PCI DSS
MERCHANT LEVELS, VALIDATIONS
AND APPLICABLE SAQs
Webinar Objectives
Briefly understand the PCI DSS compliance requirements.
Learn about the different merchant levels and service provider levels of compliance.
Understand what an SAQ is and which type of SAQ applies to which merchant.
Learn what an AoC and a RoC are and understand their importance in PCI DSS compliance.
Topics Covered in the Webinar
A Quick Introduction to PCI DSS
PCI DSS Validation Requirements
PCI Merchant and Service Provider Levels.
What are SAQs, what is applicable to whom?
What is RoC?
What is AoC?
Gain CPE Points Attending
the Webinar!
•Attend the entire session of the webinar and gain Continued Professional Education points.
•They can be used for various certifications such as CISA, CISSP, CRISC, CISM, PCI QSA, etc.
Free Informative Resources
•Subscribe to our YouTube channel: https://www.youtube.com/c/vistainfosecofficial
•Get access to free informative videos on
•PCI DSS
•HIPAA
•GDPR
•SOC1 & SOC2
•Ethical Hacking
•PCI DSS - Managing your outsourced vendor.
•Log Management and reporting for the PCI environment.
•Best practices in Ecommerce security.
•PCI DSS and the Cloud – Top risks and Mitigations
•Wireless in the PCI environment – Top risks and Mitigations
•PCI DSS in the virtualized environment – Top risks and Mitigations
•Targeted attacks: Spear Phishing and Social Engineering.
•PCI DSS Scoping and Segmentation.
Past Webinars
•Managing Data Leakage in your PCI environment.
•Strategies for migration from early TLS and SSL.
•Using PCI DSS for GDPR Compliance
•Using ISO27001 for PCI DSS
•SOC2 and YOU
•GDPR – Are you ready
•SOC2 – Beyond the myth
•GDPR – Steps to a successful DPIA
Past Webinars
•Block chain – A crash course – What is it, potential uses and pitfalls
•Tackling Security in the Cloud: CASB to the rescue
•HIPAA – Basics and Beyond…
•Using SOC2 for HIPAA Compliance
•Developing a Cyber Security framework using NIST
•SOC for Cyber Security
•Rights of Data Subjects – GDPR and PDPA
Past Webinars
•SOC2 Compliance and the Cloud
•Debunking Top 10 myths of PCI DSS
•Achieving PCI DSS in 90 days
•FDA CFR Part 11 – What’s the hype all about
•Achieving SOC2 Compliance in 90 days – Is it possible?
•Step by step approach to PDPA compliance
•7 steps for Compliance with NIST 800-171 compliance
Past Webinars
•PCI DSS - 5 Simple Techniques to reduce scope
•SOC2 and CCM
•In talks with Nitin Bhatnagar (PCI Council) - Meeting Payment Security
Needs Now and for the Future
•Covid-19 and Business Continuity
•PA DSS and PCI SSF – How they match up and how they map
•PCI PIN, PCI Cryptography & Key Management
Past Webinars
•NESA – How it matters to you
•SOC 2 and GDPR - How to integrate in one audit process
•GDPR & CCPA - Is your organization ready to synchronize
•MAS TRM - Managing the compliance process
•CPRA and CCPA – implications for your business
Four year Anniversary
Four years to the day
As We Go Along
•Do type your queries in the query box and I will answer as many as possible during the webinar. If I cannot due to time constraints, I will surely write to you directly.
•Feel free to share a topic of interest that you would like to learn more about from our team (Information Security, Compliance, Regulatory Standards, Risk Assessment Services and related topics).
Discoveries
It is not the answer that enlightens, but the question.
