DSS V3.0 requirements must be completed by December 31st • Payment Application Data Security Standard (PA-DSS) is the global security standard created by the PCI Council in an effort to provide the definitive data standard for software vendors that develop payment applications • (ie. POS application or website ecommerce)
How Does This Affect My Business? Managing the Requirements: • Companies that accept, process, transmit, or store payment credit cardholder data must adhere to PCI Compliance requirements • Having a SSL certificate for your website is not enough as this doesn’t prevent malicious attacks or intrusions from occurring • If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required Positive Impact and Benefits: • Compliance with the PCI DSS means that your systems are secure, and you earn customer’s trust in managing their personal information resulting in future business potential • Helps you to be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc. • Establishes a baseline corporate security strategy • Assists in identification of methods to improve the efficiency of your IT infrastructure
What Happens if I don’t Comply? • Payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations • Banks will also most likely either terminate your relationship or increase transaction fees if your organization is non PCI compliant • Potential for lost revenues, customer transitions, and an overall negative image in the marketplace could negatively impact future earnings potential • Liable for lawsuits, insurance claims, cancelled accounts, payment card issuer fines, along with government fines
Security Training Requirements for PCI DSS V3.0
Current State of Data Security • Breaches make headlines • Businesses at risk regardless of size • The enemy is getting smarter • Companies must: • Understand the threats • Take steps to protect themselves and their customers.
• Industry demand has never been higher • The weakest link: The human • Social engineering • Lost/compromised login credentials • Careless behavior accounts for most incidents Need for Training
Reduce the Risk – Don’t Store Data • Don’t store any payment card data • The less you have, the smaller a target you’ll be • Know what your vendors are storing.
Reducing Risk – 3rd Party Data Security • Use PCI validated Point of Sale systems • Confirm that your vendors follow the PCI DSS and the PA DSS • Talk to your bank about reviewing your technology and data storage practices
Reducing Risk – Strong Passwords • Changing default passwords could have helped avoid the majority of compromises. • Nearly 80% of breaches of confidential consumer information involved compromised passwords.
Reducing Risk – Updating Software • Hackers take advantage of software bugs • Product vendors deal with this by releasing software updates and patches • Use automated alert services
Become Part of the Solution 1. Understanding of PCI Compliance and Requirements 2. Ongoing Education and Awareness 3. Take Steps to Safeguard your Business 4. Get Involved 5. Have a Plan

More Related Content

PPTX
The Easy WAy to Accept & Protect Credit Card Data
byTyler Hannan
 
PDF
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
byAtoZ Compliance
 
PDF
PCI_Presentation_OASIS
byDermot Clarke
 
PPTX
Introduction To SAQ 4 U
byRAlcala65
 
PPT
Pci compliance overview earth link business
byMike Shelah
 
PDF
Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’...
byBlackbaud Pacific
 
PPTX
PCI Compliance for Community Colleges @One CISOA 2011
byDonald E. Hester
 
PPT
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
byMelanie Beam
 
The Easy WAy to Accept & Protect Credit Card Data
byTyler Hannan
 
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
byAtoZ Compliance
 
PCI_Presentation_OASIS
byDermot Clarke
 
Introduction To SAQ 4 U
byRAlcala65
 
Pci compliance overview earth link business
byMike Shelah
 
Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’...
byBlackbaud Pacific
 
PCI Compliance for Community Colleges @One CISOA 2011
byDonald E. Hester
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
byMelanie Beam
 

What's hot

PPTX
Payment Card Industry CMTA NOV 2010
byDonald E. Hester
 
PPTX
Payment Card Industry Introduction CMTA APR 2010
byDonald E. Hester
 
PDF
PCI-DSS for IDRBT
byShanmugavel Sankaran
 
PPTX
A practical guides to PCI compliance
byJisc
 
PDF
PCI Certification and remediation services
byTariq Juneja
 
PDF
Customer Due Dilligence - Is your organisation Compliant?
byrosspemberton69
 
PPT
eCommerce Summit Atlanta Mountain Media
byeCommerce Merchants
 
PDF
Pci ssc quick reference guide
byMohammad Makchudul Alam (Arif)
 
