SlideShare a Scribd company logo

Chapter 15: PCI Compliance for Merchants

Download as PPTX, PDF
Nada G.Youssef
Nada G.Youssef

Security Program and Policies, Principles and Practices

Education
1 of 18
Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 15: PCI Compliance for Merchants
Copyright 2014 Pearson Education, Inc. 2 Objectives ■ Describe the PCI Data Security Standard framework ■ Recognize merchant responsibilities ■ Explain the 12 top-level requirements ■ Understand the PCI DSS validation process ■ Implement practices related to PCI compliance
Copyright 2014 Pearson Education, Inc. 3 Introduction ■ Visa, MasterCard, Discover, JCB International and American Express formed the Payment Card Industry Security Standards Council and developed the Payment Card Industry Data Security Standard (PCI DSS) ❑ Version 1 was released December 15, 2005 ❑ Version 3 was released November 2013
Copyright 2014 Pearson Education, Inc. 4 Protecting Cardholder Data ■ PCI DDS applies to all system components where account data is stored ❑ Account data ■ Cardholder data plus sensitive authentication data ❑ System components ■ Any network component, server, or application that is included in, or connected to, the cardholder data environment ❑ Cardholder data environment ■ The people, processes, and technology that handle cardholder data or sensitive authentication data
Protecting Cardholder Data Cont. ■ Primary account number (PAN) must be stored in an unreadable (encrypted) format ■ Sensitive authentication data may never be stored post-authorization, even if encrypted ■ Utilizing a third party to store, process, and transmit cardholder data or manage system components does not relieve a covered entity of its PCI compliance obligation Copyright 2014 Pearson Education, Inc. 5
What Is the PCI DDS Framework? ■ The PCI DDS framework includes ❑ Stipulations regarding storage, transmission, and processing of payment card data ❑ Six core principles ❑ Required technical and operational security controls ❑ Testing requirements ❑ Certification process ■ Compliance is an ongoing process ❑ The organization must monitor required controls to ensure they are operating effectively Copyright 2014 Pearson Education, Inc. 6
What Are the PCI DDS Framework? Cont. ■ The Six PCI DSS core principles ❑ Build and maintain a secure network and systems ❑ Protect cardholder data ❑ Maintain a vulnerability management program ❑ Implement strong access control measures ❑ Regularly monitor and test networks ❑ Maintain an information security policy Copyright 2014 Pearson Education, Inc. 7
What Are the PCI Requirements? There are 12 top-level requirements that accompany the six core principles ■Build and maintain a secure network and systems ❑ Includes the following two requirements ■ Install and maintain a firewall configuration to protect cardholder data ■ Do not use vendor-supplied defaults for system passwords and security parameters Copyright 2014 Pearson Education, Inc. 8
What Are the PCI Requirements? Cont. ■ Protect Cardholder Data ❑ Includes the following two requirements ■ Protect stored card data ■ Encrypt transmission of cardholder data across open, public networks ■ Maintain a Vulnerability Management Program ❑ Includes the following two requirements ■ Protect all systems against malware and regularly update antivirus software or programs ■ Develop and maintain secure systems and architecture Copyright 2014 Pearson Education, Inc. 9
What Are the PCI Requirements? Cont. ■ Implement Strong Access Control Measures ❑ Includes the following three requirements ■ Restrict access to cardholder data by business need-to- know ■ Identify and authenticate access to system components ■ Restrict physical access to cardholder data ■ Regulatory Monitor and Test Networks ❑ Includes the following two requirements ■ Track and monitor all access to network resources and cardholder data ■ Regularly test security systems and processes Copyright 2014 Pearson Education, Inc. 10
What Are the PCI Requirements? Cont. ■ Maintain an Information Security Policy ❑ Includes the final requirement ■ Maintain a policy that addresses information security for all personnel Copyright 2014 Pearson Education, Inc. 11
PCI Compliance ■ PCI compliance is not a government regulation or law ■ It’s mandated by the payment card brands to accept card payments and/or be part of the payment system ■ Merchants are required to comply with PCI DSS ❑ A merchant is defined as any entity that accepts American Express, Discover, JCB, MasterCard, or Visa payment cards as payment for goods and/or services (including donations) ❑ Effectively, any company, organization, or individual that accepts card payments is a merchant Copyright 2014 Pearson Education, Inc. 12
PCI Compliance Cont. ■ PCI compliance validation is composed of four levels, based on the number of transactions processed per year and whether those transactions are performed from a physical location or over the Internet ❑ Level 1 ■ Processes more than 6 million Visa payment card transactions annually ❑ Level 2 ■ Processing 1million to 6million Visa transactions per year. ❑ Level 3 ■ Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year ❑ Level 4 ■ Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants—regardless of acceptance channel—processing up to 1million Visa transactions per year Copyright 2014 Pearson Education, Inc. 13
What Is a Data Security Compliance Assessment? ■ An annual onsite evaluation of compliance with the PCI DSS conducted by either a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) ■ Assessment process begins with documenting the PCI DSS cardholder environment and confirming the scope of the assessment ■ QSA/ISA will initially conduct a GAP assessment to identify areas of noncompliance and provide remediation recommendations Copyright 2014 Pearson Education, Inc. 14
Report on Compliance ■ ROC standard template includes the following ❑ Section 1: Executive Summary ❑ Section 2: Description of Scope of Work and Approach Taken ❑ Section 3: Details About Reviewed Environment ❑ Section 4: Contact Information and Report Date ❑ Section 5: Quarterly Scan Results ❑ Section 6: Findings and Observations ❑ Compensating Controls Worksheets (if Applicable) Copyright 2014 Pearson Education, Inc. 15
What Is the SAQ? ■ A validation tool for merchants that are not required to submit to an onsite data security assessment ■ Has two parts ❑ Controls questionnaire ❑ Self-certified attestation Copyright 2014 Pearson Education, Inc. 16
Are There Penalties for Noncompliance? ■ Three type of fines ❑ PCI noncompliance ❑ Account Data Compromise Recovery (ADCR) for compromised domestic-issued cards ❑ Data Compromise Recovery Solution (DCRS) for compromised international-issued cards ■ Noncompliance penalties are discretionary and can vary greatly, depending on the circumstances Copyright 2014 Pearson Education, Inc. 17
Copyright 2014 Pearson Education, Inc. 18 Summary ■ The Payment Card Industry Data Security Standard, known as PCI DSS, applies to all entities involved in the payment card channel, including merchants, processors, financial institutions, and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data ■ The PCI DSS framework includes six core principles and 12 categories of required technical and operational security controls, testing requirements, and a validation and certification process ■ Compliance with PCI DSS is a payment card channel contractual obligation. It is not a government regulation or law