About Me
Narendra Sahoo
Designation: Founder & Director of VISTA InfoSec
Certifications: PCI QPA, PCI QSA, CISSP, CISA, CRISC, ISO27001 LA
Industry Experience: 25 Years
Mr. Sahoo carries over 25 years of experience in the IT industry, of which the last 15 years have been dedicated to VISTA InfoSec. His professional qualifications include PCI QSA, CISA, CISSP, CRISC and ISO 27001 Lead Assessor. Starting off as an assembly language programmer, with the advent of networking and the Internet in India he moved into networking and IT management, of which InfoSec was a natural progression.
A well-versed professional with proficiency in globally recognized standards such as ISO27001, PCI DSS, ITIL/ISO 20000 and COBIT, and in many international regulations such as HIPAA, CSV, SOX, SSAE16, SOC, etc., Mr. Sahoo has conducted IT consulting and assessments for large banks, software development organizations, research & development companies and BPOs in India and overseas. Well versed in strategy development and with an astute technical background, he has audited, designed and strategized for a wide variety of information security and networking technologies. He has provided consulting services for premier organizations such as Tata Group, Shell Oil, Cipla, numerous payment processing organizations and a host of banks including the Reserve Bank of India, as well as the Indian armed forces. He has recently been awarded the "Crest of Honor" by the Indian Navy for his contributions. He was inducted into the CSI Hall of Fame for his significant contributions to the fraternity.
Sectors: Worked in all verticals ranging from Government/PSU, BFSI, Pharma, Manufacturing, ITES, etc.
Compliance & Governance
•Standard Compliance (ISO27001 / ISO20000)
•Business Continuity Management
•PCI DSS / PCI PIN / PA DSS / PCI SSF Consulting & Certification
•Regulatory Compliance - SOC1/SOC2, GDPR, RBI/NPCI, HIPAA, SOX, NESA, MAS TRM, CCPA, PDPA...
Risk & Security Management
•Cloud Risk Management
•GRC Consulting
•Software License Audit
Technical Advisory & Assessment
•VA / PT
•Web/Mobile AppSec Assessment
•Virtualization Risk Assessment
•Secure Configuration Assessment
•Source Code Review
•SCADA Risk Assessment
•Social Engineering
•Infrastructure Design & Advisory
•Data Center Consulting Services
•Specialised Assessments: WAF, SIEM, IPS, DAM, WIPS, MDM, NAC...
Academia
•InfoSec Training & Development
© VISTA InfoSec ®
Services Portfolio
Certification Services
•PCI DSS
•PCI SSF
•PCI PIN
•SOC 1 / SOC 2 / SOC 3
•HIPAA
•GDPR
•CCM
•RBI Master Directions Audit
•NPCI Audit
•Rupay Perso Audit
•SEBI Audit
Partial Client Listing
Survey Participation Request
We Value Your Feedback
Please complete our brief survey at the end of the webinar and leave your valuable comments.
Your answers will allow us to meet your expectations better.
PCI History
Late 90’s - Visa recognized a need to protect Card Data to prevent theft
June, 2001 – Visa mandated rules to protect Card Data
Later the other card associations followed Visa’s lead with their own programs
The Four Programs Were Called:
Visa: CISP – Cardholder Information Security Program
MasterCard: SDP – Site Data Protection
American Express: DSOP - Data Security Operating Policy
Discover: DISC - Discover Information Security & Compliance
PCI History
Once there were four programs
Confusion ensued
There were now four sets of rules, guidelines,
penalties and fines
SOLUTION
PCI History
The creation of a standards organization named Payment Card Industry
Security Standards Council
Also Known As: PCI
The founding members were the five major card brands:
American Express
MasterCard
Discover
Visa
JCB (Japan Credit Bureau)
Primarily seen in Hawaii, California and other major T & E Markets in
the USA
History in brief
Visa, MasterCard, American Express, Discover and JCB decided to standardize
on a common set of data security requirements for merchants and data
processors – the PCI Data Security Standard (PCI DSS)
PCI Security Standards Council was formed in 2004 as an independent
organization in order to maintain and promote the PCI DSS
Version 1.0 of the PCI DSS was published in January 2005
Version 1.1 published in September 2006
Version 1.2 released October 2008
Latest version… 3.1.2
PCI History
Not The Perfect Solution
The Good News
The security guidelines have been consolidated under a single entity – PCI DSS: Data Security Standard
Your compliance and IT staff will appreciate this
The Bad News
Due to federal restraint of trade laws, the card brands cannot collude on the rules, penalties and fines
So we must still please multiple masters
For the most part, Visa's rules are the most restrictive and are therefore used as the bellwether guideline
The PCI Security Standards
Council Members
PCI SSC Participating Organizations
by Industry
Layout and Jargon
Terminology
[Card image: BANK, 1234 5678 0123 4567, VALID 01/25, CREDIT CARD]
Parties: Cardholder, Merchant, Acquirer, Payment Brand Network, Issuer
Authorization: Merchant requests and receives authorisation
Clearing: Issuer and Acquirer exchange purchase and reconciliation information
Settlement: Issuer pays Acquirer; Merchant receives payment; Cardholder gets charged
More Terminology
Cardholder: Customer purchasing goods either as a "Card Present" or "Card Not Present" transaction; receives the payment card and bills from the issuer.
