2. What is a payment card?
“A card that can be used by a cardholder and accepted by a merchant to make a payment”
Types of payment cards
• Credit cards
• Debit cards
• Prepaid cards
3. What is a payment card industry standard?
“An information security standard for organizations that handle cardholder information for the major payment cards”
Defined by the Payment Card Industry Security Standards Council
4. Payment card security standards
PCI Security standards
• PIN Entry Device Security Requirements
• PCI Data Security Standard
• Payment Application Data Security Standard
5. Payment Card Industry Data Security Standard
PCI DSS consists of six categories
– Build and maintain a secure network
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an information security policy
6. Advantages of Complying with PCI DSS
• Secure the systems
• Trust of customers
• Improves your reputation with acquirers and payment brands
• Helps to prevent security breaches
• Helps to prevent theft of payment card data
• Indirect benefits
– Have a basis for a corporate security strategy
– Can identify ways to improve the efficiency of IT infrastructure
7. Effectiveness and Cost of PCI DSS
• Larger and well-budgeted companies are able to achieve better compliance
• Smaller companies often have difficulty interpreting the standards because they have fewer resources
8. Technologies Involved
• Firewalls
• Anti-virus
• Anti-malware solutions
• Encryption for data at rest and in motion
9. Threats of Giving Payment Card Information
• Unauthorized payments
• Misuse for illegal transactions
• Identity theft
• Tracking the transactions
10. How PCI DSS helps to safeguard customers from fraud
• Install and maintain a firewall configuration to protect cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
11. How PCI DSS helps to safeguard customers from fraud (cont.)
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security for employees and contractors
12. How to detect a security incident
Detection techniques
– Decision tree
– Genetic algorithms and other algorithms
– Clustering techniques
– Neural networks
– Examine security event logs on
13. How to prevent a security incident
“No such thing as perfect security”
• Implement an incident handling process
• Change default passwords & don’t reuse passwords
• Examine security logs
• Regular network scans
• Patch and update regularly
• Raise user awareness about information security
14. How to provide an appropriate response to security incidents
• Verify incident and impact
• Evidence collection from suspected hosts
• Forensic Acquisitions
• Assemble required personnel and determine escalation procedures
• Identify regulatory or legal requirements
• Effectively contain and segment affected areas
• Learn from the incident
15. PCI Data Security Standard for Merchants & Processors
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
16. How to Comply with PCI DSS
• Comply with the technical and operational requirements set by the PCI Security Standards Council
• Compliance requirements vary depending on the brand of the payment card
- Ex: Visa, MasterCard
17. Payment Application Data Security Standard for Developers
• The PA-DSS minimizes vulnerabilities in payment applications
• PA-DSS covers commercial payment applications, integrators and service providers
18. Payment Application Data Security Standard for Developers (cont.)
• Do not retain full magnetic stripe, card validation code or value, or PIN block data
• Provide secure password features
• Protect stored cardholder data
• Log application activity
• Develop secure applications
• Protect wireless transmissions
• Test applications to address vulnerabilities
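The "examine security logs" item on slide 13 and the PA-DSS items above ("do not retain ... card validation code", "protect stored cardholder data", "log application activity") come together in one routine check: scanning application logs for leaked card data. The following is an added example, not code from the deck or from the PCI SSC; it finds Luhn-valid PAN candidates in constructed log lines, masks them to the first six and last four digits, and flags lines that carry sensitive authentication data field names (the field-name list and the log format are assumptions).

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Field names that suggest sensitive authentication data (assumed list).
SAD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|pin|track[12])\s*[=:]", re.I)

def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by all major card brands; filters out order
    numbers and transaction ids that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str):
    """Return (line with Luhn-valid PANs masked, number of PANs found)."""
    found = 0
    def repl(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # not a card number, leave untouched
        found += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), found

def scan_log(lines):
    """Return (line_no, scrubbed_line, pan_count, has_sad_field) for each
    line that leaked a PAN or names a sensitive authentication data field."""
    hits = []
    for n, line in enumerate(lines, 1):
        scrubbed, count = scrub_line(line)
        sad = bool(SAD_RE.search(line))
        if count or sad:
            hits.append((n, scrubbed, count, sad))
    return hits

# Constructed sample log; PANs are brand-published test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-01-05 10:00:01 INFO order=4111111111111111 amount=19.99",
    "2024-01-05 10:00:02 INFO txn_id=1234567890123456 status=ok",   # fails Luhn
    "2024-01-05 10:00:03 DEBUG card=5555 5555 5555 4444 cvv=123",
]

if __name__ == "__main__":
    for n, scrubbed, count, sad in scan_log(SAMPLE_LOG):
        print(f"line {n}: pans={count} sad_field={sad} -> {scrubbed}")
```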
19. PIN Entry Device Security Requirements for Manufacturers
• Applies to companies which make devices that accept PIN entry for all PIN-based transactions
• PED Security Requirements
– Device Characteristics
• Physical Security Characteristics
• Logical Security Characteristics
– Device Management
• Device Management during Manufacturing
• Device Management between Manufacturing and Initial Key Loading
20. Conclusion
• PCI DSS has enhanced the security of cardholders’ data to a great extent
• Helped raise awareness of data security in the business world
• Has improved consumer confidence in the security of personal information