PDF
HTNG Secure Payments Advertisement
byBrian Larson
 
PPTX
Reducing cardholder data footprint with tokenization and other techniques
byVISTA InfoSec
 
DOCX
Pci dss compliance
bypcidss14s
 
PPTX
Payment Card Acceptance PCI Compliance for Local Governments 2012
byDonald E. Hester
 
PPTX
Is your business PCI DSS compliant? You’re digging your own grave if not
byCheapSSLsecurity
 
PDF
PCI-DSS_Overview
bysameh Abulfotooh
 
PPTX
Managed IT Services: Overview, Importance, Business Benefits
byVeritis Group, Inc
 
PDF
MasterSnacks Cryptocurrency: Operational and Internal Considerations for Comp...
byCitrin Cooperman
 
PDF
Payment card industry data security standard 1
bywardell henley
 
PDF
PCI DSS brochure
byKnowledgehut
 
Payment Card Industry CMTA NOV 2010
byDonald E. Hester
 
Payment Card Industry Introduction CMTA APR 2010
byDonald E. Hester
 
PCI-DSS for IDRBT
byShanmugavel Sankaran
 
A practical guides to PCI compliance
byJisc
 
PCI Certification and remediation services
byTariq Juneja
 
Customer Due Dilligence - Is your organisation Compliant?
byrosspemberton69
 
eCommerce Summit Atlanta Mountain Media
byeCommerce Merchants
 
Pci ssc quick reference guide
byMohammad Makchudul Alam (Arif)
 
HTNG Secure Payments Advertisement
byBrian Larson
 
Reducing cardholder data footprint with tokenization and other techniques
byVISTA InfoSec
 
Pci dss compliance
bypcidss14s
 
Payment Card Acceptance PCI Compliance for Local Governments 2012
byDonald E. Hester
 
Is your business PCI DSS compliant? You’re digging your own grave if not
byCheapSSLsecurity
 
PCI-DSS_Overview
bysameh Abulfotooh
 
Managed IT Services: Overview, Importance, Business Benefits
byVeritis Group, Inc
 
MasterSnacks Cryptocurrency: Operational and Internal Considerations for Comp...
byCitrin Cooperman
 
Payment card industry data security standard 1
bywardell henley
 
PCI DSS brochure
byKnowledgehut
 

Viewers also liked

PDF
Key features of budget 2013 _14
byRathnakar Sarma
 
PPTX
Budget Operation For Field Operations
byjbreeling
 
PPTX
Business Process Management in Sports Organizations: A case study in the Euro...
byPedro Sobreiro
 
PDF
Kidetzako v kongresua imagen
bykidetza1
 
KEY
Performance and Objective Evaluations Week 3
bydamonhulsey
 
PPT
How To Sell PCI Compliance (External)
byGreg Naderi
 
PDF
PCI Myths
bySasha Nunke
 
PDF
Pci dss in retail now and into the future
byVisionID
 
PDF
HIPAA Preso
byJoseph Schorr
 
PPSX
Retail security-services--client-presentation
byJoseph Schorr
 
PPT
Experience for implement PCI DSS
byNhat Phan Canh
 
PDF
Open-E DSS V7 Asynchronous Data Replication over a LAN
byopen-e
 
PPTX
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
byAlienVault
 
PPTX
How to Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PPTX
Health Insurance Portability and Accountability Act (HIPAA) Compliance
byControlCase
 