Issuer: Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa), or a Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB).
Merchant: Organization accepting the payment card for payment during a purchase.
Acquirer: Bank or entity the merchant uses to process their payment card transactions. Receives authorization requests from the merchant and forwards them to the issuer for approval; provides authorization, clearing and settlement services to merchants.
The Acquirer is also called: Merchant Bank; ISO (sometimes); Payment Brand - Amex, Discover, JCB (never Visa or MasterCard).
Authorisation
1. Cardholder presents card
2. Acquirer asks payment brand to determine issuer
3. Payment brand network determines issuer and requests approval
4. Issuer approves purchase
5. Payment brand network sends approval to acquirer
6. Acquirer sends approval to merchant
7. Cardholder completes purchase and receives receipt
Merchant requests and receives authorization from the issuer to allow the purchase to be conducted.
Authorization Code is provided.
Clearing
•Acquirer sends purchase information to the payment brand network
•Payment brand network sends purchase information to issuer
•Issuer prepares data for cardholder statement
•Payment brand network provides complete reconciliation to acquirer
Acquirer and issuer exchange purchase information.
Settlement
1. Issuer determines acquirer via the payment brand network
2. Issuer sends payment to acquirer
3. Acquirer pays merchant for cardholder purchase
4. Issuer bills cardholder
Acquirer pays merchant for cardholder purchase.
Issuer bills cardholder.
Service Providers
A service provider is a business that is not a payment brand and is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. Sometimes a service provider is also a merchant.
This includes companies that provide services (to merchants, service providers or other entities) which control or could impact the security of cardholder data.
PCI DSS Drivers
PCI DSS Compliance Requirements
PCI DSS Merchant Levels
Merchants dealing with card payments through any channel, whether at the point of sale (POS), over the phone, or through e-commerce, are required to comply with the PCI DSS standard.
However, there are four levels of PCI compliance, based on which businesses need to meet the necessary requirements to remain compliant.
Since not all businesses process the same volume of card payments annually, and each carries a different level of risk of data breaches and security incidents, the PCI SSC established four PCI compliance levels that determine the merchant level.
Levels of PCI compliance are classified based on the annual number of credit or debit card transactions a business processes. The classification levels are determined as given below:
PCI DSS Merchant Levels
Merchant Levels and Requirements
Explained
Service providers are third-party vendors who assist merchants with the storage, processing, or transmission of cardholder data. For this reason, they too are required to comply with PCI DSS.
PCI compliance also applies to vendors whose services and controls have a direct or indirect impact on the security of cardholder data.
So, similar to merchants, PCI compliance for service providers is also determined based on their compliance level.
The compliance levels are based on the number of transactions they perform per year. There are only two levels of PCI compliance for service providers.
