What is the Payment Card Industry Data Security Standard - PowerPoint PPT Presentation

Slides: 13
Provided by: aew1
Transcript and Presenter's Notes



Slide 1
(No Transcript)

Slide 2
  • What is the Payment Card Industry Data Security
    Standard?
  • What are the Different Levels of Merchants?
  • Who is the PCI Security Council?
  • 12 Requirements for PCI Compliance
  • Who is Affected at your Institution?
  • Security Breach Data
  • PCI DSS Risk of Non-Compliance
  • Items to Consider
  • Next Steps

Slide 3
  • Payment Card Industry Data Security Standards
    (www.pcisecuritystandards.org)
  • Common Set of Technical Requirements and Testing
    Methodologies
  • Purpose is to Ensure the Safe Handling of
    Sensitive Payment Card Information
  • Initially Created to Align the Separate Security
    Programs of MasterCard (SDP) and Visa (CISP)
  • Was Later Adopted By Other Major Credit Card
    Programs (American Express, JCB, Discover)
  • The Standard is not Optional and Non-Compliance
    Could Bring Significant Financial Cost

Slide 4
  • Levels are Defined by the Credit Card Companies
    (Visa/MasterCard), and Established by your
    Merchant Bank
  • Level 4 (Under 20,000 e-Commerce Transactions)
      • Network Scan Recommended Quarterly
      • Self-Assessment Questionnaire Recommended
        Annually
  • Level 3 (20,000 - 1,000,000 e-Commerce
    Transactions)
      • Quarterly Network Scan and Annual
        Self-Assessment Questionnaire Required
  • Level 2 (1,000,000 - 6,000,000 Transactions)
      • Quarterly Network Scan and Annual
        Self-Assessment Questionnaire Required
  • Level 1 (Over 6,000,000 Transactions, Suffered a
    Breach, or Deemed High Risk)
      • Network Scan Required Quarterly
      • On-Site PCI Security Audit Required Annually

Slide 5
  • PCI Security Standards Council Governs the
    Standards for the Payment Card Industry
  • Founding Members
      • American Express
      • Discover Financial Services
      • MasterCard Worldwide
      • Visa International
      • JCB (Japan Credit Bureau)

Slide 6
  • Build and Maintain a Secure Network
      • 1. Install and Maintain a Firewall Configuration
        to Protect Cardholder Data (25)
      • 2. Do Not Use Vendor-Supplied Defaults for System
        Passwords and Other Security Parameters (13)
  • Protect Cardholder Data
      • 3. Protect Stored Cardholder Data (28)
      • 4. Encrypt Transmission of Cardholder Data Across
        Open, Public Networks (6)
  • Maintain a Vulnerability Management Program
      • 5. Use and Regularly Update Anti-Virus Software (3)
      • 6. Develop and Maintain Secure Systems and
        Applications (30)
  • Implement Strong Access Control Measures
      • 7. Restrict Access to Cardholder Data by Business
        Need-To-Know (2)
      • 8. Assign a Unique ID to Each Person with Computer
        Access (25)
      • 9. Restrict Physical Access to Cardholder Data (23)
  • Regularly Monitor and Test Networks
      • 10. Track and Monitor All Access to Network
        Resources and Cardholder Data (28)
      • 11. Regularly Test Security Systems and Processes
        (11)
  • Maintain an Information Security Policy
      • 12. Maintain a Policy That Addresses Information
        Security (39)

Slide 7
  • Everyone Who Takes Credit Cards on Behalf of the
    Institution. Examples Include:
      • Campus Card
      • Supply/Book Store
      • Athletics
      • Student Receivables
      • Alumni/Advancement
      • Undergraduate/Graduate Admissions
      • Publications: Year Book/Other Campus Documents
      • Performing Arts/Music
      • Continuing Education

Slide 8
January 2000 to March 23, 2009
  • 1,781 Publicly Reported Computer Security
    Breaches in the United States (44 States plus
    DC, Puerto Rico and the Virgin Islands; States
    with No or Limited Laws: AL, MS, KY, MO, NM, SD)
      • 24.1% (19.3%) Educational Institutions (Most
        Were Hacks)
      • 43.6% Businesses
      • 20.7% Government Agencies (State, Local and
        Federal)
      • 11.6% Medical Institutions
  • Educational Institutions are Disproportionately
    Vulnerable to Security Breaches
  • According to http://datalossdb.org/

Slide 9
  • Median Higher Ed Breach is 5,000 - 50,000
    Accounts [1]
  • Expected Cost $182 per Account Compromised [1]
      • Cost of Notifying Affected Cardholders
      • Cost of Paying for Credit Monitoring
      • Cost of Paying for Unauthorized Charges
  • A Small Breach Can Cost $1 Million [1]
      • Including the Cost of an Annual On-Site Audit
      • Cost Related to a Possible Increase in Credit
        Card Rates
      • Implementing Hardware/Software/Resource Upgrades
  • Possible Fines by the Card Association: In 2006,
    Visa Alone Issued Merchant Fines Totaling $4.4
    Million
  • Visa and TJX Reached an Agreement in November 2007
    on a $40.9M Settlement
  • Additional Indirect Costs: Unfavorable Publicity,
    Significant Brand Damage to the Institution

[1] According to Walter Conway Associates, LLC,
Security Breach Data, 2000 - July 2007
Slide 10
  • Understand your card processing environment
      • How do you gather and manage the data?
      • How do you manage the PCI DSS team?
      • Do you have a good partner in Finance?
  • Understand the flow of credit card traffic
    through your network
  • Each Merchant must complete one of 4
    questionnaires based on how they handle credit
    card data
  • Using a 3rd-party, PCI-compliant vendor doesn't
    make you PCI compliant
  • News events: Heartland, TJX

Slide 11
  • If you haven't started, get started now. It's a
    long road.
  • Partner with Finance to gather data by Merchant
    ID
  • Include interviews with the merchants' vendors
  • Interview each Merchant ID owner at least twice
  • Maintain a common set of data on a single large
    spreadsheet
  • Don't forget about the paper copies of credit
    card data
  • Unless you're a Level 4, hire an Approved
    Scanning Vendor (ASV): www.pcisecuritystandards.org
  • If you need external assistance, hire a Qualified
    Security Assessor (QSA): www.pcisecuritystandards.org
  • Work closely with your Merchant Bank

Slide 12
COMMENTS/QUESTIONS?
  • J. Ashley Ewing, CISSP, CISA
  • Director of Information Security and
    Compliance/ISO
  • University of Alabama
  • aewing_at_ua.edu