Recommended

Chapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementChapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementNada G.Youssef
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Nada G.Youssef
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorChapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorNada G.Youssef
 
Chapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityChapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityNada G.Youssef
 
Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources SecurityNada G.Youssef
 
Chapter 13: Regulatory Compliance for Financial Institutions
Chapter 13: Regulatory Compliance for Financial InstitutionsChapter 13: Regulatory Compliance for Financial Institutions
Chapter 13: Regulatory Compliance for Financial InstitutionsNada G.Youssef
 
Chapter 9: Access Control Management
Chapter 9: Access Control ManagementChapter 9: Access Control Management
Chapter 9: Access Control ManagementNada G.Youssef
 

Recommended

Chapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementChapter 12: Business Continuity Management
Chapter 12: Business Continuity ManagementNada G.Youssef
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Chapter 7: Physical & Environmental Security
Chapter 7: Physical & Environmental Security Nada G.Youssef
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorChapter 14: Regulatory Compliance for the Healthcare Sector
Chapter 14: Regulatory Compliance for the Healthcare SectorNada G.Youssef
 
Chapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityChapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityNada G.Youssef
 
Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources SecurityNada G.Youssef
 
Chapter 13: Regulatory Compliance for Financial Institutions
Chapter 13: Regulatory Compliance for Financial InstitutionsChapter 13: Regulatory Compliance for Financial Institutions
Chapter 13: Regulatory Compliance for Financial InstitutionsNada G.Youssef
 
Chapter 9: Access Control Management
Chapter 9: Access Control ManagementChapter 9: Access Control Management
Chapter 9: Access Control ManagementNada G.Youssef
 
Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset ManagementNada G.Youssef
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and MaintenanceNada G.Youssef
 
Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Nada G.Youssef
 
Human resources security
Human resources securityHuman resources security
Human resources securityCAS
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information PolicyMLG College of Learning, Inc
 