PDF
Security Trends in the Retail Industry
byIBM Security
 
PPTX
QSA Shares PCI 3.0 Advice & Checklist
byTripwire
 
PPTX
PCI DSS v 3.0 and Oracle Security Mapping
byTroy Kitch
 
PPT
Sergey Gordeychik, Security Metrics for PCI DSS Compliance
byqqlan
 
PPTX
PCI DSS v3.0: How to Adapt Your Compliance Strategy
byAlienVault
 
Key features of budget 2013 _14
byRathnakar Sarma
 
Budget Operation For Field Operations
byjbreeling
 
Business Process Management in Sports Organizations: A case study in the Euro...
byPedro Sobreiro
 
Kidetzako v kongresua imagen
bykidetza1
 
Performance and Objective Evaluations Week 3
bydamonhulsey
 
How To Sell PCI Compliance (External)
byGreg Naderi
 
PCI Myths
bySasha Nunke
 
Pci dss in retail now and into the future
byVisionID
 
HIPAA Preso
byJoseph Schorr
 
Retail security-services--client-presentation
byJoseph Schorr
 
Experience for implement PCI DSS
byNhat Phan Canh
 
Open-E DSS V7 Asynchronous Data Replication over a LAN
byopen-e
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
byAlienVault
 
How to Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
byControlCase
 
Security Trends in the Retail Industry
byIBM Security
 
QSA Shares PCI 3.0 Advice & Checklist
byTripwire
 
PCI DSS v 3.0 and Oracle Security Mapping
byTroy Kitch
 
Sergey Gordeychik, Security Metrics for PCI DSS Compliance
byqqlan
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
byAlienVault
 

Similar to What Everybody Ought to Know About PCI DSS and PA-DSS

PDF
MTBiz May-June 2019
byMutual Trust Bank Ltd.
 
PDF
PCI DSS: What it is, and why you should care
bySean D. Goodwin
 
PPTX
PCI DSS Compliance introduction explanation
byRicha Goel
 
PDF
Adventures in PCI Wonderland
byMichele Chubirka
 
PDF
Reduce PCI Scope - Maximise Conversion - Whitepaper
byShaun O'keeffe
 
PPTX
PCI DSS Compliance Readiness
byAl Abbas, PMP, CISSP, MBA, MSc
 
DOCX
PCI DSS 6 Key Objectives You Must Know for Compliance.docx
byBORNSEC CONSULTING
 
PPTX
Chapter 15: PCI Compliance for Merchants
byNada G.Youssef
 
PDF
a Guide for quick pci dss and payment security
bysuridhalder
 
PPTX
Payment Card Industry Security Standards
byAshintha Rukmal
 
PDF
Credit Card Processing for Small Business
byMark Ginnebaugh
 
PPTX
PruebaJLF.pptx
byJoseLuna802663
 
PPT
PCI DSS Certification
byhodonoghue
 
DOCX
Online_Transactions_PCI
byKelly Lam
 
PDF
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
byssuserbcc088
 
DOCX
Requirement of PCI-DSS in India.
byCA Priyadarshan Behera
 
PPTX
SFISSA - PCI DSS 3.0 - A QSA Perspective
byMark Akins
 
PDF
Quick Reference Guide to the PCI Data Security Standard
by- Mark - Fullbright
 
PDF
Protect Cardholder Data and Maintain PCI Compliance with PCI Penetration Testing
byTraceSecurity
 
PDF
Pcidss qr gv3_1
byleon bonilla
 
MTBiz May-June 2019
byMutual Trust Bank Ltd.
 