Compliance Levels and Requirements
for Service Providers
As the name suggests, the PCI Self-Assessment Questionnaire is a self-validation tool that assesses the security of cardholder data.
It documents the merchant's or service provider's security practices concerning cardholder data.
It is a tool meant for small merchants and service providers who are not required to submit a Report on Compliance.
The Self-Assessment Questionnaire includes a series of yes-or-no questions for each applicable PCI DSS requirement.
If the answer is no, the merchant is required to provide a future remediation date and an associated plan of action.
Self Assessment Questionnaire
Every merchant environment has a different SAQ that corresponds to how it accepts payment cards.
There are 9 different SAQs a merchant needs to select from, depending on how they process, handle and store cardholder data.
The questionnaire determines which PCI DSS compliance requirements apply to the merchant and how their current systems align with the security requirements.
Each SAQ type has different goals, and depending on which best applies to the merchant, they can obtain an AoC.
The SAQ document comprises two components:
A set of questions corresponding to the PCI Data Security Standard requirements, designed for service providers and merchants.
An Attestation of Compliance, or certification that you are eligible to perform and have performed the appropriate self-assessment. The Attestation of Compliance document will be provided by the QSA.
PCI Self Assessment
Questionnaire Types
The Report on Compliance is a PCI DSS requirement for all merchants who fall in the Visa and/or MasterCard Level 1 scope.
Level 1 merchants are those who process over 6 million Visa and/or MasterCard transactions a year.
It is a document issued by a PCI Qualified Security Assessor after a PCI DSS assessment, detailing a merchant's security posture and the current security state of the environment in which they operate.
The assessment includes both an onsite audit and a review of controls, after which the findings are documented in the final draft of the RoC.
The form is then submitted to the merchant's acquiring bank for acceptance.
Once the merchant's acquiring bank accepts the RoC, it sends the document to Visa/MasterCard for compliance verification.
Report on Compliance Documents
Similar to the RoC and SAQ, the requirement for an AoC depends on the merchant's compliance level.
The PCI Attestation of Compliance (AoC) is a document that declares the merchant's status of compliance with the PCI DSS standard.
It is documented evidence for merchants and/or service providers to show their clients and other stakeholders their adoption of best practices for securing cardholder data.
The document is a written statement that the merchant has duly completed the applicable SAQ and has been verified by a Qualified Security Assessor.
Attestation of Compliance
Achieving and maintaining PCI compliance is the best way to protect a business against cyber attacks.
To achieve PCI DSS compliance, merchants and service providers must first determine the compliance level they fall into.
The level determines the amount of assessment and security validation required to clear the PCI DSS assessment.
Merchants and service providers at every level must be sure to follow the right PCI requirements for their particular level.
Key Takeaway
Once the compliance level is determined, they can then strategize their actions to validate compliance with the twelve requirements.
While the lower compliance levels may seem simpler, merchants may find it challenging to meet the requirements if they do not have internal IT infrastructure.
Fortunately, cyber security consulting service providers like us at VISTA InfoSec can offer PCI compliance assistance to make the compliance journey easier and more affordable.
Key Takeaway
THANK YOU FOR SHARING YOUR VALUABLE TIME
PLEASE SHARE YOUR VALUABLE FEEDBACK
YOUR OPINION IS IMPORTANT FOR US
 
Which SOC Report Do I need?
Which SOC Report Do I need?Which SOC Report Do I need?
Which SOC Report Do I need?
 
Key additions and amendments introduced under the CPRA
Key additions and amendments introduced under the CPRAKey additions and amendments introduced under the CPRA
Key additions and amendments introduced under the CPRA
 
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
 
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide! SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide!
 
Why is gdpr essential for small businesses with links
Why is gdpr essential for small businesses with linksWhy is gdpr essential for small businesses with links
Why is gdpr essential for small businesses with links
 
Pci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedPci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-converted
 
Soc 2 vs iso 27001 certification withh links converted-converted
Soc 2 vs iso 27001 certification withh links converted-convertedSoc 2 vs iso 27001 certification withh links converted-converted
Soc 2 vs iso 27001 certification withh links converted-converted
 
Pci dss compliance for remote access during covid 19 pandemic article 1 with ...
