Payment Card Industry Data Security Standards - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

Payment Card Industry Data Security Standards

Description:

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board * * * * * * * * * * * * * Agenda Overview of the Payment Card ... – PowerPoint PPT presentation

Number of Views:286
Avg rating:3.0/5.0
Slides: 23
Provided by: TomD81
Category:

less

Transcript and Presenter's Notes

Title: Payment Card Industry Data Security Standards


1
Surviving the PCI Self -Assessment
James Placer, CISSP West Michigan Cisco Users
Group Leadership Board
2
Agenda
  • Overview of the Payment Card Industry Data
    Security Standard (PCI DSS)
  • PCI DSS requirements
  • Merchant levels
  • Requirements of Self-Assessment
  • The ASV conflict.
  • Questions

3
Protecting card data
  • Why its important
  • causes hardship for our customers
  • loss of customer confidence
  • required by PCI DSS
  • state laws on disposal and notice
  • State breach law notification requirements

4
Overview of PCI DSS
The basis is - cloned cards must never again be
capable of being created from stored data,
through compromise or eavesdrop One can store
elements of the Track II i.e. a card number,
expiry date, when required for particular cards.
( front of card information ONLY) In no
circumstances should the CVV or the PIN
verification value data elements be store
5
Overview of PCI DSS
  • Applies to
  • all merchants that store, process, or transmit
    cardholder data ( if you accept one credit card
    payment a year you must be compliant)
  • all payment (acceptance) channels, including
    brick-and-mortar, mail, telephone, e-commerce
    (Internet)
  • Includes 12 requirements, based on
  • administrative controls (policies, procedures,
    etc.)
  • physical security (locks, physical barriers,
    etc.)
  • technical security (passwords, encryption, etc.)

6
Shared Network Resources
  • A network that is shared by other services cannot
    be considered secure.
  • whatever we think of our wider network, we cannot
    fully trust it

7
Merchant levels
  • Merchant levels are based on yearly transaction
    volume of merchant
  • Specific criteria for placement in merchant
    levels varies across card companies
  • All merchants, regardless of level, must adhere
    to PCI DSS requirements
  • Level into which merchant is placed determines
    PCI DSS compliance validation (and ultimately
    cost)
  • Lets take a quick look at Visas levels

8
Merchant levels - Visa
  • Level 2
  • merchants, regardless of acceptance channel,
    processing 1,000,000 to 6,000,000 Visa
    transactions
  • Level 3
  • any merchant processing 20,000 to 1,000,000 Visa
    e-commerce (Internet) transactions

9
Merchant levels - Visa
  • Level 4
  • any merchant processing fewer than 20,000 Visa
    e-commerce (Internet) transactions
  • all other merchants, regardless of acceptance
    channel, processing up to 1,000,000 Visa
    transactions

10
PCI DSS compliance validation
  • Level 2 and 3 merchants
  • self-assessment questionnaire
  • quarterly network security scan by approved scan
    vendor (ASV)

11
PCI DSS compliance validation
  • Level 4 merchants
  • self-assessment questionnaire
  • if required by acquirer
  • quarterly network security scan by approved scan
    vendor
  • if required by acquirer

12
PCI DSS compliance validation
  • 5 levels of self assessment
  • 4 self assessment questionnaires

13
Self Assessment Questionnaire
  • Type 1
  • Card-not-present (e-commerce or
    mail/telephone-order) merchants, all cardholder
    data functions outsourced. This would never apply
    to face-to-face merchants. Use questionnaire A
  • Type 2
  • Imprint-only merchants with no electronic
    cardholder data storage. Use Questionnaire B

14
Self Assessment Questionnaire
  • Type 3
  • Stand-alone terminal merchants, no electronic
    cardholder data storage Use questionnaire B
  • Type 4
  • Merchants with POS systems connected to the
    Internet, no electronic cardholder data storage .
    Use Questionnaire C

15
Self Assessment Questionnaire
  • Type 5
  • All other merchants (not included in Types 1-4
    above) and all service providers defined by a
    payment brand as eligible to complete an SAQ.
  • May be required to perform full Self-Assessment
    form as opposed to short forms A through C)

16
Authorized Scanning Vendors
  • External ASV scan may be required for self
    assessment.
  • Not all ASV's are created equal
  • ASV's must be approved by PCI and on the PCI
    authorized scanning vendor list
  • DO NOT automatically use the recommended ASV of
    your card processor!!!

17
PCI DSS requirements
First step is to document the FULL path of
credit card data through your company. This is
electronic as well and procedural If you do not
know the path you cannot self- assess!!!!! Card
Environment MUST be isolated...
18
PCI DSS requirements Best Practice to be applied!
  • Each requirement has many sub-requirements!
  • Install and maintain a firewall configuration to
    protect data
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters
  • Protect stored data

19
PCI DSS requirements
  1. Encrypt transmission of cardholder data and
    sensitive information across public networks
  2. Use and regularly update anti-virus software
  3. Develop and maintain secure systems and
    applications
  4. Restrict access to data by business need-to-know

20
PCI DSS requirements
  1. Assign a unique ID to each person with computer
    access
  2. Restrict physical access to cardholder data
  3. Track and monitor all access to network resources
    and cardholder data
  4. Regularly test security systems and processes
  5. Maintain a policy that addresses information
    security

21
Resources
  • PCI DSS self assessment guidelines
  • https//www.pcisecuritystandards.org/saq/instructi
    ons.shtml
  • The PCI DSS guidance document
  • https//www.pcisecuritystandards.org/security_stan
    dards/pci_dss.shtml

22
Questions???
Write a Comment
User Comments (0)
About PowerShow.com