PCI DSS: What it is, and why you should care
bySean D. Goodwin
 
PCI DSS Compliance introduction explanation
byRicha Goel
 
Adventures in PCI Wonderland
byMichele Chubirka
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
byShaun O'keeffe
 
PCI DSS Compliance Readiness
byAl Abbas, PMP, CISSP, MBA, MSc
 
PCI DSS 6 Key Objectives You Must Know for Compliance.docx
byBORNSEC CONSULTING
 
Chapter 15: PCI Compliance for Merchants
byNada G.Youssef
 
a Guide for quick pci dss and payment security
bysuridhalder
 
Payment Card Industry Security Standards
byAshintha Rukmal
 
Credit Card Processing for Small Business
byMark Ginnebaugh
 
PruebaJLF.pptx
byJoseLuna802663
 
PCI DSS Certification
byhodonoghue
 
Online_Transactions_PCI
byKelly Lam
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
byssuserbcc088
 
Requirement of PCI-DSS in India.
byCA Priyadarshan Behera
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
byMark Akins
 
Quick Reference Guide to the PCI Data Security Standard
by- Mark - Fullbright
 
Protect Cardholder Data and Maintain PCI Compliance with PCI Penetration Testing
byTraceSecurity
 
Pcidss qr gv3_1
byleon bonilla
 

More from London School of Cyber Security

PDF
The Panama Papers Hack
byLondon School of Cyber Security
 
PDF
ISIS and Cyber Terrorism
byLondon School of Cyber Security
 
PDF
Silk Road & Online Narcotic Distribution
byLondon School of Cyber Security
 
PDF
Ashely Madison Hack
byLondon School of Cyber Security
 
PDF
How To Protect Your Website From Bot Attacks
byLondon School of Cyber Security
 
PDF
How To Defeat Advanced Malware. New Tools for Protection and Forensics
byLondon School of Cyber Security
 
PDF
How To Catch a Phish: User Awareness and Training
byLondon School of Cyber Security
 
PDF
Advanced Threat Detection in ICS – SCADA Environments
byLondon School of Cyber Security
 
PDF
Building an Effective Cyber Intelligence Program
byLondon School of Cyber Security
 
PDF
Crowdsourced Vulnerability Testing
byLondon School of Cyber Security
 
PDF
Memory forensics and incident response
byLondon School of Cyber Security
 
PDF
Gauntlt Rugged By Example
byLondon School of Cyber Security
 
PPTX
Application Hackers Have A Handbook. Why Shouldn't You?
byLondon School of Cyber Security
 
PDF
Website Impersonation Attacks. Who is REALLY Behind That Mask?
byLondon School of Cyber Security
 
PDF
Sploitego
byLondon School of Cyber Security
 
PDF
Legal Issues in Mobile Security Research
byLondon School of Cyber Security
 
PDF
Blind XSS
byLondon School of Cyber Security
 
PDF
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
byLondon School of Cyber Security
 
PPTX
Sploitego
byLondon School of Cyber Security
 
PPT
Bulletproof IT Security
byLondon School of Cyber Security
 
The Panama Papers Hack
byLondon School of Cyber Security
 
ISIS and Cyber Terrorism
byLondon School of Cyber Security
 
Silk Road & Online Narcotic Distribution
byLondon School of Cyber Security
 
Ashely Madison Hack
byLondon School of Cyber Security
 
How To Protect Your Website From Bot Attacks
byLondon School of Cyber Security
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
byLondon School of Cyber Security
 
How To Catch a Phish: User Awareness and Training
byLondon School of Cyber Security
 
Advanced Threat Detection in ICS – SCADA Environments
byLondon School of Cyber Security
 
Building an Effective Cyber Intelligence Program
byLondon School of Cyber Security
 
Crowdsourced Vulnerability Testing
byLondon School of Cyber Security
 
Memory forensics and incident response
byLondon School of Cyber Security
 
Gauntlt Rugged By Example
byLondon School of Cyber Security
 
Application Hackers Have A Handbook. Why Shouldn't You?
byLondon School of Cyber Security
 
Website Impersonation Attacks. Who is REALLY Behind That Mask?
byLondon School of Cyber Security
 
Sploitego
byLondon School of Cyber Security
 
Legal Issues in Mobile Security Research
byLondon School of Cyber Security
 
Blind XSS
byLondon School of Cyber Security
 
Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
byLondon School of Cyber Security
 
