Title: PCI DSS - Protecting your business
Slide 1: PCI DSS - Protecting your business
- Lara Fiorani, Visa Europe
- Basel
- 25 April 2006
Slide 2: Agenda
- Account Information Security Programme and the Payment Card Industry (PCI) Data Security Standards
- PCI DSS - Protecting your business
- Plans for 2006
Slide 3: Account Information Security Programme
- The Payment Card Industry Data Security Standards (PCI DSS) were developed jointly by Visa and MasterCard and are endorsed by Amex, JCB, Discover and Diners
- Work is under way to promote the establishment of PCICo, an independent industry body that will act as custodian of the PCI DSS
- Visa promotes the implementation of the PCI DSS through its Account Information Security Programme (AIS)
- AIS is part of a wider Visa strategy to make the card industry more secure
Slide 4: Account Information Security (AIS) alongside other Visa security products
- POS environment: Chip & PIN
- Online e-commerce: Verified by Visa
- Back office, systems: AIS
Slide 5: Why do we need PCI DSS?
- "40M credit cards hacked. Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards."
- June 20, 2005, 5:04 PM EDT, Jeanne Sahadi, CNN/Money senior writer
Slide 6: Why do we need PCI DSS?
- From The Times, Saturday April 15 2006:
- "The Times contacted 14 customers whose details had been passed to it by a US company that monitors chat rooms. They were astonished when a reporter read out their credit card numbers."
- "The names had been taken from unidentified British servers. By ringing the individuals on each list and checking which purchases they had made on the day the details were stolen, The Times was led to two reputable companies: one a supplier of travel goods based in Amesbury, Wiltshire, with a database of more than 20,000 customers, the other a computer sales company in Sheffield. Neither company was aware that its systems had been targeted."
- Jonathan Richards, "Revealed: how credit cards are plundered on the net", The Times, Saturday April 15 2006
Slide 7: External pressure on Visa to protect personal financial information
Chart: key role of Visa beyond facilitator of payments? (top mentions). Survey question Q28: "Aside from Visa being a facilitator of purchases or a processor of transactions, when you think of Visa and the role you expect it to play in society, which one of the following best describes your expectations of what Visa should be: educator on financial issues, protector of personal financial information, contributor to economic growth, or something else? If you have a different expectation for Visa, please let me know." Base: total respondents, n=2044.
Slide 8: In addition, data security is a major concern for customers worldwide
Chart: top 3 box (rated 8-10). Base: all respondents, except where marked as not asked in China.
Slide 9: Recent Visa Europe experience
- Remarkable increase in compromises in Europe, regardless of acceptance channels
- Full Track 2 data being targeted
- Processors and IPSPs remotely targeted
- Increase in compromises at non e-commerce Merchants
- E-commerce still a target
- Fraud migrating to the card-not-present sector because of increased security in face-to-face transactions (EMV chip)
Slide 10: Benefits of compliance with PCI DSS
- Ensures protection of the brands and reputation of all parties:
  - Visa
  - Acquiring banks
  - Merchants
  - Service providers
- Helps gain and maintain consumer confidence in payment systems:
  - Secures customers
  - Makes them come back
Slide 11: Compliance with PCI DSS - Systems benefits
- Helps you identify and address weaknesses in your security
- Makes you more aware of how your business works
- Provides you with greater awareness of the security measures and preventative options available
Slide 12: Compliance with PCI DSS - Financial benefits
- Protects you from the card schemes' post-compromise penalties
- Avoids the cost of fraud
- Avoids the cost of reacting to cybercrime:
  - police involvement
  - law suits
  - suspension from trading
  - consultancy fees
Slide 13: Compliance with PCI DSS - Reputational benefits
- No compromises, no unwanted media attention
- Brand damage alone may put a company out of business!
Slide 14: If an organisation is certified compliant with PCI DSS...
- A compromise is less likely to happen.
- If it happens, it may be:
  - Smaller
    - reduced fraud cost
    - easier and cheaper to contain
  - Less investment needed to bring the organisation into compliance
  - Faster to bring the organisation into compliance
- If the forensics investigation confirms that the organisation was still PCI compliant at the time of compromise, Visa will not levy compromise fees
Slide 15: Sensitive information
- Card number
- Expiry date
- Full Track 2 (for face-to-face transactions)
- CVV2 (for card-not-present transactions)
- Track 2 and CVV2 should never be stored after authorisation
- NOT storing any of the above removes the need for PCI DSS validation
- If the information is stored, it has to be stored securely (encrypted)
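As an added example that is not part of the Visa deck, the following Python shows what the storage rule on this slide means in practice: a post-authorisation record builder that drops Track 2 and CVV2 and masks the PAN, and a scanner that flags full Track 2 data or Luhn-valid PANs left behind in stored text. The Track 2 layout follows ISO/IEC 7813; the test PAN and the log lines are constructed sample data, and encryption of a retained full PAN is out of scope here.

```python
import re

# Track 2 layout (ISO/IEC 7813): ";" PAN "=" YYMM service-code discretionary "?"
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
# Any 13-19 digit run that could be a bare PAN; the Luhn check filters noise
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample of what an application log must NOT contain post-auth
SAMPLE_LOG = """\
2006-04-25 10:01:02 auth ok pan=4111111111111111 cvv2=123 amount=49.99
2006-04-25 10:01:03 raw swipe ;4111111111111111=0906101123456789?
2006-04-25 10:01:04 order 20060425001 masked=411111******1111 ok
"""

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by card numbers."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; the middle is not recoverable."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def parse_track2(track2: str) -> dict:
    """Split a Track 2 string into its fields; ValueError if malformed."""
    m = TRACK2_RE.fullmatch(track2)
    if m is None:
        raise ValueError("not a Track 2 string")
    pan, expiry, service_code, discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code,
            "discretionary": discretionary}

def retain_after_auth(auth: dict) -> dict:
    """Only the fields allowed to persist post-authorisation: no Track 2, no CVV2.
    The PAN is kept masked; a system needing the full PAN would store it
    encrypted instead (not shown here)."""
    fields = parse_track2(auth["track2"]) if "track2" in auth else auth
    return {"pan_masked": mask_pan(fields["pan"]), "expiry": fields["expiry"],
            "auth_code": auth["auth_code"]}

def find_prohibited_data(text: str) -> list:
    """Scan stored text (logs, dumps) for full Track 2 and Luhn-valid PANs."""
    findings = [("track2", mask_pan(m.group(1))) for m in TRACK2_RE.finditer(text)]
    remainder = TRACK2_RE.sub("", text)  # do not count the PAN inside Track 2 twice
    findings += [("pan", mask_pan(m.group(1)))
                 for m in PAN_RE.finditer(remainder) if luhn_ok(m.group(1))]
    return findings
```

CVV2 has no recognisable structure, so it cannot be found by scanning; it must be dropped at source, as retain_after_auth does.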
Slide 16: Compliance validation requirements - Merchants
- Level 1 - Merchants with more than 6,000,000 transactions a year, all acceptance channels
  - Mandated: annual onsite audit and quarterly network scan
  - The audit can be done by a qualified auditor or by the Merchant's internal audit team, but has to assess compliance with the PCI Standards
- Level 2 & 3 - E-commerce Merchants with between 20,000 and 6,000,000 transactions a year
  - Mandated: annual PCI self-assessment questionnaire and quarterly network scan
- Level 4 - All other Merchants
  - Recommended: annual PCI self-assessment questionnaire and annual network scan
Slide 17: Merchants' next steps for 2006
- ALL Merchants should be compliant with PCI DSS already
  - Regardless of Merchant size
  - Data security should be ongoing work
  - The difference is only in the type of validation required
  - Validation may be recommended for some categories, but compliance is mandated to be part of the Visa system
- All Merchants should make provisions to ensure that any third party they contract with is compliant
Slide 18: Visa recent and next steps
- Finished re-accreditation of Qualified Security Assessors
- Producing more awareness-raising and support materials
- AIS as a contractual requirement for all new merchant agreements
- New set of penalties for Acquirers with non-compliant Merchants
  - If a Merchant commits to starting the work, they will be allowed reasonable time to work towards compliance
- Lowering the Level 1 threshold to include more non e-commerce Merchants
Slide 19: Conclusion
- We are flexible and want to help you get started
- PCI DSS adds value to your brand and consumers
- PCI DSS protects your revenues
- Based on ISO/BSS, tailoring these standards to the cards industry
Slide 20: Where to find information on PCI DSS
- Visa OnLine
  - https://www.eu.visaonline.com/eu_ais/
- Visa Europe website
  - www.visaeurope.com/acceptingvisa/datasecurity.html
- Email: datasecuritystandards@visa.com
- AIS Programme Manager: Lara Fiorani
  - Tel: +44 207 795 5668
  - Email: datasecuritystandards@visa.com
Slide 21: Thank you