Lesson 4
Lesson 4Lesson 4
Lesson 4MLG College of Learning, Inc
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationMLG College of Learning, Inc
 
Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair ApproachMLG College of Learning, Inc
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
E Discovery Risks for Risk Managers
E Discovery Risks for Risk ManagersE Discovery Risks for Risk Managers
E Discovery Risks for Risk ManagersFred Travis
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule updateO'Connor Davies CPAs
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security BlueprintZefren Edior
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales DeckEvan Francen
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Chapter 5
Chapter 5Chapter 5
Chapter 5sivadnolram
 
Information security
Information securityInformation security
Information securityPraveen Minz
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get startedIT Governance Ltd
 
Privacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident ResponsePrivacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident ResponseID Experts
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 
Chapter 3
Chapter 3Chapter 3
Chapter 3Nada G.Youssef
 
Chapter 4
Chapter 4Chapter 4
Chapter 4Nada G.Youssef
 

More Related Content

What's hot

Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset ManagementNada G.Youssef
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and MaintenanceNada G.Youssef
 
Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Nada G.Youssef
 
Human resources security
Human resources securityHuman resources security
Human resources securityCAS
 
E Discovery Risks for Risk Managers
E Discovery Risks for Risk ManagersE Discovery Risks for Risk Managers
E Discovery Risks for Risk ManagersFred Travis
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security BlueprintZefren Edior
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales DeckEvan Francen
 
Information security
Information securityInformation security
Information securityPraveen Minz
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get startedIT Governance Ltd
 
Privacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident ResponsePrivacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident ResponseID Experts
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 

What's hot (20)

Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset Management
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance
 
Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style Chapter 2: Policy Elements and style
Chapter 2: Policy Elements and style
 
Human resources security
Human resources securityHuman resources security
Human resources security
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
 
Lesson 4
Lesson 4Lesson 4
Lesson 4
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
 
Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair Approach
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
E Discovery Risks for Risk Managers
E Discovery Risks for Risk ManagersE Discovery Risks for Risk Managers
E Discovery Risks for Risk Managers
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule update
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales Deck
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Information security
Information securityInformation security
Information security
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Privacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident ResponsePrivacy and Security: Teamwork Required to Tackle Incident Response
Privacy and Security: Teamwork Required to Tackle Incident Response
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
 

Viewers also liked

Chapter 1: Context of Health Care Financial Management
Chapter 1: Context of Health Care Financial ManagementChapter 1: Context of Health Care Financial Management
Chapter 1: Context of Health Care Financial ManagementNada G.Youssef
 
Chapter 4: Financial Statement Analysis
Chapter 4: Financial Statement AnalysisChapter 4: Financial Statement Analysis
Chapter 4: Financial Statement AnalysisNada G.Youssef
 
Chapter 10: Budgeting
Chapter 10: Budgeting Chapter 10: Budgeting
Chapter 10: Budgeting Nada G.Youssef
 
Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Nada G.Youssef
 

Viewers also liked (19)

Chapter 3
Chapter 3Chapter 3
Chapter 3
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
 
Chapter 2
Chapter 2Chapter 2
Chapter 2
 
E commerce 2
E commerce 2E commerce 2
E commerce 2
 
Chapter 1: Context of Health Care Financial Management
Chapter 1: Context of Health Care Financial ManagementChapter 1: Context of Health Care Financial Management
Chapter 1: Context of Health Care Financial Management
 
Chapter 4: Financial Statement Analysis
Chapter 4: Financial Statement AnalysisChapter 4: Financial Statement Analysis
Chapter 4: Financial Statement Analysis
 
Chapter 10: Budgeting
Chapter 10: Budgeting Chapter 10: Budgeting
Chapter 10: Budgeting
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Chapter Three
Chapter ThreeChapter Three
Chapter Three
 
Chapter Two
Chapter TwoChapter Two
Chapter Two
 
Chapter Seven
Chapter SevenChapter Seven
Chapter Seven
 
Chapter Eight
Chapter Eight Chapter Eight
Chapter Eight
 
Chapter Five
Chapter FiveChapter Five
Chapter Five
 
Chapter Ten
Chapter TenChapter Ten
Chapter Ten
 
Chapter Eleven
Chapter ElevenChapter Eleven
Chapter Eleven
 
Chapter Four
Chapter FourChapter Four
Chapter Four
 
Chapter Nine
Chapter NineChapter Nine
Chapter Nine
 
Chapter 1: Understanding Policy
Chapter 1: Understanding Policy Chapter 1: Understanding Policy
Chapter 1: Understanding Policy
 