Sploitego
byLondon School of Cyber Security
 
Bulletproof IT Security
byLondon School of Cyber Security
 

Recently uploaded

PPTX
Appreciations - Jan 26 01.pptxkkkmmkmkmkmkm
bypreetheshparmar
 
PPTX
West Hatch High School - GCSE Media Studies
byWestHatch
 
PPTX
West Hatch High School -- GCSE Geography
byWestHatch
 
PPTX
Powerpoint for testing in embed test with Sway
byjeanpierrefort3
 
PPTX
Central Line Associated Bloodstream Infection
bynabinabhaila40
 
PDF
Information about the author Shashi Deshpande
bydarshanaparmar6522
 
PDF
U.S. Departments of Education and Treasury fact sheet
byMebane Rash
 
PPTX
COMMUNICATION ITS PROCESS ELEMENTS & BARRIER .pptx
byPoojaSen20
 
PPTX
Definition of communication skills and it's process.
bypurvrajsinhsarvaiya0
 
PPTX
Mohan - "A man of silence and authority"
bynidhibachauhan46
 
PPTX
literary theory and criticism by Vivek p
byvivekrathodborda
 
PPTX
Toba Tek Singh - Visualising Partition through Manto's Lens
bymiraljoshi48
 
PPTX
YSPH VMOC Special Report - Measles - The Americas 1-25-2026
byYale School of Public Health - The Virtual Medical Operations Center (VMOC)
 
PPTX
'Colonial Mentality and Social Identity in Karma by Khushwant Singh'
byKrishnarajsinh Parmar
 
PDF
Bishan_Singh_Presentation - Toba tek Singh
bygopalsinhchauhan9313
 
PPTX
West Hatch High School: Year 9 Art Course
byWestHatch
 
PPTX
Grade 9 and 10 learner Fuse and Switch.pptx
byCarlJohnCabayao
 
PPTX
Drug Distribution in Pharmacology: Mechanisms, Barriers, Factors & Volume of ...
byamrin3379
 
PPTX
Day 2 ppt english.powerpoint presentation ppt
byJeahMaeMedez
 
PDF
Darwinism: Theory of Natural Selection and Origin of Species
byIPGDCWA,NAMPALLY
 
Appreciations - Jan 26 01.pptxkkkmmkmkmkmkm
bypreetheshparmar
 
West Hatch High School - GCSE Media Studies
byWestHatch
 
West Hatch High School -- GCSE Geography
byWestHatch
 
Powerpoint for testing in embed test with Sway
byjeanpierrefort3
 
Central Line Associated Bloodstream Infection
bynabinabhaila40
 
Information about the author Shashi Deshpande
bydarshanaparmar6522
 
U.S. Departments of Education and Treasury fact sheet
byMebane Rash
 
COMMUNICATION ITS PROCESS ELEMENTS & BARRIER .pptx
byPoojaSen20
 
Definition of communication skills and it's process.
bypurvrajsinhsarvaiya0
 
Mohan - "A man of silence and authority"
bynidhibachauhan46
 
literary theory and criticism by Vivek p
byvivekrathodborda
 
Toba Tek Singh - Visualising Partition through Manto's Lens
bymiraljoshi48
 
YSPH VMOC Special Report - Measles - The Americas 1-25-2026
byYale School of Public Health - The Virtual Medical Operations Center (VMOC)
 
'Colonial Mentality and Social Identity in Karma by Khushwant Singh'
byKrishnarajsinh Parmar
 
Bishan_Singh_Presentation - Toba tek Singh
bygopalsinhchauhan9313
 
West Hatch High School: Year 9 Art Course
byWestHatch
 
Grade 9 and 10 learner Fuse and Switch.pptx
byCarlJohnCabayao
 
Drug Distribution in Pharmacology: Mechanisms, Barriers, Factors & Volume of ...
byamrin3379
 