Pci dss compliance for remote access during covid 19 pandemic article 1 with ...Pci dss compliance for remote access during covid 19 pandemic article 1 with ...
Pci dss compliance for remote access during covid 19 pandemic article 1 with ...
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

PCI DSS Merchant Levels, SAQs, AoC & RoC

  • 1. PCI DSS MERCHANT LEVELS, VALIDATIONS AND APPLICABLE SAQs
  • 2. Webinar Objective Briefly understand the PCI DSS Compliance Requirements. Learn about the different Merchant levels of Compliance & Service Provider levels of Compliance. Understand what an SAQ is and which type of SAQ applies to which Merchant. Learn what an AoC and a RoC are and understand their importance in PCI DSS Compliance.
  • 3. Topics Covered in the Webinar A Quick Introduction to PCI DSS. PCI DSS Validation Requirements. PCI Merchant and Service Provider Levels. What are SAQs, what is applicable to whom? What is RoC? What is AoC?
  • 4. Gain CPE Points Attending the Webinar! •Attend the entire session of the Webinar and gain Continued Professional Education points. •They can be used for various certifications such as CISA, CISSP, CRISC, CISM, PCI QSA, etc.
  • 5. Free Informative Resources •Subscribe to our YouTube channel: https://www.youtube.com/c/vistainfosecofficial •Get access to free informative videos on •PCI DSS •HIPAA •GDPR •SOC1 & SOC2 •Ethical Hacking
  • 6. Past Webinars •PCI DSS - Managing your outsourced vendor. •Log Management and reporting for the PCI environment. •Best practices in Ecommerce security. •PCI DSS and the Cloud – Top risks and Mitigations •Wireless in the PCI environment – Top risks and Mitigations •PCI DSS in the virtualized environment – Top risks and Mitigations •Targeted attacks: Spear Phishing and Social Engineering. •PCI DSS Scoping and Segmentation.
  • 7. Past Webinars •Managing Data Leakage in your PCI environment. •Strategies for migration from early TLS and SSL. •Using PCI DSS for GDPR Compliance •Using ISO27001 for PCI DSS •SOC2 and YOU •GDPR – Are you ready •SOC2 – Beyond the myth •GDPR – Steps to a successful DPIA
  • 8. Past Webinars •Block chain – A crash course – What is it, potential uses and pitfalls •Tackling Security in the Cloud: CASB to the rescue •HIPAA – Basics and Beyond… •Using SOC2 for HIPAA Compliance •Developing a Cyber Security framework using NIST •SOC for Cyber Security •Rights of Data Subjects – GDPR and PDPA
  • 9. Past Webinars •SOC2 Compliance and the Cloud •Debunking Top 10 myths of PCI DSS •Achieving PCI DSS in 90 days •FDA CFR Part 11 – What’s the hype all about •Achieving SOC2 Compliance in 90 days – Is it possible? •Step by step approach to PDPA compliance •7 steps for Compliance with NIST 800-171
  • 10. Past Webinars •PCI DSS - 5 Simple Techniques to reduce scope •SOC2 and CCM •In talks with Nitin Bhatnagar (PCI Council) - Meeting Payment Security Needs Now and for the Future •Covid-19 and Business Continuity •PA DSS and PCI SSF – How they match up and how they map •PCI PIN, PCI Cryptography & Key Management
  • 11. Past Webinars •NESA – How it matters to you •SOC 2 and GDPR - How to integrate in one audit process •GDPR & CCPA - Is your organization ready to synchronize •MAS TRM - Managing the compliance process •CPRA and CCPA – implications for your business. Four Year Anniversary: Four years to the day.
