Payment Card Industry Data Security Standard (PCI-DSS)
By: Sameh Abulfotooh
Agenda
• Credit Cards History
• PCI Oversight and History
• Cardholder Data
• Payment Transaction Cycle
• PCI DSS at a High Level (Sections)
Credit Cards History
Before the credit card: charge coins, then charge plates/cards.
PCI Oversight and History
• PCI SSC is a collaborative agreement between five members of the credit card industry: Visa, MasterCard, American Express, Discover Financial Services, and JCB International (referred to commonly as the Brands).
• The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. They share equally in governance and execution of the Council's work.
• Before the Council, the brands each used their own requirements for business partners:
✦ Mastercard: SDP
✦ Visa: CISP
• The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
• The body was formed as a unified framework for improving security and reducing the threat of breaches.
• PCI SSC is committed to the development, awareness, and education of PCI.
• PCI SSC is also responsible for setting the PCI standards with which merchants are to comply.
• 2004: PCI Data Security Standards effectively started when MasterCard, Visa, American Express, Discover, and JCB collaborated on payment card practices. The companies cross-referenced each other's standards to create a concise, single set of compliance standards.
• January 2005: The PCI SSC estimated that 234 million records containing sensitive data had been breached, underlining the need for a regulatory body.
• June 30, 2005: Regulations took effect and were monitored collectively by the five PCI SSC founders.
• 2008: Notable incidents included breaches at large companies such as TJX, Shell, and Hannaford. The Hannaford breach in 2008 led to the development and implementation of PCI DSS version 1.2.
Versions:
• 1.0 was released on December 15, 2004.
• 1.1 in September 2006 provided clarification and minor revisions.
• 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed evolving risks and threats.
• 1.2.1 in August 2009 made minor corrections designed to create more clarity and consistency among the standards and supporting documents.
• 2.0 was released in October 2010.
• 3.0 was released in November 2013 and is active from January 1, 2014 to December 31, 2017.
• 3.1 was released in April 2015 and will be retired on October 31, 2016.
• 3.2 was released in April 2016.
Terms and Acronyms
• SSC: The governing body of PCI
• DSS: Data Security Standard
• QSA: Qualified Security Assessor
• ASV: Approved Scanning Vendor (validated annually by the SSC to perform the external quarterly vulnerability scan)
• SAQ: Self-Assessment Questionnaire
• ROC: Report on Compliance
• CDE: Cardholder Data Environment
WHY to Comply?
• To protect account data, which consists of cardholder data and/or sensitive authentication data.
• Banks and processors must be compliant with the brands' requirements as a merchant or service provider.
• Non-compliance means fines, or the brands can cut off your ability to process card payments.
Major Breaches
• Target
• Evernote
• Sony Online
• Sony PSN
• JP Morgan
• Home Depot
• Living Social
• Anthem
• eBay
How to Comply?
Assess: identifying all locations of cardholder data, taking an
inventory of your IT assets and business processes for payment card
processing and analyzing them for vulnerabilities that could expose
cardholder data
Repair: fixing identified vulnerabilities, securely removing any
unnecessary cardholder data storage, and implementing secure
business processes
Report: documenting assessment and remediation details, and
submitting compliance reports to the acquiring bank and card
brands you do business with (or other requesting entity if you’re a
service provider)
Protection of cardholder payment data across the ecosystem of payment devices, applications, infrastructure and users:
• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Applications)
• Merchants & Service Providers: PCI DSS (Secure Environments)
• P2PE
Penalties
Potential cost of a security breach:
• Fines of $500,000 per incident for being PCI non-compliant
• Increased audit requirements
• Cost of printing and postage for customer notification mailing
• Cost of staff time (payroll) during security recovery
• Cost of lost business during register or store closures and processing time
• Decreased sales due to marred public image and loss of customer confidence
Cardholder Data
Cardholder data may be found in:
• Point-of-sale devices
• Mobile devices, personal computers or servers
• Wireless hotspots
• Web shopping applications
• Paper-based storage systems
• Transmission of cardholder data to service providers
• Remote access connections
Resources
• PCI DSS – Summary of Changes from PCI DSS version 2.0 to 3.0
• PCI DSS Quick Reference Guide
• PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
• Information Supplements and Guidelines
• Prioritized Approach for PCI DSS
• Report on Compliance (ROC) Reporting Template and Reporting Instructions
• Self-assessment Questionnaires (SAQs) and SAQ Instructions and Guidelines
• Attestations of Compliance (AOCs)
• Frequently Asked Questions (FAQs)
• PCI for Small Merchants website
• PCI training courses and informational webinars
• List of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
• List of PTS approved devices and PA-DSS validated payment applications
Please refer to www.pcisecuritystandards.org for information about these and other resources.
Transaction Cycle
Major Players
• Card Brands: Created the SSC and are responsible for approving the DSS controls framework.
• PCI SSC: Developed the DSS, PA-DSS and PIN standards, and conducts training and certification for QSAs and ASVs.
• Acquirers: Banks and payment processors that own the responsibility for enforcing DSS.
• Merchants: Responsible for implementing DSS controls, as well as demonstrating and maintaining compliance.
Credit Card Transaction Cycle
Diagram of the parties in a card transaction: Cardholder, Merchant, Merchant's Bank, Brands, Issuing Bank.
PCI DSS at a High Level (Sections)
• Six major areas
• Twelve requirements
• About 50 pages of objectives
• For each objective, a statement of what's required and the associated testing procedure.
Example (Requirement 1): Install and maintain a firewall configuration to protect cardholder data.
PCI DSS Requirement 1.1.3: Current diagram that shows all cardholder data flows across systems and networks.
Testing Procedure 1.1.3: Examine the data-flow diagram and interview personnel to verify that the diagram:
• Shows all cardholder data flows across systems and networks.
• Is kept current and updated as needed upon changes to the environment.
Guidance: Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network. Network and cardholder data-flow diagrams help an organization to understand and keep track of the scope of their environment, by showing how cardholder data flows across networks and between individual systems and devices.
Masking Primary Account Number (PAN)
• Full PAN: 5555 9999 0000 8888
• Masked, first six digits kept: 5555 99XX XXXX XXXX
• Masked, last four digits kept: XXXX XXXX XXXX 8888
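As an added example (not from the presentation), a Python helper that produces the two masks shown above and applies them to constructed sample log lines, since PANs leaking into application logs is a common way the CDE scope silently grows. The detector is a conservative 13-to-19-digit heuristic (assumption: any such run is treated as a PAN, no Luhn check), so it will also mask long order numbers.

```python
import re

# Constructed sample log lines (not real data) with PANs in two common formats.
SAMPLE_LOG = [
    "2016-04-28T10:15:02Z INFO auth ok pan=5555 9999 0000 8888 amount=42.10",
    "2016-04-28T10:15:03Z DEBUG retry card=5555-9999-0000-8888 merchant=MER-0042",
    "2016-04-28T10:15:04Z INFO order_id=1234567890 status=settled",
]

# Heuristic PAN detector: 13 to 19 digits, optionally separated by single
# spaces or dashes, not adjacent to other digits. Deliberately no Luhn
# check: over-masking a long order number is cheaper than leaking a PAN.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pan(pan: str, keep: str = "last4") -> str:
    """Return the PAN with every digit replaced by 'X' except the ones kept.

    keep="first6" keeps the leading six digits (the issuer BIN), keep="last4"
    keeps the trailing four. Separators are preserved so the display grouping
    survives, matching the two masks on the slide.
    """
    digit_idx = [i for i, ch in enumerate(pan) if ch.isdigit()]
    if keep == "first6":
        visible = set(digit_idx[:6])
    elif keep == "last4":
        visible = set(digit_idx[-4:])
    else:
        raise ValueError("keep must be 'first6' or 'last4'")
    return "".join(
        ch if not ch.isdigit() or i in visible else "X" for i, ch in enumerate(pan)
    )


def scrub_log_line(line: str, keep: str = "last4") -> str:
    """Replace every PAN-looking run in one log line with its masked form."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0), keep), line)


def scrub_log(lines, keep: str = "last4"):
    """Scrub a batch of lines and count the PANs found.

    The count is what a detection rule would alert on: any value above zero
    means cardholder data is landing in logs and the log store is in CDE scope.
    """
    hits = 0
    out = []
    for line in lines:
        hits += len(PAN_RE.findall(line))
        out.append(scrub_log_line(line, keep))
    return out, hits


if __name__ == "__main__":
    cleaned, n = scrub_log(SAMPLE_LOG)
    print(f"{n} PAN(s) masked")
    for line in cleaned:
        print(line)
```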
Scope
• Define scope assessment
• Backup & restore assessment
SSL and TLS
• No SSL for new systems (3.2)
• No SSL after 2018
• Use TLS 1.2 or above
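As an added example (not part of the presentation), a small Python check that audits an nginx-style ssl_protocols directive against the rule above, run on a constructed weak configuration beside its hardened form. The nginx directive syntax and both config fragments are assumptions of the example.

```python
import re

# Protocol versions the slide allows: TLS 1.2 or above.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed nginx-style fragment with SSL and early TLS still enabled.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

# The corrected setting: only TLS 1.2 and above.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# Directive values are whitespace-separated and terminated by ';'.
PROTO_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def disallowed_protocols(config_text: str) -> list:
    """List every enabled protocol that the rule forbids (all SSL, early TLS).

    Returns ["<no ssl_protocols directive>"] when the directive is absent: the
    server default then decides, so the config cannot be called compliant on
    its own.
    """
    directives = PROTO_DIRECTIVE.findall(config_text)
    if not directives:
        return ["<no ssl_protocols directive>"]
    return [
        proto
        for values in directives
        for proto in values.split()
        if proto not in ALLOWED_PROTOCOLS
    ]


def is_compliant(config_text: str) -> bool:
    """True only when an explicit directive enables nothing below TLS 1.2."""
    return not disallowed_protocols(config_text)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", disallowed_protocols(cfg) or "OK")
```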
Multi-Factor Authentication (MFA)
• MFA required for remote network access by users, administrators, and vendors (3.0)
• MFA required for local access to any payment data systems and network segments
Change Management
• Formal process should exist
• No significant change without passing through the change management process.
Service Providers
• Provide detailed documentation describing how
authentication is used to protect payment card
data
• Quickly detect and report failures in any security
control
• Engage executive management
• Perform at least quarterly reviews to confirm policy compliance.
Thank You

More Related Content

What's hot

PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
AlienVault
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
ControlCase
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
Kimberly Simon MBA
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management Compliance
ControlCase
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
ControlCase
 
Wireless security using wpa2
Wireless security using wpa2Wireless security using wpa2
Wireless security using wpa2
Tushar Anand
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
Cissp Training PPT
Cissp Training PPTCissp Training PPT
Cissp Training PPT
ADEPT TECHNOLOGY
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
Ashintha Rukmal
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
leon bonilla
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
PECB
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
ControlCase
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
Amazon Web Services
 
Isms Implementer Course Module 1 Introduction To Information Security
Isms Implementer Course   Module 1   Introduction To Information SecurityIsms Implementer Course   Module 1   Introduction To Information Security
Isms Implementer Course Module 1 Introduction To Information Security
anilchip
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
Mart Rovers
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and Mindfulness
EmilyGladstoneCole
 

What's hot (20)

PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management Compliance
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Wireless security using wpa2
Wireless security using wpa2Wireless security using wpa2
Wireless security using wpa2
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
Cissp Training PPT
Cissp Training PPTCissp Training PPT
Cissp Training PPT
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset Security
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
 
Isms Implementer Course Module 1 Introduction To Information Security
Isms Implementer Course   Module 1   Introduction To Information SecurityIsms Implementer Course   Module 1   Introduction To Information Security
Isms Implementer Course Module 1 Introduction To Information Security
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and Mindfulness
 

Viewers also liked

PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
Kimberly Simon MBA
 
CISA Overview
CISA OverviewCISA Overview
CISA Overview
sameh Abulfotooh
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Jason Dover
 
PCI DSS Success: Achieve Compliance and Increase Web Application Security
PCI DSS Success: Achieve Compliance and Increase Web Application SecurityPCI DSS Success: Achieve Compliance and Increase Web Application Security
PCI DSS Success: Achieve Compliance and Increase Web Application Security
Citrix
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
Kimberly Simon MBA
 
Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2
waizou
 
Presentation_Borne
Presentation_BornePresentation_Borne
Presentation_Borne
P. Neil Borne CISSP,CEH,CHFI
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
amiable_indian
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
Shiva Hullavarad
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
HelpSystems
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Schellman & Company
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...
Ulf Mattsson
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
Schellman & Company
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Amazon Web Services
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveTop PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
AlgoSec
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
Erika Powell-Burson, MSIA, CISSP, CISA
 
Audit technique de code
Audit technique de codeAudit technique de code
Audit technique de code
Mehdi TAZI
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
Amazon Web Services
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
Amazon Web Services
 

Viewers also liked (20)

PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
CISA Overview
CISA OverviewCISA Overview
CISA Overview
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
PCI DSS Success: Achieve Compliance and Increase Web Application Security
PCI DSS Success: Achieve Compliance and Increase Web Application SecurityPCI DSS Success: Achieve Compliance and Increase Web Application Security
PCI DSS Success: Achieve Compliance and Increase Web Application Security
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2
 
Presentation_Borne
Presentation_BornePresentation_Borne
Presentation_Borne
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveTop PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
 
Audit technique de code
Audit technique de codeAudit technique de code
Audit technique de code
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
 

Similar to PCI-DSS_Overview

PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
JoseLuna802663
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
isc2-hellenic
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
Christopher Foot
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
Donald E. Hester
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
Al Abbas, PMP, CISSP, MBA, MSc
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
Donald E. Hester
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
Risk Crew
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
- Mark - Fullbright
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010
Donald E. Hester
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010
Donald E. Hester
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
Michele Chubirka
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
gealehegn
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit Standards
Keyur Thakore
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
Kimberly Simon MBA
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
Dermot Clarke
 

Similar to PCI-DSS_Overview (20)

PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
 
Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010Payment Card Industry CMTA NOV 2010
Payment Card Industry CMTA NOV 2010
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011PCI Compliance for Community Colleges @One CISOA 2011
PCI Compliance for Community Colleges @One CISOA 2011
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit Standards
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 

PCI-DSS_Overview

  • 1. Payment Card Industry Data Security Standard (PCI-DSS) By: Sameh Abulfotooh
  • 2. Agenda • Credit Cards History • PCI Oversight and History • Cardholder Data • Payment Transaction Cycle • PCI DSS at a High Level (Sections)
  • 4. Before Credit Card Charge Coin Charge Plates/Cards
  • 6. • PCI SSC is a collaborative agreement between five members of credit card lending including: Visa, MasterCard, American Express, Discover Financial Services, and JCB International (referred to commonly as Brands). • The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. They share equally in governance and execution of the Council's work. • They used before to use their own requirements for business partners: ✦ Mastercard: SDP ✦ Visa: CISP • The PCI Security Standards Council (PCI-SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. • The body formed as a unified framework for improving security and reducing the threat of breaches. • PCI SCC is committed to the development, awareness, and education of PCI • PCI SSC is also responsible for setting PCI standards to which merchants are to comply.
  • 7. • 2004 -PCI Data Security Standards effectively started in when MasterCard, Visa, American Express, Discover, and JCB created and collaborated payment card practices. The companies referred with each other's standards to create a concise and singular set of compliance standards. • January 2005- The PCI SSC has estimated that 234 million records with sensitive data have been breached, thus noting the need for a regulatory body. • June, 30, 2005- Regulations took effect and were monitored collectively by the five PCI SSC founders. • 2008 - Particular instances have included breaches at large companies such as TJX, Shell, and Hannaford. The recent breach at Hannaford occurred in 2008, which has led to the development and implementation of PCI DSS version 1.2.
  • 8. Versions: • 1.0 was released on December 15, 2004. • 1.1 in September 2006 provide clarification and minor revisions. • 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed evolving risks and threats. • 1.2.1 in August 2009 made minor corrections designed to create more clarity and consistency among the standards and supporting documents. • 2.0 was released in October 2010. • 3.0 was released in November 2013 and is active from January 1, 2014 to December 31, 2017. • 3.1 was released in April 2015, and will be retired October 31 2016. • 3.2 was released in April 2016.
• 9. Terms and Acronyms
• SSC: The governing body of PCI
• DSS: Data Security Standard
• QSA: Qualified Security Assessor
• ASV: Approved Scanning Vendor (validated annually by the SSC to perform the external quarterly vulnerability scan)
• SAQ: Self-Assessment Questionnaire
• ROC: Report on Compliance
• CDE: Cardholder Data Environment
• 10. WHY to Comply?
• Protect account data, which consists of cardholder data and/or sensitive authentication data.
• Banks or processors should be compliant with the brands, as a merchant or a service provider.
• Fines in case of non-compliance, or the brands can shut your business off from card processing.
• 11. Major Breaches
• Target
• Evernote
• Sony Online
• Sony PSN
• JP Morgan
• Home Depot
• Living Social
• Anthem
• EBay
• 12. How to Comply?
• Assess: identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
• Repair: fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
• Report: documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you're a service provider).
• 13. Ecosystem of payment devices, applications, infrastructure and users: Protection of Cardholder Payment Data
✦ Manufacturers: PCI PTS (PIN Entry Devices)
✦ Software Developers: PCI PA-DSS (Payment Applications)
✦ Merchants & Service Providers: PCI DSS (Secure Environments)
✦ P2PE
• 14. Penalties
Potential cost of a security breach:
• Fines of $500,000 per incident for being PCI non-compliant
• Increased audit requirements
• Cost of printing and postage for customer notification mailing
• Cost of staff time (payroll) during security recovery
• Cost of lost business during register or store closures and processing time
• Decreased sales due to marred public image and loss of customer confidence
• 17. Cardholder Data – Cont.
• Point-of-sale devices
• Mobile devices, personal computers or servers
• Wireless hotspots
• Web shopping applications
• Paper-based storage systems
• Transmission of cardholder data to service providers
• Remote access connections
• 18. Resources
• PCI DSS – Summary of Changes from PCI DSS version 2.0 to 3.0
• PCI DSS Quick Reference Guide
• PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
• Information Supplements and Guidelines
• Prioritized Approach for PCI DSS
• Report on Compliance (ROC) Reporting Template and Reporting Instructions
• Self-assessment Questionnaires (SAQs) and SAQ Instructions and Guidelines
• Attestations of Compliance (AOCs)
• Frequently Asked Questions (FAQs)
• PCI for Small Merchants website
• PCI training courses and informational webinars
• List of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
• List of PTS approved devices and PA-DSS validated payment applications
Please refer to www.pcisecuritystandards.org for information about these and other resources.
• 20. Major Players
✦ Card Brands: Created the SSC and responsible for approving the DSS controls framework.
✦ PCI SSC: Developed the DSS, PA-DSS, PIN standards, and conduct training and certification for QSAs and ASVs.
✦ Acquirers: Banks and payment processors that own the responsibility for enforcing DSS.
✦ Merchants: Responsible for implementing DSS controls, as well as demonstrating and maintaining compliance.
• 21. Credit Card Transaction Cycle
✦ Merchant
✦ Merchant's Bank
✦ Issuing Bank
✦ Brands
✦ Cardholder
  • 23. PCI DSS at a High Level (Sections)
• 24.
• Six major areas
• Twelve requirements
• About 50 pages of objectives
• For each objective, a statement of what's required, and an associated testing procedure.
  • 25.
• 26. Ex: Install and maintain a firewall configuration to protect cardholder data
✦ PCI DSS Requirement 1.1.3: Current diagram that shows all cardholder data flows across systems and networks.
✦ Testing Procedure 1.1.3: Examine the data-flow diagram and interview personnel to verify that the diagram shows all cardholder data flows across systems and networks, and is kept current and updated as needed upon changes to the environment.
✦ Guidance: Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network. Network and cardholder data-flow diagrams help an organization to understand and keep track of the scope of their environment, by showing how cardholder data flows across networks and between individual systems and devices.
• 27. Masking Primary Account Number (PAN)
• 5555 9999 0000 8888
• 5555 99XX XXXX XXXX
• XXXX XXXX XXXX 8888
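The two slides above describe a procedure (Assess: find every place cardholder data lives) and a rule (mask the PAN when it is displayed). The following is an added example, not code from the presentation or from PCI SSC, that does both: it masks a PAN to at most the first six and last four digits, and it scans constructed log lines for unmasked PANs so that stray cardholder data can be found during assessment. The log lines, card numbers and the `order=` field layout are all constructed for this example; the Luhn check is used only to cut down false positives on other long numbers, and the findings themselves carry only the masked value so the scan report does not become another place where cardholder data is stored.

```python
import re

# Constructed sample lines, in the shape an application log or data export might
# have. The card numbers are well-known test values, not real accounts.
SAMPLE_LINES = [
    "2016-04-01 12:00:01 order=1001 pan=4111111111111111 status=approved",
    "2016-04-01 12:00:02 order=1002 pan=5555 99XX XXXX XXXX status=approved",
    "2016-04-01 12:00:03 order=1003 ref=1234567890123 status=declined",
    "2016-04-01 12:00:04 order=1004 pan=5500-0000-0000-0004 status=approved",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN, showing at most the first six and last four digits
    (the PCI DSS Requirement 3.3 limit), grouped in fours for display."""
    if keep_first > 6 or keep_last > 4 or keep_first < 0 or keep_last < 0:
        raise ValueError("PCI DSS allows at most first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    hidden = len(digits) - keep_first - keep_last
    masked = digits[:keep_first] + "X" * hidden + digits[len(digits) - keep_last:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def find_unmasked_pans(lines):
    """Return (line_number, masked_pan) for each Luhn-valid PAN found in the lines.

    Only the masked form is reported so the findings list is safe to share.
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group(0))
            if luhn_ok(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for line_no, masked in find_unmasked_pans(SAMPLE_LINES):
        print(f"line {line_no}: unmasked PAN present, masked form {masked}")
```

Running the block reports lines 1 and 4: the already-masked value on line 2 never becomes a candidate, and the 13-digit reference number on line 3 fails the Luhn check. On a real assessment the same scanner would be pointed at log directories, database exports and backup sets, and every hit is a storage location that must either be brought into scope or have the data removed.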
• 28. Scope
• Define the scope of the assessment
• Backup & restore assessment
• 29. SSL and TLS
• No SSL for new systems (3.2)
• NO SSL after 2018
• TLS 1.2 or above
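As an added example of the "TLS 1.2 or above" rule (not code from the presentation), the block below builds a server-side TLS context in Python's standard `ssl` module that cannot negotiate SSLv3, TLS 1.0 or TLS 1.1, and pairs it with a small audit over constructed scan results of the kind an ASV report summarises. The host names, the scan results and the `ACCEPTABLE_VERSIONS` set are assumptions for this example; the `minimum_version` attribute is the real Python 3.7+ API.

```python
import ssl

# Assumption for this example: versions treated as acceptable after the SSL and
# early-TLS migration. Everything else (SSLv2/v3, TLS 1.0/1.1) is a finding.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Constructed scan results: host -> protocol versions the server agreed to
# negotiate. The hostnames are placeholders, not real systems.
SCAN_RESULTS = {
    "pos-gateway.example.internal": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "web-checkout.example.internal": ["TLSv1.2", "TLSv1.3"],
    "legacy-report.example.internal": ["SSLv3", "TLSv1.0"],
}


def pci_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server context that refuses SSL and early TLS.

    create_default_context() already disables SSLv2/v3; pinning minimum_version
    additionally rules out TLS 1.0 and 1.1 regardless of the OpenSSL build.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:  # the certificate chain is supplied by the deployment
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_meets_pci(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def audit_scan(results):
    """Return (host, weak_versions) for every host that still offers SSL/early TLS."""
    findings = []
    for host, versions in sorted(results.items()):
        weak = [v for v in versions if v not in ACCEPTABLE_VERSIONS]
        if weak:
            findings.append((host, weak))
    return findings


if __name__ == "__main__":
    ctx = pci_server_context()
    print("hardened context minimum:", ctx.minimum_version.name,
          "compliant:", context_meets_pci(ctx))
    for host, weak in audit_scan(SCAN_RESULTS):
        print(f"{host}: still accepts {', '.join(weak)}")
```

The important property is that the weak versions are disabled in the context object itself, not in a cipher string or a comment: a later edit that changes the cipher list cannot silently re-enable TLS 1.0. The audit side is what turns a quarterly ASV scan into a checklist of hosts that still need the change.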
• 30. Multi-Factor Authentication (MFA)
• MFA required for remote network access by users, administrators, and vendors (3.0)
• MFA required for local access to any payment data systems and network segments (3.2)
• 31. Change Management
• A formal process should exist
• No significant change without passing through the change management process.
• 32. Service Providers
• Provide detailed documentation describing how authentication is used to protect payment card data
• Quickly detect and report failures in any security control
• Engage executive management
• Perform at least quarterly reviews to confirm policy compliance.