PCI DSS
• Developed by the five major card brands to address potential areas of vulnerability and guide organizations in best practices for maintaining the integrity of cardholder data.
• Anyone handling payment card details must adhere to it.
• Failure to comply could result in:
  • Significant fines from the card brands
  • Inability to accept credit cards for payment
  • Damage to brand/reputation
4.
PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
• The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
• All organizations that retain, process, and transmit cardholder data, such as merchants who are members of card issuing companies, and any other service providers should consider compliance with PCI DSS.
5.
History
• The Payment Card Industry Data Security Standard (PCI DSS) is the unified global standard for cardholder data security established by five international payment card brands (VISA, MasterCard, JCB, AMEX and Discover). This is the data security standard that multilaterally specifies requirements for security management, policies, procedures and methods, network configurations and software design to protect cardholder data.
• Each of these five international payment card brands supports compliance with PCI DSS and strives to promote its adoption.
7.
What is PCI-DSS?
• A common set of industry tools and measurements to ensure safe handling of sensitive information.
• The PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
• Established by the credit card industry in response to an increase in identity theft and credit card fraud.
• Every merchant who handles credit card data is responsible for safeguarding that information, can be held liable for security compromises, and must comply with PCI-DSS.
• Applies to credit cards as well as debit cards.
8.
Background
• 1/9/2006 – PCI DSS v1.1
• 1/10/2010 – PCI DSS v2.0
• 1/11/2013 – PCI DSS v3.0
• The current (May 2018) version of PCI DSS is 3.2.1, released in May 2018
Version timeline:
• 1.0 was released on December 15, 2004.
• 1.1, in September 2006, provided clarification and minor revisions.
• 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed evolving risks and threats.
• 2.0 was released in October 2010.
• 3.0 was released in November 2013 and was active from January 1, 2014 to June 31, 2015.
• 3.2.1 was released in May 2018.
When processing a credit card transaction…
Verify the following:
• The card is signed.
• The expiration date has not passed.
• The signature on the receipt matches the card signature.
• The receipt does not show the full 16-digit account number or card validation code.
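The receipt and expiry checks above, as an added Python example (not part of the original slides): it masks the account number down to its last four digits, treats a card as valid through the last day of its MM/YY expiry month, and rejects receipt text that still carries a full account number or a card validation code. The sample PAN, the CVV/CVC/CID labels and the receipt layout are constructed assumptions.

```python
import re
from datetime import date

# Constructed test value (a well-known non-issued test number), not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"

# A run of 13-19 digits not adjacent to other digits: the shape of a full PAN.
FULL_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# A validation code printed next to its label (assumed labels: CVV, CVC, CID).
CVV_FIELD = re.compile(r"\b(CVV2?|CVC2?|CID)\b\s*[:=]?\s*\d{3,4}", re.IGNORECASE)


def mask_pan(pan: str) -> str:
    """Return the PAN with every digit but the last four replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def is_expired(expiry_mm_yy: str, today_iso: str) -> bool:
    """A card stays valid through the last day of its MM/YY expiry month."""
    month, year = (int(part) for part in expiry_mm_yy.split("/"))
    if not 1 <= month <= 12:
        raise ValueError("bad expiry month")
    year += 2000
    # First day of the month following the expiry month.
    if month == 12:
        first_day_after = date(year + 1, 1, 1)
    else:
        first_day_after = date(year, month + 1, 1)
    return date.fromisoformat(today_iso) >= first_day_after


def receipt_is_safe(text: str) -> bool:
    """True when the text shows neither a full account number nor a validation code."""
    return FULL_PAN.search(text) is None and CVV_FIELD.search(text) is None


def build_receipt(pan: str, expiry_mm_yy: str, amount: float, today_iso: str) -> str:
    """Produce a receipt line for an unexpired card, never printing the full PAN."""
    if is_expired(expiry_mm_yy, today_iso):
        raise ValueError("card expired")
    receipt = f"CARD {mask_pan(pan)} EXP {expiry_mm_yy} AMOUNT {amount:.2f}"
    if not receipt_is_safe(receipt):  # last line of defence against a PAN leak
        raise RuntimeError("receipt would expose cardholder data")
    return receipt


if __name__ == "__main__":
    print(build_receipt(SAMPLE_PAN, "12/30", 42.5, "2025-06-01"))
```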
12.
12 requirements
1. Protect your system with firewalls
2. Configure passwords and settings
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Regularly update and patch systems
7. Restrict access to cardholder data to business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to workplace and cardholder data
10. Implement logging and log management
11. Conduct vulnerability scans and penetration tests
12. Documentation and risk assessments
Compliance Levels
All companies who are subject to PCI DSS standards must be PCI compliant. There are four levels of PCI compliance, based on how much you process per year as well as other details about the level of risk assessed by the payment brands.
At a high level, the levels are as follows:
• Level 1 – Over 6 million transactions annually
• Level 2 – Between 1 and 6 million transactions annually
• Level 3 – Between 20,000 and 1 million transactions annually
• Level 4 – Less than 20,000 transactions annually
16.
What can I do?
1) Never see, store or have access to cardholder data
2) Never tokenize credit card information
3) Never use third-party payment gateway
4) Logging, testing, audit trails before launching website
5) Strictly follow security policies set by payment partners
17.
Application
• PCI compliance can be achieved by completing the Self-Assessment Questionnaire (SAQ). The questionnaire you take depends on how you integrate the payment gateway and handle cardholder data.
• However, PCI certification requires a rigorous self-audit and a special audit conducted by a Qualified Security Assessor (QSA).
#8 The history of PCI-DSS begins in 2004. As payment fraud began to rise, credit card industry leaders convened to develop a common set of security standards. The PCI’s founding members—American Express, Discover Financial Services, JCB International, Mastercard and Visa—introduced PCI DSS 1.0 in December 2004.
#12 1. Protect your system with firewalls – The first and foremost requirement of the PCI DSS is to protect your system with firewalls. Proper firewall configuration protects your card data environment.
2. Configure passwords and settings – Do not keep vendor-supplied default passwords. Default passwords pose a serious threat to your system security.
3. Protect stored cardholder data – Protect and secure stored cardholder data to prevent a data breach. Card data stored in the system should be encrypted, and the encryption keys themselves must be protected.
4. Encrypt transmission of cardholder data across networks – Use encryption and have security policies in place when you transmit cardholder data over open, public networks.
5. Use and regularly update anti-virus software – Anti-virus software should be installed on all systems. Ensure anti-virus or anti-malware programs are updated regularly so they detect known malware.
6. Regularly update and patch systems – Apply updates that patch security holes promptly. This is crucial to your security posture.
7. Restrict access to cardholder data – Access to cardholder data should be granted only to authorized persons. This protects the data from misuse.
8. Assign a unique ID to each person with computer access – As part of the security process, assign a unique ID to every person with computer access. This ensures controlled access to sensitive data.
9. Restrict physical access to cardholder data – Implement and strictly enforce restrictions on physical access to cardholder data. This prevents a data breach or misuse of data.
10. Implement logging and log management – Regularly review logs to identify errors, anomalies, and suspicious activities. You are also required to have a process in place to respond to these anomalies and exceptions. Use Security Information and Event Management (SIEM) tools to monitor systems regularly, oversee network activity, inspect system events, and identify suspicious activity inside your systems.
11. Conduct vulnerability scans and penetration tests – Conduct vulnerability scans and penetration tests to detect unknown risks and threats. This helps safeguard your system from potential threats or risks.
12. Documentation and risk assessments – The final requirement for PCI compliance is to keep documentation, policies, procedures, and evidence relating to your company's security practices in place for easy audit and remediation.
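A small log-review routine for requirements 7, 8 and 10 in the notes above, added here as an example (not the slides' own material): it parses constructed key=value audit events and flags reads of cardholder data by users outside an assumed need-to-know list, reads by generic accounts that are not a unique per-person ID, and bursts of failed logins. The log lines, account names, object names and threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample audit log (not from any real system), one key=value event per line.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice action=read object=chd_vault result=success
2024-05-01T09:13:10Z user=bob action=read object=chd_vault result=success
2024-05-01T09:14:55Z user=admin action=read object=chd_vault result=success
2024-05-01T09:15:01Z user=mallory action=login result=failure
2024-05-01T09:15:04Z user=mallory action=login result=failure
2024-05-01T09:15:07Z user=mallory action=login result=failure
2024-05-01T09:15:10Z user=mallory action=login result=failure
2024-05-01T09:20:00Z user=carol action=read object=reports result=success
garbage line that the collector could not parse
"""

# Assumed policy inputs for this example (constructed, not from the slides).
AUTHORIZED_CHD_USERS = {"alice"}                # need-to-know list (requirement 7)
CHD_OBJECTS = {"chd_vault"}                      # stores that hold cardholder data
GENERIC_ACCOUNTS = {"admin", "root", "shared"}   # not a unique per-person ID (requirement 8)
FAILED_LOGIN_LIMIT = 3                           # more failures than this is an anomaly (requirement 10)

EVENT = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: object=(?P<obj>\S+))? result=(?P<result>\S+)$"
)


def review_log(text: str) -> list[tuple[str, str]]:
    """Return (rule, subject) findings a log reviewer should act on, in log order."""
    findings = []
    failed_logins = Counter()
    for line in text.splitlines():
        m = EVENT.match(line)
        if m is None:
            findings.append(("unparsed_line", line))  # a gap in logging is itself a finding
            continue
        user, action, obj, result = m["user"], m["action"], m["obj"], m["result"]
        if obj in CHD_OBJECTS and result == "success":
            if user in GENERIC_ACCOUNTS:
                findings.append(("generic_account_touched_chd", user))
            elif user not in AUTHORIZED_CHD_USERS:
                findings.append(("unauthorized_chd_access", user))
        if action == "login" and result == "failure":
            failed_logins[user] += 1
            if failed_logins[user] == FAILED_LOGIN_LIMIT + 1:  # report each burst once
                findings.append(("failed_login_burst", user))
    return findings
```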