  • 12. As We Go Along •Do type in your queries in the query box and I will answer as many as possible during the webinar. If I cannot due to time constraints, I will write directly to you. •Feel free to share a topic of your interest that you would like to learn more about from our team (Information Security, Compliance, Regulatory Standards, Risk Assessment Services related topics).
  • 13. Découvertes It is not the answer that enlightens, but the question.
  • 14. About Me Narendra Sahoo. Designation: Founder & Director of VISTA InfoSec. Certifications: PCI QPA, PCI QSA, CISSP, CISA, CRISC, ISO27001 LA. Industry Experience: 25 Years. Mr. Sahoo carries over 25 years of experience in the IT industry, of which the last 15 years have been dedicated to VISTA InfoSec. His professional qualifications include PCI QSA, CISA, CISSP, CRISC and ISO 27001 Lead Assessor. Starting off as an assembly language programmer, with the advent of networking and the Internet in India he moved into networking and IT management, of which InfoSec was a natural progression. A well versed professional with proficiency in globally recognized standards such as ISO27001, PCI DSS, ITIL/ISO 20000, COBIT and many international regulations such as HIPAA, CSV, SOX, SSAE16, SOC, etc., Mr. Sahoo has conducted IT consulting and assessments for large Banks, Software development organizations, Research & Development companies and BPOs in India and overseas. Well versed in strategy development and with an astute technical background, he has audited, designed and strategized for a wide variety of Information security and networking technologies. He has provided consulting services for premier organizations such as Tata Group, Shell Oil, Cipla, numerous payment processing organizations, a host of banks including the Reserve Bank of India, and the Indian armed forces. He has recently been awarded the “Crest of Honor” by the Indian Navy for his contributions. He was inducted into the CSI Hall of Fame for his significant contributions to the fraternity. Sectors: Worked in all verticals ranging from Government/PSU, BFSI, Pharma, Manufacturing, ITES, etc.
  • 16. Services Portfolio Service areas: Compliance & Governance; Risk & Security Management; Technical Advisory & Assessment; Academia. Offerings: Standard Compliance (ISO27001/ISO20000); Business Continuity Management; PCI DSS / PCI PIN / PA DSS / PCI SSF Consulting & Certification; Regulatory Compliance (SOC1/SOC2, GDPR, RBI/NPCI, HIPAA, SOX, NESA, MAS TRM, CCPA, PDPA...); Cloud Risk Management; GRC Consulting; Software License Audit; VA / PT; Web/Mobile AppSec Assessment; Virtualization Risk Assessment; Secure Configuration Assessment; Source Code Review; SCADA Risk Assessment; Social Engineering; Infrastructure Design & Advisory; Data Center Consulting Services; Specialised Assessments (WAF, SIEM, IPS, DAM, WIPS, MDM, NAC...); InfoSec Training & Development. © VISTA InfoSec ®
  • 17. Certification Services PCI DSS PCI SSF PCI PIN SOC 1/ SOC 2/ SOC 3 HIPAA GDPR CCM RBI Master Directions Audit NPCI Audit Rupay Perso Audit SEBI Audit
  • 18. Partial Client Listing © VISTA InfoSec ®
  • 19. Survey Participation Request We Value Your Feedback Request you to complete our brief survey at the end of the webinar and leave your valuable comments. Your Answer will allow us to meet your expectations better.