Chapter Six
Chapter SixChapter Six
Chapter Six
 

Similar to Chapter 15: PCI Compliance for Merchants

ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011Donald E. Hester
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
Maze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local GovernmentsMaze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local GovernmentsDonald E. Hester
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Donald E. Hester
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should careSean D. Goodwin
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI complianceJisc
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Pci compliance overview earth link business
Pci compliance overview earth link businessPci compliance overview earth link business
Pci compliance overview earth link businessMike Shelah
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardPCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardJohn Bedrick
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Donald E. Hester
 

Similar to Chapter 15: PCI Compliance for Merchants (20)

ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
Maze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local GovernmentsMaze & Associates PCI Compliance Tracker for Local Governments
Maze & Associates PCI Compliance Tracker for Local Governments
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
Pci compliance overview earth link business
Pci compliance overview earth link businessPci compliance overview earth link business
Pci compliance overview earth link business
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardPCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The Standard
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 

More from Nada G.Youssef

Chapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementChapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementNada G.Youssef
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Nada G.Youssef
 

More from Nada G.Youssef (8)

مجلة 1
مجلة 1مجلة 1
مجلة 1
 
Chapter Tewlve
Chapter TewlveChapter Tewlve
Chapter Tewlve
 
Chapter one
Chapter oneChapter one
Chapter one
 
Chapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementChapter 4: Governance and Risk Management
Chapter 4: Governance and Risk Management
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University Preparatory Year of Saudi Electronic University
Preparatory Year of Saudi Electronic University
 
Chapter 12
Chapter 12Chapter 12
Chapter 12
 
Chapter 11
Chapter 11Chapter 11
Chapter 11
 

Recently uploaded

The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 

Recently uploaded (20)

INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 

Chapter 15: PCI Compliance for Merchants

  • 1. Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 15: PCI Compliance for Merchants
  • 2. Copyright 2014 Pearson Education, Inc. 2 Objectives ■ Describe the PCI Data Security Standard framework ■ Recognize merchant responsibilities ■ Explain the 12 top-level requirements ■ Understand the PCI DSS validation process ■ Implement practices related to PCI compliance
  • 3. Copyright 2014 Pearson Education, Inc. 3 Introduction ■ Visa, MasterCard, Discover, JCB International and American Express formed the Payment Card Industry Security Standards Council and developed the Payment Card Industry Data Security Standard (PCI DSS) ❑ Version 1 was released December 15, 2005 ❑ Version 3 was released November 2013
  • 4. Copyright 2014 Pearson Education, Inc. 4 Protecting Cardholder Data ■ PCI DDS applies to all system components where account data is stored ❑ Account data ■ Cardholder data plus sensitive authentication data ❑ System components ■ Any network component, server, or application that is included in, or connected to, the cardholder data environment ❑ Cardholder data environment ■ The people, processes, and technology that handle cardholder data or sensitive authentication data
  • 5. Protecting Cardholder Data Cont. ■ Primary account number (PAN) must be stored in an unreadable (encrypted) format ■ Sensitive authentication data may never be stored post-authorization, even if encrypted ■ Utilizing a third party to store, process, and transmit cardholder data or manage system components does not relieve a covered entity of its PCI compliance obligation Copyright 2014 Pearson Education, Inc. 5
  • 6. What Is the PCI DDS Framework? ■ The PCI DDS framework includes ❑ Stipulations regarding storage, transmission, and processing of payment card data ❑ Six core principles ❑ Required technical and operational security controls ❑ Testing requirements ❑ Certification process ■ Compliance is an ongoing process ❑ The organization must monitor required controls to ensure they are operating effectively Copyright 2014 Pearson Education, Inc. 6
  • 7. What Are the PCI DDS Framework? Cont. ■ The Six PCI DSS core principles ❑ Build and maintain a secure network and systems ❑ Protect cardholder data ❑ Maintain a vulnerability management program ❑ Implement strong access control measures ❑ Regularly monitor and test networks ❑ Maintain an information security policy Copyright 2014 Pearson Education, Inc. 7
  • 8. What Are the PCI Requirements? There are 12 top-level requirements that accompany the six core principles ■Build and maintain a secure network and systems ❑ Includes the following two requirements ■ Install and maintain a firewall configuration to protect cardholder data ■ Do not use vendor-supplied defaults for system passwords and security parameters Copyright 2014 Pearson Education, Inc. 8
  • 9. What Are the PCI Requirements? Cont. ■ Protect Cardholder Data ❑ Includes the following two requirements ■ Protect stored card data ■ Encrypt transmission of cardholder data across open, public networks ■ Maintain a Vulnerability Management Program ❑ Includes the following two requirements ■ Protect all systems against malware and regularly update antivirus software or programs ■ Develop and maintain secure systems and architecture Copyright 2014 Pearson Education, Inc. 9
  • 10. What Are the PCI Requirements? Cont. ■ Implement Strong Access Control Measures ❑ Includes the following three requirements ■ Restrict access to cardholder data by business need-to- know ■ Identify and authenticate access to system components ■ Restrict physical access to cardholder data ■ Regulatory Monitor and Test Networks ❑ Includes the following two requirements ■ Track and monitor all access to network resources and cardholder data ■ Regularly test security systems and processes Copyright 2014 Pearson Education, Inc. 10
  • 11. What Are the PCI Requirements? Cont. ■ Maintain an Information Security Policy ❑ Includes the final requirement ■ Maintain a policy that addresses information security for all personnel Copyright 2014 Pearson Education, Inc. 11
  • 12. PCI Compliance ■ PCI compliance is not a government regulation or law ■ It’s mandated by the payment card brands to accept card payments and/or be part of the payment system ■ Merchants are required to comply with PCI DSS ❑ A merchant is defined as any entity that accepts American Express, Discover, JCB, MasterCard, or Visa payment cards as payment for goods and/or services (including donations) ❑ Effectively, any company, organization, or individual that accepts card payments is a merchant Copyright 2014 Pearson Education, Inc. 12
  • 13. PCI Compliance Cont. ■ PCI compliance validation is composed of four levels, based on the number of transactions processed per year and whether those transactions are performed from a physical location or over the Internet ❑ Level 1 ■ Processes more than 6 million Visa payment card transactions annually ❑ Level 2 ■ Processing 1million to 6million Visa transactions per year. ❑ Level 3 ■ Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year ❑ Level 4 ■ Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants—regardless of acceptance channel—processing up to 1million Visa transactions per year Copyright 2014 Pearson Education, Inc. 13
  • 14. What Is a Data Security Compliance Assessment? ■ An annual onsite evaluation of compliance with the PCI DSS conducted by either a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) ■ Assessment process begins with documenting the PCI DSS cardholder environment and confirming the scope of the assessment ■ QSA/ISA will initially conduct a GAP assessment to identify areas of noncompliance and provide remediation recommendations Copyright 2014 Pearson Education, Inc. 14
  • 15. Report on Compliance ■ ROC standard template includes the following ❑ Section 1: Executive Summary ❑ Section 2: Description of Scope of Work and Approach Taken ❑ Section 3: Details About Reviewed Environment ❑ Section 4: Contact Information and Report Date ❑ Section 5: Quarterly Scan Results ❑ Section 6: Findings and Observations ❑ Compensating Controls Worksheets (if Applicable) Copyright 2014 Pearson Education, Inc. 15
  • 16. What Is the SAQ? ■ A validation tool for merchants that are not required to submit to an onsite data security assessment ■ Has two parts ❑ Controls questionnaire ❑ Self-certified attestation Copyright 2014 Pearson Education, Inc. 16
  • 17. Are There Penalties for Noncompliance? ■ Three type of fines ❑ PCI noncompliance ❑ Account Data Compromise Recovery (ADCR) for compromised domestic-issued cards ❑ Data Compromise Recovery Solution (DCRS) for compromised international-issued cards ■ Noncompliance penalties are discretionary and can vary greatly, depending on the circumstances Copyright 2014 Pearson Education, Inc. 17
  • 18. Copyright 2014 Pearson Education, Inc. 18 Summary ■ The Payment Card Industry Data Security Standard, known as PCI DSS, applies to all entities involved in the payment card channel, including merchants, processors, financial institutions, and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data ■ The PCI DSS framework includes six core principles and 12 categories of required technical and operational security controls, testing requirements, and a validation and certification process ■ Compliance with PCI DSS is a payment card channel contractual obligation. It is not a government regulation or law