Donald Raleigh
The Mission Critical Aspects of
PCI Compliance
Copyright 2009 Evolve Systems®
Agenda
• Compliance Overview
• Cyber Threats
• Payment Card Overview
• PCI Compliance
• Controls Framework
• Questions
PCI = Payment Card Industry
DSS = Data Security Standard
Compliance Trends: The Regulatory Environment Represents a New Enterprise Challenge
(Timeline: 1970-1980, 1980-1990, 1990-2000, 2000-present)
• Privacy Act of 1974
• Foreign Corrupt Practices Act of 1977
• Computer Security Act of 1987
• EU Data Protection
• HIPAA
• FDA 21 CFR Part 11
• C-6 (Canada)
• GLBA
• COPPA
• USA PATRIOT Act 2001
• EC Data Privacy Directive
• CLERP 9
• CAN-SPAM Act
• FISMA
• Sarbanes-Oxley (SOX)
• CIPA 2002
• Basel II
• NERC CIP-002 through CIP-009
• CISP (Visa)
• Payment Card Industry (PCI)
• California SB 1386 (individual privacy)
• Other state privacy laws (38)
State Privacy Laws
• Businesses must establish basic information security programs
• Businesses must proactively manage their confidential consumer information
• Businesses must take steps to know when their defenses have been breached
• In the event of an actual or suspected security breach, businesses have a legal obligation to notify impacted consumers, resulting in new security requirements
Compliant infrastructures are required!
Risks Have Increased as Technology Changed
Unauthorized Users
Attack Vectors
• Virus attack
• Spyware (intentional and unintentional)
  o Worms and Trojans
  o Image-embedded Trojans
• Targeted attacks that exploit poor system configuration and vulnerabilities
• Targeted attacks against a "friendly" who either loses your data or passes along the attack
• Physical theft
• System misuse by an authorized user
  o Internal staff
  o Third parties
Stolen Account Data Value
Scary Bedtime Stories: What is the cost of non-compliance?
• DSW Shoe Warehouse's customer database was hacked and 1.4 million records were stolen; DSW recorded a $6.5 million reserve on its 2005 financial statements.
• Other headlines:
  - TJ Maxx causes several states to introduce new legislation to protect cardholder data.
  - CardSystems Solutions forced to sell operations at a loss.
  - Ongoing compromises are driving changes in the DSS to include two-factor authentication and wireless security.
• FTC fines ChoicePoint $10 million for unfair business practices for failure to protect consumer data.
Costs of a PCI Compromise
A hypothetical merchant compromises 10,000 accounts when a third party service provider has a server stolen. What is the potential financial impact?
Notify clients and provide privacy guard:  $50 x 10,000 = $500,000
Fines and penalties:                       $10,000 to $1 million
Loss of clients:                           10,000 clients x 15% = 1,500 clients; 1,500 x $100 in fees = $150,000 in lost fees
Fraud liability (ADCR):                    1,000 accounts x $500 = $500,000
Reputation loss:                           PRICELESS!
Cardholder Verification Number (CVN; CID / CVV2 / CVC2)
(Card diagram: the CVV2 printed on the card versus the CVV encoded on the magnetic stripe)
PCI Relationship Matrix
(Diagram: Cardholder; Merchant cardholder environment; App Vendors; Service Provider; Gateway; Processor; Acquiring Bank; Issuing Bank)
Six Goals, Twelve Requirements: PCI DSS (the "Digital Dozen")
Build and Maintain a Secure Network
 1. Install and maintain a firewall configuration to protect cardholder data
 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
 3. Protect stored cardholder data
 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
 5. Use and regularly update anti-virus software
 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
 7. Restrict access to cardholder data by business need-to-know
 8. Assign a unique ID to each person with computer access
 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
 10. Track and monitor all access to network resources and cardholder data
 11. Regularly test security systems and processes
Maintain an Information Security Policy
 12. Maintain a policy that addresses information security
The Mandate: Merchant Levels Defined
Level 1
  Visa & MasterCard: any merchant, regardless of acceptance channel, that
   - processes over 6 million Visa or MasterCard transactions per year, or
   - has suffered a hack or an attack that resulted in an account data compromise, or
   - Visa or MasterCard determines should meet the Level 1 merchant requirements, or
   - has been identified by any other payment card brand as Level 1
  AMEX: any merchant, regardless of acceptance channel, that processes over 2.5 million AMEX transactions
Level 2
  Visa & MasterCard: any merchant that processes 1 million to 6 million Visa or MasterCard transactions, regardless of acceptance channel
  AMEX: any merchant, regardless of acceptance channel, that processes 50,000 to 2.5 million AMEX transactions
Level 3
  Visa & MasterCard: any merchant that processes 20,000 to 1 million Visa or MasterCard e-commerce transactions
  AMEX: any merchant, regardless of acceptance channel, that processes fewer than 50,000 AMEX transactions
Level 4
  Visa & MasterCard: any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions, or fewer than 1 million Visa or MasterCard transactions regardless of acceptance channel
Compliance Validation Requirements
Level 1
  - Annual on-site security audit; scope: authorization and settlement systems; validated by an independent assessor, or by internal audit if signed by an officer
  - AND quarterly network scan; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
Levels 2 & 3
  - Annual Self-Assessment Questionnaire; scope: any system storing, processing, or transmitting cardholder data; validated by the merchant, with optional support from a qualified vendor
  - AND quarterly network scan; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
Level 4
  - Annual Self-Assessment Questionnaire; scope: Internet-facing perimeter systems; validated by the merchant, with optional support from a qualified vendor
  - Network scan recommended; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
Case Analysis: Compromise by Industry
The food service industry represents the majority of the compromises; retail is the next largest industry seeing compromises.
(Chart: Food Service 52%, Retail 27%; the remaining categories, Entertainment, Travel, University, Payment Processor, Telecom, Non-Profit/NGO, Media, Government, Petroleum, Medical and Construction, are each 4% or less.)
Top PCI DSS Violations
#1 Requirement 12: Maintain a policy that addresses information security
#2 Requirement 3: Protect stored data
#3 Requirement 6: Develop and maintain secure systems and applications
#4 Requirement 10: Track and monitor access to network and card data
#5 Requirement 11: Regularly test security systems and processes
#6 Requirement 8: Assign a unique ID to each person with computer access
#7 Requirement 1: Install and maintain a firewall to protect cardholder data
(Chart legend: violations found in more than 50% of forensic investigations; violations found in fewer than 50% of forensic investigations; violations found during initial PCI DSS audits)
New Self-Assessment Questionnaire (SAQ)
Visa Fine Schedule*
(other card associations have different costs)
Data compromise or non-compliance with PCI requirements:
• First violation: up to $50,000
• Second violation: up to $100,000
• Third violation: at Visa's discretion, for more than two violations in 12 months
Merchants who store full-track data:
• Initial penalty of $50,000
• Thereafter Visa assesses fines of up to $100,000 monthly until the track data is removed
* Representative fine structure based on public information distributed by Chase Paymentech. Actual fines to merchants may vary based on their acquirer. Your fines may vary...
Assessment Scope: Where is the cardholder data?
(Diagram of a customer production environment. Entry points: web server (card not present); POS terminals (card present, in stores and parking facilities); phone, fax and email. Payment path: authorization; transaction servers or payment gateway; payment gateway and transaction database; batch settlement application servers; acquiring bank (Wells Fargo, BoA, Chase). Data at rest: transaction record and archive; data warehouse; document vaults and paper records. Admin environment: portal access to reconciliation data (charge back / sales audit). Back office and customer service: marketing, customer service, e-commerce, phone/fax, gift cards, fraud, accounting/administration.)
New Visa Application Requirements
Phase, compliance mandate, effective date:
I.   Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors ("VNPs") and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. 1/1/08
II.  VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant. 7/1/08
III. Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. 10/1/08
IV.  VNPs and agents must decertify all vulnerable payment applications. 10/1/09
V.   Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. 7/1/10
Oct 23 announcement from Visa: "It is critical that merchants and agents do not use payment applications known to retain prohibited data elements and that corrective action is immediately taken to address any identified deficiencies because these applications are at risk of being compromised."
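The scope question above ("where is the cardholder data?"), the monthly fine for retained full-track data and Visa's warning about applications that keep prohibited data elements all come down to the same practical task: finding PANs and magnetic-stripe track data where they should not be. The following discovery scan is an added example written for this page; it is not code from the original Evolve Systems deck. It uses only the Python standard library. The log lines, the track-data layouts and the POSDEBUG field are constructed for illustration, and the card numbers are the card brands' public test numbers.

```python
"""
Cardholder-data discovery scanner (added example, not part of the original
deck). It walks text a merchant might be holding (application logs, POS debug
output, database exports) and flags primary account numbers (PANs) and
magnetic-stripe track data: the "prohibited data elements" that PCI DSS
Requirement 3 says must not be retained after authorization. Findings are
reported masked (first six and last four digits) so that the scan report does
not itself become a new store of cardholder data.
"""
import re

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes, and
# not adjacent to other digits (so a 20-digit serial is not split into a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (ISO 7813 format B): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list:
    """Return one finding per PAN or track-data hit: {line, kind, masked_pan}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        track_spans = []
        for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    track_spans.append(m.span())
                    findings.append({"line": lineno, "kind": kind,
                                     "masked_pan": mask_pan(m.group(1))})
        for m in PAN_RE.finditer(line):
            # a PAN embedded in track data was already reported above
            if any(s <= m.start() < e for s, e in track_spans):
                continue
            digits = SEPARATORS.sub("", m.group(0))
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "PAN",
                                 "masked_pan": mask_pan(digits)})
    return findings


# Constructed sample: an application log with a POS debug feature left on.
# The order number is a 16-digit value that fails Luhn and must not be flagged.
SAMPLE_LOG = """\
2009-03-14 10:02:11 order=1234567890123456 status=approved
2009-03-14 10:02:13 note="customer called, card 4111 1111 1111 1111 declined"
2009-03-14 10:02:20 POSDEBUG swipe=;5555555555554444=2512101?
2009-03-14 10:02:21 POSDEBUG swipe=%B378282246310005^DOE/JANE^2512101?
2009-03-14 10:03:00 batch_total=1500000 txn_count=12
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['kind']:<6}  {f['masked_pan']}")
```

Run against the sample, the scan reports the spaced PAN in the customer note and the two swipes the debug logging captured, and ignores the order number and batch total. Track data is the finding to act on first: under the fine schedule above it is penalized monthly until removed. Pattern plus Luhn discovery has limits a practitioner should keep in mind: any Luhn-valid digit run (some loyalty or account identifiers) is a false positive to be confirmed by hand, and encrypted, hashed or base64-encoded card data will not be found this way, so the scan complements, rather than replaces, the data-flow inventory the assessment scope slide calls for.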
Summary
• Assessment vs. audit
• Penalties for non-compliance are high, but guidance on "assessment" procedures is marginal (sample size, evidence of control effectiveness, retention period, testing oversight)
• The testing procedures for each control activity are PRESCRIPTIVE: maintain evidence of controls
• The Self-Assessment Questionnaire must track to the environment
• Organizations may not understand their cardholder environment
• The reporting process depends on the acquiring bank
• There are more risks to manage than the test procedures measure
What's One More Certification? Payment Application Best Practices (PABP)
Knowledge – Action = Negligence
Questions
Donald Raleigh
(651) 628-4000
don@evolve-systems.com
www.evolve-systems.com/paragon

8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 

Evolve Pci Compliance

  • 9. Scary Bedtime Stories: what is the cost of non-compliance?
    - DSW Shoe Warehouse: the customer database was hacked and 1.4 million records were stolen; DSW recorded a reserve of over $6.5 million on its 2005 financial statements.
    - Other headlines:
      - TJ Maxx causes several states to introduce new legislation to protect cardholder data.
      - Card Systems International forced to sell operations at a loss.
      - Ongoing compromises are driving changes in the DSS to include dual-factor authentication and wireless security.
    - FTC fines ChoicePoint $10 million for unfair business practices for failure to protect consumer data.
  • 10. Costs of a PCI Compromise. A hypothetical merchant compromises 10,000 accounts when a third-party service provider has a server stolen. What is the potential financial impact?
    - Notify clients and provide privacy guard: $50 x 10,000 = $500,000
    - Fines and penalties: $10,000 to $1 million
    - Loss of clients: 10,000 clients – 15% = 1,500 clients; 1,500 x $100 in fees = $150,000 in lost fees
    - Fraud liability (ADCR): 1,000 accounts x $500 = $500,000
    - Reputation loss: PRICELESS!
  • 11. Cardholder Verification Number (CVN), also known as CID / CVV2 / CVC2 (figure labels: CVV2, CVV)
  • 12. PCI Relationship Matrix (diagram labels): Cardholder, Merchant, Service Provider, Gateway, Processor, App Vendors, Acquiring Bank, Issuing Bank; Cardholder Environment
  • 13. Six Goals, Twelve Requirements – PCI DSS, the "Digital Dozen" of the Payment Card Industry Data Security Standard
    - Build and Maintain a Secure Network
      1. Install and maintain a firewall configuration to protect cardholder data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters
    - Protect Cardholder Data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks
    - Maintain a Vulnerability Management Program
      5. Use and regularly update anti-virus software
      6. Develop and maintain secure systems and applications
    - Implement Strong Access Control Measures
      7. Restrict access to cardholder data by business need-to-know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
    - Regularly Monitor and Test Networks
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes
    - Maintain an Information Security Policy
      12. Maintain a policy that addresses information security
  • 14. The Mandate: Merchant Levels Defined (Level – Merchant Classification Criteria)
    - Level 1
      - Visa & MasterCard: any merchant, regardless of acceptance channel, that processes over 6 million Visa or MasterCard transactions per year; has suffered a hack or an attack that resulted in an account data compromise; Visa or MasterCard determines should meet the Level 1 merchant requirements; or has been identified by any other payment card brand as Level 1
      - AMEX: any merchant, regardless of acceptance channel, that processes over 2.5 million AMEX transactions
    - Level 2
      - Visa & MasterCard: any merchant that processes 1 million to 6 million Visa or MasterCard transactions, regardless of acceptance channel
      - AMEX: any merchant, regardless of acceptance channel, that processes 50,000 to 2.5 million AMEX transactions
    - Level 3
      - Visa & MasterCard: any merchant that processes 20,000 to 1 million Visa or MasterCard e-commerce transactions
      - AMEX: any merchant, regardless of acceptance channel, that processes less than 50,000 AMEX transactions
    - Level 4
      - Visa & MasterCard: any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions, or processes fewer than 1 million Visa or MasterCard transactions, regardless of acceptance channel
  • 15. Compliance Validation Requirements (Level – Validation Action – Scope – Validated By)
    - Level 1
      - Annual On-Site Security Audit – Authorization and Settlement Systems – Independent Assessor, or Internal Audit if signed by an Officer
      - AND Quarterly Network Scan – Internet-Facing Perimeter Systems – Qualified Independent Scan Vendor
    - Levels 2 & 3
      - Annual Self-Assessment Questionnaire – any system storing, processing, or transmitting cardholder data – Merchant, with optional support from a qualified vendor
      - AND Quarterly Network Scan – Internet-Facing Perimeter Systems – Qualified Independent Scan Vendor
    - Level 4
      - Annual Self-Assessment Questionnaire – Internet-Facing Perimeter Systems – Merchant, with optional support from a qualified vendor
      - Network Scan Recommended – Internet-Facing Perimeter Systems – Qualified Independent Scan Vendor
  • 16. Case Analysis: Compromise by Industry. The Food Service industry represents the majority of the compromises (52%); Retail is the next largest industry seeing compromises (27%). The remaining share is spread across Entertainment, Travel, University, Payment Processor, Telecom, Non-Profit/NGO, Media, Government, Petroleum, Medical, and Construction, each a few percent at most.
  • 17. Top PCI DSS Violations
    - #1 Requirement 12: Maintain a policy that addresses information security
    - #2 Requirement 3: Protect stored data
    - #3 Requirement 6: Develop and maintain secure systems and applications
    - #4 Requirement 10: Track and monitor access to network and card data
    - #5 Requirement 11: Regularly test security systems and processes
    - #6 Requirement 8: Assign a unique ID to each person with computer access
    - #7 Requirement 1: Install and maintain a firewall to protect cardholder data
    - Chart legend: violations found in >50% of forensic investigations; violations found in <50% of forensic investigations; violations found during initial PCI DSS audits
  • 18. New Self-Assessment Questionnaire (SAQ)
  • 19. Visa Fine Schedule* (other card associations have different costs)
    - Data compromise or non-compliance with PCI requirements:
      - First violation: up to $50,000
      - Second violation: up to $100,000
      - Third violation: at Visa's discretion for more than two violations in 12 months
    - Merchants who store full-track data:
      - Initial penalty of $50,000
      - Thereafter Visa assesses fines of up to $100,000 monthly until track data is removed
    - * Your fines may vary: representative fine structure based on public information distributed by Chase Paymentech. Actual fines to merchants may vary based on their acquirer.
  • 20. Assessment Scope: where is the cardholder data? (diagram labels)
    - Acquiring Bank: Wells Fargo, BoA, Chase
    - Customer Production Environment: Transaction Servers or Payment Gateway; Transaction Record & Archive; Data Warehouse; Payment Gateway and Transaction Database; Batch Settlement; Application Servers; Web Server (card not present); POS Terminals (card present in stores and parking facilities); Authorization
    - Admin Environment: Portal Access to Reconciliation Data (Charge Back / Sales Audit)
    - Back Office & Customer Service: Marketing, Customer Service, Ecommerce, Phone / Fax, Gift Cards, Fraud, Accounting / Administration; Phone, Fax, Email
    - Document Vaults: paper records
  • 21. New Visa Application Requirements (Phase – Compliance Mandate – Effective Date)
    - I. Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors ("VNPs") and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. 1/1/08
    - II. VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant. 7/1/08
    - III. Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. 10/1/08
    - IV. VNPs and agents must decertify all vulnerable payment applications. 10/1/09
    - V. Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. 7/1/10
    - Oct 23 announcement from Visa: "It is critical that merchants and agents do not use payment applications known to retain prohibited data elements and that corrective action is immediately taken to address any identified deficiencies because these applications are at risk of being compromised."
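Slides 19 through 21 turn on one question: is there stored full-track data or unprotected PAN anywhere in the environment? The discovery scan below is an added example, not code from the deck or from Evolve Systems; it runs over a constructed application log (the PANs are Luhn-valid test numbers, not real accounts), flags track-2 records and bare PANs that pass the Luhn check, and reports only masked values.

```python
import re

# Constructed sample application log (not from the deck). The PANs are
# Luhn-valid test numbers, not real accounts; line 3 mimics raw track-2 data.
SAMPLE_LOG = """\
2009-03-01 order=1001 pan=4111111111111111 exp=1112 status=approved
2009-03-01 order=1002 pan=1234567890123456 exp=0910 status=declined
2009-03-02 raw=;4111111111111111=11121011234567890? terminal=POS-07
2009-03-02 order=1003 ref=5500000000000004 note=refund
"""

# Track-2 layout: [;]PAN=YYMM<service code><discretionary data>[?]
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# A bare 13-19 digit run that is not part of a longer number
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report findings as first six / last four, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    findings, covered = [], []
    for m in TRACK2_RE.finditer(line):      # full-track data must never be stored
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask(m.group(1))))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(line):         # stored PANs fall under Requirement 3
        inside_track = any(s <= m.start() < e for s, e in covered)
        if not inside_track and luhn_ok(m.group(1)):
            findings.append(("pan", mask(m.group(1))))
    return findings


def scan_text(text: str) -> list:
    """Return (line number, kind, masked PAN) for every hit in the text."""
    return [(n, kind, masked)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, masked in scan_line(line)]


if __name__ == "__main__":
    for n, kind, masked in scan_text(SAMPLE_LOG):
        print(f"line {n}: {kind} {masked}")
```

Line 2 is skipped because its number fails the Luhn check, while the track-2 record on line 3 is reported once as track data rather than again as a bare PAN.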
  • 22. Summary
    - Assessment vs. Audit
    - Penalties for non-compliance are high, but guidelines on "Assessment" procedures are marginal (sample size, evidence of control effectiveness, retention period, testing oversight)
    - The testing procedures for each control activity are PRESCRIPTIVE: maintain evidence of controls
    - The Self-Assessment Questionnaire must track to the environment
    - Organizations may not understand the cardholder environment
    - The reporting process depends on the acquiring bank
    - There are more risks to manage than the test procedures measure
  • 23. What's One More Certification? Payment Application Best Practices [PABP]
  • 24. Knowledge – Action = Negligence
  • 25. Questions: Donald Raleigh, (651) 628-4000, don@evolve-systems.com, www.evolve-systems.com/paragon