  • 20. PCI History Late 90’s - Visa recognized a need to protect Card Data to prevent theft June, 2001 – Visa mandated rules to protect Card Data Later the other card associations followed Visa’s lead with their own programs The Four Programs Were Called: Visa: CISP – Cardholder Information Security Program MasterCard: SDP – Site Data Protection American Express: DSOP - Data Security Operating Policy Discover: DISC - Discover Information Security & Compliance
  • 21. PCI History Once there were four programs Confusion ensued There were now four sets of rules, guidelines, penalties and fines
  • 23. PCI History The creation of a standards organization named Payment Card Industry Security Standards Council Also Known As: PCI The founding members were the five major card brands: American Express MasterCard Discover Visa JCB (Japan Credit Bureau) Primarily seen in Hawaii, California and other major T & E Markets in the USA
  • 24. History in brief Visa, MasterCard, American Express, Discover and JCB decided to standardize on a common set of data security requirements for merchants and data processors – the PCI Data Security Standard (PCI DSS) PCI Security Standards Council was formed in 2004 as an independent organization in order to maintain and promote the PCI DSS Version 1.0 of the PCI DSS was published in January 2005 Version 1.1 published in September 2006 Version 1.2 released October 2008 Latest version… 3.1.2
  • 25. PCI History Not The Perfect Solution The Good News: The security guidelines have been consolidated under a single entity, the PCI DSS (Data Security Standard). Your Compliance and IT staff will appreciate this. The Bad News: Due to federal restraint of trade laws, the card brands cannot collude on the rules, penalties and fines, so we must still please multiple masters. For the most part, Visa’s rules are the most restrictive and are therefore used as the bellwether guideline.
  • 26. The PCI Security Standards Council Members
  • 27. PCI SSC Participating Organizations by Industry
  • 29. Terminology Parties: Cardholder, Merchant, Acquirer, Payment Brand Network, Issuer. •Authorization: Merchant requests and receives authorisation. •Clearing: Issuer and Acquirer exchange purchase and reconciliation information. •Settlement: Issuer pays Acquirer; Merchant receives payment; Cardholder gets charged.
  • 30. More Terminologies •Cardholder: Customer purchasing goods, either as a “Card Present” or “Card Not Present” transaction; receives the payment card and bills from the issuer. •Issuer: Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa), or a Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB). •Merchant: Organization accepting the payment card for payment during a purchase. •Acquirer: Bank or entity the merchant uses to process their payment card transactions; receives authorization requests from the merchant and forwards them to the issuer for approval; provides authorization, clearing and settlement services to merchants. The Acquirer is also called: Merchant Bank; ISO (sometimes); Payment Brand (Amex, Discover, JCB; never Visa or MasterCard).
  • 31. Authorisation Merchant requests and receives authorization from the issuer to allow the purchase to be conducted; an Authorization Code is provided. 1. Cardholder presents card. 2. Acquirer asks payment brand to determine issuer. 3. Payment brand network determines issuer and requests approval. 4. Issuer approves purchase. 5. Payment brand network sends approval to acquirer. 6. Acquirer sends approval to merchant. 7. Cardholder completes purchase and receives receipt.
  • 32. Clearing Acquirer and issuer exchange purchase information. 1. Acquirer sends purchase information to the payment brand network. 2. Payment brand network sends purchase information to issuer. 3. Issuer prepares data for cardholder statement; payment brand network provides complete reconciliation to acquirer.
  • 33. Settlement 1. Issuer determines acquirer via the payment brand network. 2. Issuer sends payment to acquirer. 3. Acquirer pays merchant for cardholder purchase. 4. Issuer bills cardholder.
  • 34. Service Providers A service provider is a business that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. Sometimes a service provider is also a merchant. Includes companies that provide services (to merchants, service providers or other entities) which control or could impact the security of cardholder data.
  • 36. PCI DSS Compliance Requirements
  • 37. PCI DSS Merchant Levels Merchants dealing with card payments through any channel, whether at the point of sale (POS), over the phone, or through e-commerce, are required to comply with the PCI DSS Standard. However, there are four levels of PCI compliance, and businesses need to meet the requirements of their level to remain compliant. Since not all businesses process the same number of card payments annually, and each carries a different level of risk of data breaches and security incidents, the PCI SSC established four PCI compliance levels that determine the merchant level.
