Payment Card Industry Introduction 2010
1. Donald E. Hester
CISSP, CISA, CAP, PSP, MCT
Maze & Associates / San Diego City College
www.LearnSecurity.org
2. The Problem
Albert Gonzalez, 28
With accomplices, he was involved in most of the major data breaches:
Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ's Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.
4. Top 10 Data Breaches
Date (DD-MM-YY)  Organization                                      Lost records
20-01-09         Heartland Payment Systems                          130,000,000
17-01-07         TJX Companies Inc.                                  94,000,000
01-06-84         TRW, Sears Roebuck                                  90,000,000
05-10-09         National Archives and Records Administration        76,000,000
19-06-05         CardSystems, Visa, MasterCard, American Express     40,000,000
24-06-04         America Online                                      30,000,000
22-05-06         U.S. Department of Veterans Affairs                 26,500,000
20-11-07         HM Revenue and Customs, TNT                         25,000,000
06-10-08         T-Mobile, Deutsche Telekom                          17,000,000
01-11-86         Canada Revenue Agency                               16,000,000
Total: 544,500,000
Current US Population: 303 million
Source:
6. Highest IT Priorities for 2008
1. Information Security Management
2. IT Governance
3. Business Continuity Management and Disaster Recovery Planning
4. Privacy Management
5. Business Process Improvement, Workflow and Process Exceptions Alerts (new to list)
6. Identity and Access Management
7. Conforming to Assurance and Compliance Standards
8. Business Intelligence (new to list)
9. Mobile and Remote Computing
10. Document, Forms, Content and Knowledge Management
Source: AICPA's 19th Annual Top Technology Initiatives survey
Items 1, 2, 4, 6 and 7 are all PCI related.
7. Highest IT Priorities for 2009
1. Information Security Management
2. Privacy Management
3. Secure Data File Storage, Transmission and Exchange
4. Business Process Improvement, Work Flow and Process Exception Alerts
5. Mobile and Remote Computing
6. Training and Competency
7. Identity and Access Management
8. Improved Application and Data Integration
9. Document, Forms, Content and Knowledge Management
10. Electronic Data Retention Strategy
Source: AICPA's 20th Annual Top Technology Initiatives survey
Items 1, 2, 3, 6, 7 and 10 are all PCI related.
8. Players
• Acquirer (Merchant Bank)
  – Bankcard association member that initiates and maintains relationships with merchants that accept payment cards
• Hosting Provider
  – Offers various services to merchants and other service providers
• Merchant
  – Provides goods and services for compensation
• Cardholder
  – Customer to whom a card is issued, or an individual authorized to use the card
[Diagram: Card Brand / Acquirer / Hosting Provider / Merchant / Cardholder]
9. Players
• Card Brand
  – Issue fines
  – Determine compliance requirements
• PCI Security Standards Council
  – Maintain standards for PCI
  – Administer ASV & QSA
• Qualified Security Assessors
  – Certified to provide annual audits
• Approved Scanning Vendor
  – Certified to provide quarterly scans
[Diagram: Card Brands / PCI SSC / QSA / ASV]
12. What does the PCI Council do?
• Own and manage PCI DSS, including maintenance, revisions, interpretation and distribution
• Define common audit requirements to validate compliance
• Manage certification process for security assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified assessors and vendors
14. What are the Standards?
• PCI DSS: PCI Data Security Standard
  – Overall standard, applies to all
• PA DSS: Payment Application Data Security Standard
  – Supporting standard for payment applications
• PTS (was PED): PIN Transaction Security Standard
  – Supporting standard for PIN entry devices
  – Supporting standard for unattended payment terminals (UPT)
15. PCI DSS
• The Payment Card Industry Data Security Standard
• 6 Objectives (Goals)
• 12 Sections (Requirements)
• 194 Controls
18. PA DSS
• "PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP).
• The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS."
– Payment Card Industry Security Standards Council
19. PIN Transaction Security
• "The PCI PED security alignment initiative is aimed at ensuring that the cardholder's PIN, and any sensitive information such as resident keys, are protected consistently at a PIN acceptance device.
• The objective of the requirements is the provision of a single, consistent, and stringent standard for all PIN acceptance devices worldwide."
– Payment Card Industry Security Standards Council
20. Who must comply?
• With PCI DSS
  – Any organization that processes, stores or transmits credit card information
• With PA DSS
  – Payment application developers
  – Merchants will be required to use only compliant applications by July 2010
• With PTS
  – Manufacturers of PIN entry devices
  – Merchants will be required to use only compliant hardware by July 2010
  – MasterCard PTS to be incorporated into PCI SSC April 30, 2010
21. PCI Compliance
• This includes:
  – Organizations that only use paper-based processing
  – Organizations that outsource credit card processing
  – Organizations that process credit cards in house
22. Is PCI law?
ď The PCI DSS was developed by the
payment card brands
ď Compliancy is compulsory if a merchant
wishes to continue processing payment
card transactions
ď However, some States have enacted
legislation that has made PCI compliance
the law
23. What if we are a small
organization?
⢠âAll merchants, whether small or
large, need to be PCI compliant.
⢠The payment brands have collectively
adopted PCI DSS as the requirement
for organizations that process, store
or transmit payment cardholder
data.â
â PCI SSC
24. Cost?
⢠What happens when there is a data
breach?
â Depends if the merchant can reach safe
harbor.
25. What’s Safe Harbor?
[Diagram: Incident Evaluation leads either to Safe Harbor or to $$$$$$]
If compromised, take immediate action.
“Merchants and service providers that have experienced a suspected or confirmed security breach must take immediate action to help prevent additional damage and adhere to Visa CISP requirements.”
26. What’s Safe Harbor?
If there is a data breach, the card brands will perform a forensic audit to determine whether the organization was PCI DSS compliant at the time of the data breach.
27. What’s Safe Harbor?
If the organization is found to be out of compliance at the time of the breach, it may be liable for the full cost of the breach, including the cost of the forensics, losses of cardholders, losses to the banks, losses to the card brand, and in some states fines will be assessed.
28. What’s Safe Harbor?
In addition, the organization will be moved to the highest merchant level, will be required to meet the most stringent evidence requirements, and its credit card processing fees will increase.
29. What’s Safe Harbor?
To obtain safe harbor status a merchant must maintain full compliance at all times, including at the time of the breach, as demonstrated during a forensic investigation.
30. Safe Harbor Notes:
• For a merchant to be considered compliant, any service providers that store, process or transmit credit card account data on behalf of the merchant must also be compliant.
• The submission of compliance validation documentation alone does not provide the merchant with safe harbor status.
31. Loss or theft of account information
• Members, service providers or merchants must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.
• If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.
• If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
• Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
— Visa CISP program
32. Fines
Merchants may be subject to fines by the card associations if deemed non-compliant. For your convenience, fine schedules for Visa and MasterCard are outlined below.
http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html
34. Action Items
• Document how your organization stores, processes or transmits credit card information
• Determine your merchant level
• Determine your validation requirements
  – Contact your merchant banks and acquirers
• Determine your SAQ validation type
• Find an ASV for compliance network vulnerability scans
  – Perform at least quarterly scans
• Annually fill out your SAQ
  – Turn in and/or keep on file
35. 10 Steps to Document Cardholder Environment
1. Determine Merchant Level (number of transactions)
2. List all Merchant Banks and Acquirers
3. List all outsourced processors, ASPs and third party processors
4. Document all Payment Applications
5. Document all PEDs used (Point of Interaction)
6. List all physical locations where CHD is processed, stored or transmitted
7. List all electronic storage of CHD
8. Document electronic transmission
9. Document policies that address PCI requirements
10. Implement applicable PCI DSS controls
36. Step 1: Determine Merchant Level
• List the number of all credit card transactions for all Merchant Banks and Acquirers
• List by card brand as well
• Determine your merchant level based on total annual credit card transactions
• The number is based on the aggregate number of transactions for a DBA
Note: Merchant levels are defined by the Card Brands and determined by the Acquirer based on transaction volume.
37. Step 2: Document Acquirers
• List all Acquirers, Merchant Banks and/or Acquiring Banks
• Include card brands when they act as acquirer, e.g. Amex, Discover, JCB
  – Would never be Visa or MasterCard
• They determine your merchant level and reporting requirements
38. Step 2: Document Acquirers
• Contact Information
  – Address
  – Phone Number
• Incident Response Team
• Website
  – Monitor for changes in requirements
• Any notes or documented conversations you have with them
39. Step 3: Determine Service Providers
• A Service Provider is a business or entity that is directly involved in the processing, storage, transmission, and switching of transaction data and/or cardholder data (CHD)
• Any service provider that has control over, or could have a security impact on, CHD
40. Example of Service Providers
• Transaction Processors
• Customer Service
• Call Centers
• Payment Gateways
• Credit Reporting
• External Sales
• Remittance Processing
• Card Embossing Companies
• Information Security Providers
• Offsite Data Storage Providers
41. Manage Service Providers
• Maintain a list of service providers
• Maintain agreements that hold service providers responsible for the security of CHD
  – Include reporting and breach notification
• Have a process to validate new service providers before they become service providers
• Have a program to monitor service provider compliance at least annually
42. Step 4: Document Payment Applications
• List all payment applications
• Document the business use of the applications
• Determine if the application is compliant
• Determine if the application stores CHD
• Check the PCI website for the list of approved applications
43. Action Items
• Contact the vendor; make sure payment applications are PA DSS compliant or will be.
• Contact your PIN device supplier; make sure you have compliant PIN Entry Devices.
https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
https://www.pcisecuritystandards.org/security_standards/vpa/
44. Payment Applications
• In-house applications
  – SDLC controls
  – Code reviews
  – Application firewalls
  – OWASP
45. Step 5: Document PED
• List all Points of Interaction (POI)
  – List all PIN Entry Devices (PED)
  – List all Point of Interaction devices
  – List all Unattended Payment Terminals (UPT)
  – List all Point of Sale (POS) devices
• Document compliance for those devices currently required to be PCI compliant
47. PED
• PIN Entry Device
  – Scope of the standard increasing
• PIN Transaction Security (PTS)
  – Will include
    • UPT (Unattended Payment Terminals)
    • POI (Point of Interaction)
    • POS (Point of Sale Devices)
  – Standard addresses the vendors who make devices
  – Merchants must use approved devices
48. Step 6: Physical CHD
• List all physical locations where PAN is processed, stored or transmitted
  – Paper
  – Receipts
  – Imprints
  – Carbon copies
  – Locations of backup media
• Document Retention Period
  – Justify with business need
• Document Destruction Policy
49. Step 7: Electronic Data Storage
• List all electronic storage of CHD
• Document the business reason for storing and the retention period
• Requirements in PCI DSS
  – Encryption
  – Access Controls and Audit logs
  – Never permitted to store full track data
50. Cardholder Data
Data Element                                Storage Permitted   Protection Required   PCI DSS 3.4
Cardholder Data
  Primary Account Number (PAN)              Yes                 Yes                   Yes
  Cardholder Name                           Yes                 Yes                   No
  Service Code                              Yes                 Yes                   No
  Expiration Date                           Yes                 Yes                   No
Sensitive Authentication Data
  Full Magnetic Stripe Data                 No                  N/A                   N/A
  CVC2 / CVV2 / CID / CAV2                  No                  N/A                   N/A
  PIN / PIN Block                           No                  N/A                   N/A
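How a record might be shaped after authorization so that it follows the table above, as an added example that is not part of the original presentation: the sensitive authentication data elements are dropped outright, the permitted elements are kept, and the PAN is rendered unreadable by truncation plus a keyed hash (the method chosen for this example; PCI DSS 3.4 also allows other approaches). The field names, the HMAC key and the sample authorization response are constructed for the example, and the card number is a test value that passes the Luhn check but belongs to no real account.

```python
"""Post-authorization record handling per the cardholder-data table.

Added example, not from the original deck. Field names, the HMAC key and the
sample record below are constructed; the card number is a test value.
"""
import hashlib
import hmac

# Storage permitted (with protection) after authorization.
STORABLE = ("cardholder_name", "service_code", "expiration_date")
# Sensitive authentication data: storage is never permitted after authorization.
SENSITIVE_AUTH = ("full_track", "cvv2", "cvc2", "cid", "cav2", "pin", "pin_block")


def normalize_pan(pan):
    """Strip spaces and dashes so every representation of a PAN hashes alike."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def truncate_pan(pan):
    """Truncation as allowed by PCI DSS 3.4: at most the first six and last four digits."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan, key):
    """Keyed one-way hash of the PAN (HMAC-SHA256; the key lives outside the data store).

    Keying matters: with the first six and last four digits known from the
    truncated form, only a few hundred thousand Luhn-valid PANs remain, so an
    unkeyed hash could simply be enumerated.
    """
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def store_record(raw, key):
    """Return (record, dropped): what may be kept, and which fields were discarded.

    The PAN is replaced by its truncated and hashed forms; permitted elements
    are copied; sensitive authentication data and unknown fields are dropped.
    """
    record = {}
    dropped = []
    for field, value in raw.items():
        if field == "pan":
            record["pan_truncated"] = truncate_pan(value)
            record["pan_hash"] = hash_pan(value, key)
        elif field in STORABLE:
            record[field] = value
        else:
            dropped.append(field)  # SAD or unrecognised: never written to storage
    return record, dropped


# Constructed sample of what a payment application holds right after authorization.
SAMPLE_KEY = b"placeholder-key-normally-held-in-an-hsm-or-key-vault"
SAMPLE_AUTH_RESPONSE = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "J. Q. PUBLIC",
    "expiration_date": "12/11",
    "service_code": "101",
    "cvv2": "123",
    "full_track": "%B4111111111111111^PUBLIC/J Q^1211101?",
    "pin_block": "0123456789ABCDEF",
}

if __name__ == "__main__":
    kept, removed = store_record(SAMPLE_AUTH_RESPONSE, SAMPLE_KEY)
    print("stored :", kept)
    print("dropped:", removed)
```

The split between `STORABLE` and everything else is deliberate: a field the table does not list is treated like sensitive authentication data rather than kept by default, which is the safer failure mode when a vendor adds a new field to the response.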
51. Places to look for CHD
• Electronic Image Files
• SANs
• Fax Servers
• Scan Archives
• Printer Spools
• Laserfiche
• Log Files
• Audio Recordings: customer service call recordings
• Voicemail
• Email Server/Archive
• Backup Media
• Copier/Scanner Cache
• Databases
Perform a search for CHD every 6 months
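A search for CHD of the kind the list above calls for, as an added example that is not part of the original deck: candidate digit runs are pulled out of text with a regular expression, checked with the Luhn algorithm so that order numbers and timestamps that merely look like card numbers are dropped, and reported masked so the report itself does not become one more place CHD is stored. The log, export and print-spool text is constructed for the example, and the card numbers in it are test values.

```python
"""Scan text sources for stored PANs (added example, not from the original deck).

The sources below are constructed stand-ins for a log file, a database
export and a printer spool; the card numbers in them are test values.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check-digit test; filters most numeric noise (timestamps, order ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """First six and last four only, so findings can be shared without exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(source_name, text):
    """Return one finding per Luhn-valid candidate: source, line number, masked PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append({"source": source_name, "line": lineno, "masked": mask(digits)})
    return findings


def scan_sources(sources):
    """sources: list of (name, text) pairs; returns all findings in source order."""
    results = []
    for name, text in sources:
        results.extend(find_pans(name, text))
    return results


# Constructed samples. The 'ref=' value is a 16-digit order reference that
# fails the Luhn check and so must not be reported.
SAMPLE_SOURCES = [
    ("app.log",
     "2009-03-02 14:05:11 INFO auth ok pan=4111111111111111 amount=42.00\n"
     "2009-03-02 14:05:12 INFO order ref=1234567890123456 shipped\n"),
    ("orders_export.csv",
     "order_id,card,amount\n"
     "1002,5555 5555 5555 4444,19.99\n"),
    ("print_spool.txt",
     "RECEIPT  4111-1111-1111-1111  EXP 12/11\n"),
]

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['source']}:{f['line']}  {f['masked']}")
```

Run against real exports, spool directories or log archives, the same `find_pans` loop is pointed at file contents instead of the constructed strings; the Luhn filter keeps the noise down, but every hit still needs a human to decide whether the storage is justified, documented and protected, or whether the data should be removed.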
52. Unknown Storage
• Fax machines and copy machines may store CHD
http://www.youtube.com/watch?v=iC38D5am7go
53. Step 8: Document Data Transmission
• Not only do you need to know where your data is stored, you also need to know where it travels
• Create a Data Flow diagram
  – Diagram with the CHD flow superimposed over the network diagram
• Evaluate the flow every 6 months, or more often if there has been a change
• Helps to determine the PCI scope and aids in determining network segmentation
54. Document Data Flow
• With a network diagram, document the flow of credit card information (transmission)
• Locate any places the information might be stored along the data path (storage)
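The scoping use of the data flow diagram, as an added example that is not part of the original deck: the network diagram is modelled as systems placed in segments with links between segments, and the CHD flows are laid over it. Systems that store, process or transmit CHD form the cardholder data environment; systems in any segment with an unrestricted path to a CDE segment are treated as in scope with it; systems reachable only over a restricted (firewalled) link, or not at all, are treated as segmented out. The inventory, segment names, link types and flows are constructed, and reducing segmentation to "open" versus "restricted" links is this example's simplifying assumption, not PCI SSC text.

```python
"""Derive PCI scope from a network diagram with CHD flows overlaid on it.

Added example, not from the original deck. The inventory, segments, links and
flows are constructed; "open" vs "restricted" is a simplified model of whether
a firewall confines the traffic between two segments.
"""
from collections import deque

# Network diagram: system -> (segment, stores/processes/transmits CHD?)
SYSTEMS = {
    "pos1":         ("pos_vlan",   True),
    "payapp":       ("pos_vlan",   True),
    "finance_ws":   ("corp_lan",   False),
    "fileserver":   ("corp_lan",   False),
    "webpay":       ("dmz",        True),
    "intranet_web": ("dmz",        False),
    "hr_db":        ("hr_net",     False),
    "backup_srv":   ("backup_net", True),   # holds payapp backups containing CHD
    "guest_ap":     ("guest_wifi", False),
}

# Segment-to-segment links: "open" = no filtering; "restricted" = firewall allows only named flows.
LINKS = {
    ("pos_vlan", "corp_lan"): "open",
    ("dmz", "pos_vlan"):      "restricted",
    ("corp_lan", "hr_net"):   "restricted",
}

# CHD flows drawn over the diagram (the transmission part of the data flow).
FLOWS = [
    ("pos1", "payapp"),
    ("webpay", "payapp"),
    ("payapp", "backup_srv"),
]


def open_neighbors(segment, links):
    """Segments reachable from `segment` over an unrestricted link."""
    for (a, b), kind in links.items():
        if kind != "open":
            continue
        if a == segment:
            yield b
        elif b == segment:
            yield a


def compute_scope(systems, flows, links):
    """Classify each system as 'CDE', 'connected-to' or 'out-of-scope'."""
    cde = {name for name, (_, handles_chd) in systems.items() if handles_chd}
    cde |= {name for flow in flows for name in flow}   # endpoints of a CHD flow transmit CHD
    # Every segment holding a CDE system, plus segments reachable from one over open links.
    reach = {systems[name][0] for name in cde}
    queue = deque(reach)
    while queue:
        seg = queue.popleft()
        for nxt in open_neighbors(seg, links):
            if nxt not in reach:
                reach.add(nxt)
                queue.append(nxt)
    scope = {}
    for name, (segment, _) in systems.items():
        if name in cde:
            scope[name] = "CDE"
        elif segment in reach:
            scope[name] = "connected-to"
        else:
            scope[name] = "out-of-scope"
    return scope


def unlinked_flows(systems, flows, links):
    """CHD flows between segments with no link drawn: the diagram is missing a path."""
    missing = []
    for src, dst in flows:
        s, d = systems[src][0], systems[dst][0]
        if s != d and (s, d) not in links and (d, s) not in links:
            missing.append((src, dst))
    return missing


if __name__ == "__main__":
    for name, verdict in sorted(compute_scope(SYSTEMS, FLOWS, LINKS).items()):
        print(f"{name:14} {verdict}")
    for src, dst in unlinked_flows(SYSTEMS, FLOWS, LINKS):
        print(f"flow {src} -> {dst} crosses segments with no link on the diagram")
```

Two things the overlay surfaces in the sample: the finance workstations land in scope purely because their VLAN has an open link to the POS VLAN (a segmentation decision, not a payment one), and the backup flow crosses into a segment with no link drawn, so either the network diagram is incomplete or the backups travel a path nobody has reviewed.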
55. Step 9: Create Needed Policies
• What policies do you currently have that address PCI related issues?
• Create needed policies
  – See section 12 of the PCI DSS
• You will need to create additional subordinate policies, procedures or administrative directives for specific PCI control requirements
• Every PCI DSS control should be documented in some policy, procedure, administrative directive, SOP or schedule
59. PII Policy
• If you already have a policy for handling confidential information or personally identifiable information, add credit card information to confidential information or PII.
60. PCI DSS
• Start implementing the data security standard, beginning with policies
• Start with high level policies
  – “The City shall not store PAN (Credit Card Numbers) electronically or physically. Employees shall be trained on the PCI standard annually. Background checks will be performed on all staff with access to credit card information.”
61. PCI DSS
• Use the prioritized approach to implement the most important controls first.
62. Document Compliance
• Determine if all PEDs are PCI compliant
• Determine if all payment applications are PCI compliant
• Determine if all 3rd party processors and 3rd parties are PCI compliant
• Obtain documentation from each
• Annually renew documentation from 3rd parties
• Annually check the payment application and PED lists
64. Merchant Levels
• Each merchant is placed in a level based upon the number of transactions they process.
• These levels determine what evidence of compliance must be submitted (Validation Requirements).
• Merchants with a low number of transactions can complete a self-assessment questionnaire.
• Merchants in the middle submit questionnaires and have external scans.
• At the highest level merchants must have a full independent audit and external scan.
65. Validation Requirements
• External scans by an ASV, at least quarterly
• Annually fill out the SAQ
  – Even if the bank has not requested one
• If level 1 or 2 you will need an audit from a QSA
• New Internal Security Assessor (ISA) program
66. Merchant Levels
Merchant levels are determined by the annual number of transactions, not the dollar amount of the transactions.
Merchant Level   E-commerce transactions        All other transactions
Level 1          Over 6 million annually        Over 6 million annually
Level 2          1 to 6 million annually        1 to 6 million annually
Level 3          20,000 to 1 million annually   N/A
Level 4          Up to 20,000 annually          Up to 1 million annually
67. Merchant Levels: American Express
Merchant levels are determined by the annual number of transactions, not the dollar amount of the transactions.
Merchant Level   Definition
Level 1          2.5 million American Express Card transactions or more per year; or any Merchant that has had a data incident; or any Merchant that American Express otherwise deems a Level 1
Level 2          50,000 to 2.5 million American Express Card transactions per year
Level 3          Less than 50,000 American Express Card transactions per year
68. Validation Requirements
• The merchant level of the entity determines what the organization must do to validate its compliance with PCI DSS.
• Validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants in the near future.
• Validation requirements are set by Acquirers and Card Brands, not PCI SSC
69. Validation Requirements
Merchant Level   QSA Audit   Quarterly Network Scans   Self-Assessment Questionnaire
Level 1          Yes         Yes                       -
Level 2          *           Yes                       Yes
Level 3          -           Yes                       Yes
Level 4          -           Yes                       Yes
Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance, whereby entities verify and demonstrate their compliance status.
* Starting 12-31-2010 MasterCard will require Annual QSA Audits for Level 2 Merchants
70. Validation Requirements: American Express
Merchant Level   QSA Audit   Quarterly Network Scans   Self-Assessment Questionnaire
Level 1          Yes         Yes                       -
Level 2          -           Yes                       Yes
Level 3          -           Yes                       *
* Level 3 Merchants need not submit Validation Documentation, but still must comply with all other provisions of the DSOP.
71. Who do you report to?
• Acquirers (Merchant Banks) are responsible for verifying compliance
• Some Acquirers (Merchant Banks) are already requiring merchants at level 4 to comply
  – “Merchants that store payment account data should contact the acquiring financial institutions with whom they have merchant agreements to determine whether they must validate compliance and the specific requirements for compliance validation.” - PCI SSC
72. Network Vulnerability Scans
• The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance.
• Acquirers (Merchant Banks) require the quarterly submission of scan reports
• Scans must be performed by a PCI Approved Scanning Vendor (ASV)
73. Network Vulnerability Scans
• These scans are automated, non-intrusive web scans.
• Internal scans are also required by PCI DSS; however, no submission is required for internal scans.
• See the PCI SSC website for a list of Approved Scanning Vendors (ASV)
74. Self Assessment Questionnaire
• The Payment Card Industry Security Standards Council (PCI SSC) revised the original version of the Self Assessment Questionnaire (SAQ) in February 2008 in order to address the various scenarios that can exist at a merchant’s point of sale environment.
• As most Acquirers (Merchant Banks) require Self Assessment Questionnaires for merchant levels 2, 3 and 4, it is important to know which version of the SAQ your business may need to complete.
• There are five SAQ validation categories.
75. SAQs
Validation Type 1, SAQ A (v1.2): Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Validation Type 2, SAQ B (v1.2): Imprint-only merchants with no electronic cardholder data storage.
Validation Type 3, SAQ B (v1.2): Stand-alone terminal merchants, no electronic cardholder data storage.
Validation Type 4, SAQ C (v1.2): Merchants with POS systems connected to the Internet, no electronic cardholder data storage.
Validation Type 5, SAQ D (v1.2): All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.
76. QSA Audit
• For level 1 merchants an independent audit by a Qualified Security Assessor (QSA) is required
  – Starting 12-31-2010 MasterCard will require Annual QSA Audits for Level 2 Merchants
• The QSA will issue a Report on Compliance (ROC) for the merchant
78. Self Assessment Questionnaire
• Merchants have different levels of SAQ, depending upon the risk of the processing environment.
• Merchants who outsource processing or have paper-only processing have fewer questions to answer.
• Merchants who process in house on custom applications have to answer all the questions.
80. SAQ FAQ
• Do merchants have to be compliant only with the questions on the SAQ?
  – No, merchants must comply with all of the PCI DSS.
  – The questions on the SAQ only reflect the controls with the highest risk based upon the merchant’s processing environment.
  – Controls can be N/A depending upon the merchant’s environment.
81. SAQ FAQ
• What if my Merchant Bank has not required our organization to turn in our SAQ?
  – Contact your Merchant Banks and Acquirers
  – Complete the SAQ annually
  – Maintain a copy on file
82. SAQ FAQ
• How can my organization find assistance in completing the SAQ?
  – The Council encourages organizations to seek professional guidance in achieving compliance and completing the Self-Assessment Questionnaire.
  – You are free to use any security professional of your choosing
  – PCI SSC recommends a QSA or ISA
83. SAQ FAQ
• What is an Attestation of Compliance?
  – The Attestation is your certification that you have performed the appropriate Self-Assessment and attest to your organization’s compliance status with the PCI DSS.
84. SAQ A
Merchant level is determined by the total transactions of a business (DBA), not by the number of transactions per acquirer. That is why they have these questions.
85. SAQ A
Do you know if your outsourced 3rd party provider is compliant? When you sign the Attestation of Compliance you sign off that you confirmed third parties are PCI DSS compliant.
86. SAQ A
When you select yes for PCI DSS Requirement 12 you are effectively attesting that you are compliant with all controls in section 12.
87. All of PCI DSS
They added the following check box, just in case you want to plead that you did not know checking yes for compliance to section 12 meant that you complied with all controls in section 12.
88. Items under section 12
• For example
  – 12.5.1 Establish, document, and distribute security policies and procedures
  – 12.6.1 Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions)
  – 12.8.1 Verify that the contract contains provisions requiring adherence to the PCI DSS requirements
  – 12.3.6 Acceptable network locations for the technologies
91. Continuous Process
• Many of the PCI requirements have specific time interval requirements
• Create a schedule for time-based requirements
• Some organizations already have “maintenance calendars” for these types of actions
93. Common Findings
• Clients think they are compliant
  – Because they do quarterly network scans
  – Because they filled out the SAQ
  – Because they have too few transactions
• Reality
  – Validation is not compliance
  – Compliance is an ongoing process
  – PCI DSS is required for all merchants, regardless of the number of transactions
94. Common Findings
• Payment card information on paper
• No network segmentation
• Logging access
• Shared passwords
• Verifying compliance of outsourced processing
• No one is assigned responsibility
• Not aware of PAN storage in applications
95. PCI Pitfalls
• PCI will not make an organization’s network or data secure
• PCI DSS focuses on one type of data: payment card transactions
• The organization runs the risk of focusing on one class of data to the detriment of everything else
97. Cashiers
• Limit access
• Background checks
• Log access to CHD
• Fraud
  – Look for tampering of PIN Entry Devices or Point of Interaction devices
98. Merchants Should
• Be aware of the risks relating to skimming.
• Be aware of the vulnerabilities inherent in the use of point-of-sale terminals and terminal infrastructure.
• Be aware of the vulnerabilities associated with staff that have access to consumer payment devices.
• Prevent or deter criminal attacks against point-of-sale terminals and terminal infrastructure.
• Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.
99. Skimming
• Internal employees with criminal intent
• Skimming results from the capture of payment data within the payment infrastructure at the merchant location
• Focus on compromised POS terminals and their respective infrastructures
• Criminals will insert electronic equipment, by various means, into the terminal or the terminal infrastructure, in order to capture consumer account data
100. Criminal Methods
• Criminals will also target large multi-lane retailers where, during less busy periods, not all of the lanes are used and terminals are effectively left unattended.
• Criminals will steal terminals, compromise them, and then return them to either the same store or to another store in the same chain.
112. CCTV
• Use proper lighting for the cameras
• Should cover the POS but not the PIN if entered
• Store 90 days of video
• Facility coverage (exit / entrance)
• Problem with a camera – review the terminal
• Time stamps
• Note blackouts and camera incidents
113. Physical Security of Terminals
• Surrounding terminals
• Note the entire cable path from the terminal to the point where it leaves your merchant location
• Secure terminal cabling in public areas
• Consider cable locks
114. Employees
• Employers often feel employees are trustworthy
• Trustworthiness needs to be validated
• Not all have a criminal background when hired
• Employees may develop criminal intent over time
115. Criminal Activity
• Staff reporting criminal activity, or if they are approached by criminals
• Whistle-blower provision
• Train your staff to be aware of the types of fraud attacks criminals may attempt and the risk to them
116. Background Check
• Background checks could and should include
  – Validation of employee data as supplied in the hiring process
  – A criminal check
  – A financial/credit check
  – An education check
  – Previous employment history should also be in scope when applicable
117. Staff Should Know
• How to protect the terminal environment by being aware of what to look out for
• The procedure for escalating concerns
• Who to contact if they have concerns
• How to contact senior management
• How management or the employee should contact local law enforcement if someone threatens or attempts to bribe them to compromise terminals or payment data
The standard has approximately 194 controls in 12 sections. The 12 sections are grouped into 6 objectives. The 6 objectives are: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
I make gas pumps with a PIN entry device; what do I need to do differently? With the introduction of UPTs into the PTS program this year, Automated Fuel Dispensers (AFDs) and similar devices such as kiosks may be subject to testing. AFDs and other unattended POS devices that are not directly used for PIN acceptance (e.g. do not contain a PIN pad for PIN entry) do not need to undergo testing against the UPT requirements.
How does the integration of the MasterCard PTS program into PCI SSC affect me? (POS manufacturer or Merchant)
• The integration of the MasterCard PTS program will not be effective until April 30, 2010. Until that time, the program will continue as is under MasterCard. Additional details about the program’s integration into PCI SSC will be provided as the effective date becomes closer.
• For Vendors with POS Terminals currently under evaluation, this evaluation will continue and the report will be submitted to MasterCard for review and approval as per usual. Any changes to these procedures from April 30, 2010 will be communicated in advance of that date.
• For Merchants wishing to purchase approved POS terminals, please continue to use the PCI SSC list of approved devices for guidance.
This includes organizations that only use paper-based processing, organizations that outsource credit card processing, and organizations that process credit cards in house.
If there is a data breach, the card brands will perform a forensic audit to determine whether the merchant was compliant at the time of the data breach. If the merchant is found not compliant at the time of the breach, it will be liable for the full cost of the breach: the cost of the forensics, losses of cardholders, losses to the banks, losses to the card brand, and in some states fines will be assessed.
In addition, the merchant will be moved to the highest merchant level and will be required to meet the most stringent evidence requirements, and its credit card processing fees will go up.
SAQ A: 11 questions and attestation
SAQ B: 21 questions and attestation
SAQ C: 38 questions and attestation
SAQ D: 226 questions and attestation