PCI DSS Protecting your business - PowerPoint PPT Presentation

1
PCI DSS - Protecting your business
  • Lara Fiorani, Visa Europe
  • Basel
  • 25 April, 2006

2
Agenda
  • Account Information Security Programme and the
    Payment Card Industry (PCI) Data Security
    Standards
  • PCI DSS - Protecting your business
  • Plans for 2006

3
Account Information Security Programme
  • The Payment Card Industry Data Security Standards
    (PCI DSS) were developed jointly by Visa and
    MasterCard and are endorsed by Amex, JCB,
    Discovery, Diners
  • Work is under way to promote the establishment of
    PCICo, an independent industry body that will act
    as custodian of the PCI DSS
  • Visa promotes the implementation of the PCI DSS
    through its Account Information Security
    Programme (AIS)
  • AIS is part of a wider Visa strategy to make the
    card industry more secure

4
Account Information Security (AIS) alongside
other Visa security products
  • POS environment: Chip & PIN
  • Online e-commerce: Verified by Visa
  • Back office, systems: AIS
5
Why do we need PCI DSS?
  • "40M credit cards hacked"
  • "Breach at third party payment processor affects
    22 million Visa cards and 14 million
    MasterCards." June 20, 2005, 5:04 PM EDT, Jeanne
    Sahadi, CNN/Money senior writer
6
Why do we need PCI DSS?
  • From The Times, Saturday April 15 2006
  • The Times contacted 14 customers whose details
    had been passed to it by a US company that
    monitors chat rooms. They were astonished
    when a reporter read out their credit card
    numbers.
  • The names had been taken from unidentified
    British servers. By ringing the individuals on
    each list and checking which purchases they had
    made on the day the details were stolen, The
    Times was led to two reputable companies: one a
    supplier of travel goods based in Amesbury,
    Wiltshire, with a database of more than 20,000
    customers, the other a computer sales company in
    Sheffield. Neither company was aware that its
    systems had been targeted.
  • Jonathan Richards, Revealed how credit cards
    are plundered on the net, The Times, Saturday
    April 15 2006

7
External pressure on Visa to protect personal
financial information
[Survey chart: "Key role beyond facilitator of
payments?", top mentions; the values are not
reproduced in the transcript]
  • Q28: Aside from Visa being a facilitator of
    purchases or a processor of transactions, when
    you think of Visa and the role you expect it to
    play in society, which one of the following best
    describes your expectations of what Visa should
    be: educator on financial issues, protector of
    personal financial information, contributor to
    economic growth, or something else? If you have
    a different expectation for Visa, please let me
    know.
  • Base: Total Respondents, n=2044
8
In addition, Data Security is a major concern for
customers worldwide
[Survey chart: Top 3 Box (rated 8-10); the values
are not reproduced in the transcript]
  • Base: All respondents, except () not asked in
    China
9
Recent Visa Europe experience
  • Remarkable increase in compromises in Europe,
    regardless of acceptance channels
  • Full Track 2 data being targeted
  • Processors and IPSPs remotely targeted
  • Increase in compromises at non e-commerce
    Merchants
  • E-commerce still a target
  • Fraud migrating to card not present sector
    because of increased security in face to face
    (EMV chip)

10
Benefits of compliance with PCI DSS
  • Ensures protection of the brands and reputation
    of all parties:
      • Visa
      • Acquiring banks
      • Merchants
      • Service providers
  • Helps gain and maintain consumer confidence
    in payment systems
  • Secures customers:
      • Makes them come back

11
Compliance with PCI DSS - Systems Benefits
  • Helps you identify and address weaknesses in your
    security
  • Makes you more aware of how your business works
  • Provides you with greater awareness of security
    measures and preventative options available

12
Compliance with PCI DSS - Financial Benefits
  • Protects you from card schemes' post-compromise
    penalties
  • Avoids the cost of fraud
  • Avoids the cost of reacting to cybercrime:
      • police involvement
      • law suits
      • suspension from trading
      • consultancy fees
13
Compliance with PCI DSS - Reputational Benefits
  • No compromises, no unwanted media attention
  • Brand damage alone may put a company out of
    business!
14
If an organisation is certified compliant with
PCI DSS...
  • A compromise is less likely to happen.
  • If it happens, it may be:
      • smaller
      • reduced fraud cost
      • easier and cheaper to contain
  • Less investment needed to bring the organisation
    into compliance
  • Faster to bring the organisation into compliance
  • If the forensics investigation confirms that the
    organisation was still PCI compliant at the time
    of compromise:
      • Visa will not levy compromise fees

15
Sensitive Information
  • Card number
  • Expiry date
  • Full Track 2 (for face to face transactions)
  • CVV2 (for Card not Present transactions)
  • Track 2 and CVV2 should never be stored after
    authorisation
  • NOT storing any of the above removes the need for
    PCI DSS validation
  • If the information is stored, it has to be stored
    securely (encrypted)
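As an added example (not part of the presentation or of Visa's own tooling), a Python check in the spirit of this slide: it scans constructed post-authorisation records for full Track 2 data and CVV2, which must not be kept at all, and for plaintext PANs, which may be kept only encrypted. The record format, field names and test card numbers are assumptions; findings are reported with the PAN masked.

```python
import re

# Constructed sample of records held after authorisation, as a merchant
# back-office log might keep them. Test card numbers, not real ones.
SAMPLE_RECORDS = [
    'txn=1001 auth=OK pan_token=tok_8f3a exp=**** amount=49.90',
    'txn=1002 auth=OK track2=;4111111111111111=27121011234?',
    'txn=1003 auth=OK pan=5555555555554444 cvv2=123 exp=1227',
    'txn=1004 auth=OK pan=1234567890123456 note=luhn-fails',
]

# Track 2: start sentinel ';', PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r';(\d{13,19})=(\d{4})(\d{3})\d*\?')
CVV2_RE = re.compile(r'(?i)\bcv[vc]2?\s*[:=]\s*"?(\d{3,4})\b')
PAN_RE = re.compile(r'(?<!\d)(\d{13,19})(?!\d)')

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops random digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show only the first six and last four digits in any report."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]

def scan_record(record: str) -> list:
    """Return (finding, masked value) pairs for one stored record."""
    findings = []
    m = TRACK2_RE.search(record)
    if m:  # full Track 2 must never be kept after authorisation
        findings.append(('track2', mask(m.group(1))))
    if CVV2_RE.search(record):  # CVV2 must never be kept after authorisation
        findings.append(('cvv2', '***'))
    rest = TRACK2_RE.sub(' ', record)  # avoid double-counting the Track 2 PAN
    for pan in PAN_RE.findall(rest):
        if luhn_ok(pan):  # a PAN may be stored, but only encrypted
            findings.append(('plaintext_pan', mask(pan)))
    return findings

def scan_records(records) -> dict:
    """Map each record's first token (e.g. txn=1002) to its findings."""
    return {r.split()[0]: f for r in records if (f := scan_record(r))}
```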

16
Compliance Validation Requirements - Merchants
  • Level 1 - Merchants with more than 6,000,000
    transactions a year, all acceptance channels
      • Mandated annual onsite audit and quarterly
        network scan
      • The audit can be done by a qualified auditor
        or by the Merchant's internal audit team, but
        has to assess compliance with the PCI
        Standards
  • Level 2/3 - E-commerce Merchants with 20,000 to
    6,000,000 transactions a year
      • Mandated annual PCI Self-assessment
        questionnaire and quarterly network scan
  • Level 4 - all other Merchants
      • Recommended annual PCI Self-assessment
        questionnaire and annual network scan

17
Merchants' next steps for 2006
  • ALL Merchants should be compliant with PCI DSS
    already:
      • regardless of Merchant size
      • data security should be ongoing work
      • the difference is only in the type of
        validation required
  • Validation may be recommended for some
    categories, but compliance is mandated to be part
    of the Visa system
  • All Merchants should make provisions to ensure
    that any third party they contract with is
    compliant

18
Visa recent and next steps
  • Finished re-accreditation of Qualified Security
    Assessors
  • Producing more awareness-raising and support
    materials
  • AIS as contractual requirement for all new
    merchant agreements
  • New set of penalties for Acquirers with
    non-compliant Merchants
  • If a Merchant commits to starting the work, they
    will be allowed reasonable time to work towards
    compliance
  • Lowering the Level 1 threshold to include more
    non e-commerce Merchants

19
Conclusion
  • We are flexible and want to help you get started
  • PCI DSS adds value to your brand and consumers
  • PCI DSS protects your revenues
  • Based on ISO/BSS, tailoring these standards to
    the cards industry
20
Where to find information on PCI DSS
  • Visa OnLine
  • https://www.eu.visaonline.com/eu_ais/
  • Visa Europe website
  • www.visaeurope.com/acceptingvisa/datasecurity.html
  • Email: datasecuritystandards@visa.com
  • AIS Programme Manager: Lara Fiorani
  • Tel: +44 207 795 5668
  • Email: datasecuritystandards@visa.com

21
Thank you