  • 38. PCI DSS Merchant Levels Levels of PCI Compliance are classified based on the annual number of credit or debit card transactions a business processes. The classification levels are determined as given below:
  • 39. Merchant Levels and Requirements Explained
  • 40. Compliance Levels and Requirements for Service Providers Service providers are third-party vendors who assist merchants with the storage, processing, or transmission of cardholder data. As such, they too are required to comply with PCI DSS. PCI compliance is also applicable to those vendors who provide services whose controls have an impact on the security of cardholder data, directly or indirectly. So, similar to merchants, PCI compliance for service providers is also determined based on their compliance level. The compliance levels are based on the number of transactions they perform per year. There are only two levels of PCI compliance for service providers.
  • 41. Compliance Levels and Requirements for Service Providers
  • 42. Self Assessment Questionnaire As the name suggests, the PCI Self-Assessment Questionnaire is a self-validation tool that assesses the security of cardholder data. It documents the merchant’s or service provider’s security practices concerning cardholder data. It is a tool meant for small merchants and service providers who are not required to submit a Report on Compliance. The Self-Assessment Questionnaire includes a series of yes-or-no questions for each applicable PCI DSS requirement. If the answer is no, the merchant is required to provide a future remediation date and an associated plan of action.
  • 43. Self Assessment Questionnaire Every merchant environment has a different SAQ that describes how it accepts payment cards. There are 9 different SAQs a merchant needs to select from, depending on how they process, handle and store cardholder data. The questionnaire determines which PCI DSS compliance requirements apply to the merchant and how their current systems align with the security requirements. Each of the SAQ types has different goals, and depending on which best applies to the merchant, they can obtain an AoC.
  • 44. Self Assessment Questionnaire The SAQ document comprises two components: a set of questions corresponding to the PCI Data Security Standard requirements designed for Service Providers and Merchants, and an Attestation of Compliance, a certification that you are eligible to perform and have performed the appropriate Self-Assessment. The Attestation of Compliance document will be provided by the QSA.
  • 48. Report on Compliance Documents The Report on Compliance is a PCI DSS requirement for all merchants who fall in the Visa and/or MasterCard level 1 scope. Level 1 Merchants are those who process over 6 million Visa and/or MasterCard transactions a year. It is a document issued by the PCI Qualified Security Assessor after a PCI DSS Assessment, detailing a Merchant's security posture and the current security state of the environment in which they operate. The Assessment includes both an onsite audit and a review of controls, after which the findings are documented in the final draft of the RoC. The form is then submitted to the Merchant's Acquiring Bank for acceptance. Once the Merchant's Acquiring Bank accepts the RoC, it sends the document to Visa/MasterCard for Compliance verification.
  • 49. Attestation of Compliance Similar to the RoC and SAQ, the requirement for an AoC depends on the merchant's compliance level. The PCI Attestation of Compliance (AoC) is a document that declares the merchant's status of Compliance with the PCI DSS Standard. It is documented evidence for Merchants and/or Service Providers to show their clients and other stakeholders their adoption of best practices for securing cardholder data. The document is a written statement that the Merchant has duly completed the applicable SAQ and has been verified by a Qualified Security Assessor.
  • 50. Key Takeaway Achieving and maintaining PCI Compliance is the best way to protect a business against cyber attacks. To achieve PCI DSS Compliance, Merchants and Service Providers must first determine the Compliance level they fall into. The level determines the amount of assessment and security validation required to clear the PCI DSS Assessment. Merchants/Service Providers at every level must be sure to follow the right PCI requirements for their particular level.
  • 51. Key Takeaway Once the Compliance level is determined, they can then strategize their actions to validate compliance with the twelve requirements. While the lower levels of Compliance requirements may seem simpler, Merchants may find it challenging to meet the requirements if they do not have an internal IT infrastructure. Fortunately, Cyber Security Consulting Service providers like us at VISTA InfoSec can offer PCI Compliance Assistance to make the compliance journey easier and more affordable.
  • 52. THANK YOU FOR SHARING YOUR VALUABLE TIME
  • 53. PLEASE SHARE YOUR VALUABLE FEEDBACK YOUR OPINION IS IMPORTANT FOR US