Day 2 ppt english.powerpoint presentation ppt
byJeahMaeMedez
 
Darwinism: Theory of Natural Selection and Origin of Species
byIPGDCWA,NAMPALLY
 

What Everybody Ought to Know About PCI DSS and PA-DSS

  • 1.
    Navigating PCI Compliance: ARisk Avoidance Strategy Google Hangout Session July 23, 2014
  • 2.
    This Is Whereit All Began December 15, 2004 PCI DSS V1.0 is launced
  • 3.
    Payment Credit CardSecurity Standards Who is the PCI Security Standards Council? • The PCI Security Standards Council is an open global forum responsible for the development, management, education, and awareness of the PCI Security Standards • Work closely with the five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. • PCI Council official launch occurred in 2006 • Current Data Security Standard is V3.0 published in November 2013 • Standards Committee has established: Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
  • 4.
    What is PCIDSS and PA-DSS? • PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents. • This applies to any organization with a Merchant ID (MID) • PCI DSS V3.0 requirements must be completed by December 31st • Payment Application Data Security Standard (PA-DSS) is the global security standard created by the PCI Council in an effort to provide the definitive data standard for software vendors that develop payment applications • (ie. POS application or website ecommerce)
  • 5.
    How Does ThisAffect My Business? Managing the Requirements: • Companies that accept, process, transmit, or store payment credit cardholder data must adhere to PCI Compliance requirements • Having a SSL certificate for your website is not enough as this doesn’t prevent malicious attacks or intrusions from occurring • If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required Positive Impact and Benefits: • Compliance with the PCI DSS means that your systems are secure, and you earn customer’s trust in managing their personal information resulting in future business potential • Helps you to be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc. • Establishes a baseline corporate security strategy • Assists in identification of methods to improve the efficiency of your IT infrastructure
  • 6.
    What Happens ifI don’t Comply? • Payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations • Banks will also most likely either terminate your relationship or increase transaction fees if your organization is non PCI compliant • Potential for lost revenues, customer transitions, and an overall negative image in the marketplace could negatively impact future earnings potential • Liable for lawsuits, insurance claims, cancelled accounts, payment card issuer fines, along with government fines
  • 7.
  • 8.
    Current State ofData Security • Breaches make headlines • Businesses at risk regardless of size • The enemy is getting smarter • Companies must: • Understand the threats • Take steps to protect themselves and their customers.
  • 9.
    • Industry demandhas never been higher • The weakest link: The human • Social engineering • Lost/compromised login credentials • Careless behavior accounts for most incidents Need for Training
  • 10.
    Reduce the Risk– Don’t Store Data • Don’t store any payment card data • The less you have, the smaller a target you’ll be • Know what your vendors are storing.
  • 11.
    Reducing Risk –3rd Party Data Security • Use PCI validated Point of Sale systems • Confirm that your vendors follow the PCI DSS and the PA DSS • Talk to your bank about reviewing your technology and data storage practices
  • 12.
    Reducing Risk –Strong Passwords • Changing default passwords could have helped avoid the majority of compromises. • Nearly 80% of breaches of confidential consumer information involved compromised passwords.
  • 13.
    Reducing Risk –Updating Software • Hackers take advantage of software bugs • Product vendors deal with this by releasing software updates and patches • Use automated alert services
  • 14.
    Become Part ofthe Solution 1. Understanding of PCI Compliance and Requirements 2. Ongoing Education and Awareness 3. Take Steps to Safeguard your Business 4. Get Involved 5. Have a Plan

Editor's Notes

  • #4 The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. PCI Council is a non profit organization whose mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence is three steps: Assess, Remediate and Report.
  • #5 The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel
  • #6 Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future: As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise
  • #7 But if you are not compliant, it could be disastrous: Compromised data negatively affects consumers, merchants, and financial institutions Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
  • #8 One area that continues to grow in importance is the need for user training as people whom are involved in the processing, store, managing, or handling of personal credit cardholder information this affects everything from updating your passwords to avoiding phishing techniques and social engineering ploys to protecting your mobile devices by keeping software current. There are numerous real world examples that highlight the need for ongoing training and education so that users don’t fall prey or become victims to these potential threats. One organization that provides some good insights into this topic is the Ponemon Institute- an independent research firm that focuses on education to advance responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. In a recent research report prepared by the Ponemon Institute ‘Exposing the Cybersecurity Cracks: A Global Perspective’ the following information was presented: Raising the Human Security IQ: Fifty-two percent of companies do not provide cybersecurity education to their employees, with only 4 percent planning to do so in the next 12 months. Under half (42 percent) had undergone a cyber threat modelling process in their present role. Of those that did, nearly all, (94 percent) found it to be important in terms of managing their cyber risk. In a recent UK survey of financial services cyber security skills programs: almost all employers are looking for experienced staff, not trainees - and few have the skills in-house to organize a training program. There is, however, serious interest in using the frameworks on a modular basis to upgrade the skills of those in post and to cross-train users who understand the business.”
  • #9 With criminals looking to steal valuable payment card information, businesses of all sizes are at risk. And persistent hackers are growing increasingly sophisticated and creative, so it’s important to clearly understand the nature of the threats that face us and take the necessary steps to protect our businesses and our customers.
  • #10  Employees are the first line of defense against security attacks. But a lack of proper training and awareness can turn employees from assets into liabilities. In fact, a recent forensics report highlights the importance of educating employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing… However an Enterprise Management Association report states that 54% of employees have not received any security Awareness education – so you can see there’s quite a need for in additional education the market
  • #11 So in addition to improving training and education, there are other steps you can take to reduce your risk. Most businesses don’t need to store any payment card data, so the number one thing you can do to limit your risk is to not store it unless absolutely necessary for business purposes!! The less you have, the less of a target you’ll be for hackers - so you need to make sure that you are not storing this data in your computers or on paper. In addition to knowing what data you store, it’s important to know what your technology vendors are storing.
  • #12 If you are using commercially available point-of-sale, or POS systems, ask your payment software vendor to confirm that your software version has been PCI validated as not storing this data. Or, even better, go to the PCI Council’s website yourself and check the listing of validated payment software to see if yours is on there. Also confirm with your payment processor that they are following the PCI Data Security Standard and the Payment Application Data Security Standard – and that all cardholder data storage is necessary and appropriate for the transaction type. And don’t forget to talk to your bank about reviewing your technology and data storage practices.
  • #13 Data breach reports continue to highlight that simple security measures such as changing passwords could have helped companies avoid the majority of compromises. Are you still using the blank or default password that came with your computer or payment software or device? Or are you using 12345 or password1? By using easy or default passwords, you leave the door wide open for attacks on your business. It’s been estimated that nearly 80% of breaches of confidential consumer information involved compromised passwords.
  • #14 Hackers are always looking to take advantage of the latest known software bugs as well as uncover unknown problems with commercially available software products. Product vendors deal with this by releasing software updates or patches - but these are only good if you’re actually using them! Not doing your security software updates is like having locks on your doors but not locking them! Without the latest protections for your computer against viruses, spyware and other malicious software that can compromise your business, you’re leaving the door wide open for hackers. Many vendors now offer automated alert services that provide prompt notification to their clients. Some vendors also provide automated patching mechanisms. Take these alerts seriously and make sure you’re taking advantage of the latest updates to protect your computers and your business.
  • #15 The best way to learn more about PCI Compliance is to keep current with industry news by keeping you and your teams educated on the latest threats and learn how to avoid these risks. In many cases the easiest way to prevent an attack is by having users trained on what to watch out for and consider implementing a security awareness training program for your company. The PCI Council has some great free resources on their website which you can leverage and you have the opportunity to participate via planning committees, community meetings, and updates via ongoing communications.