Transcript PowerPoint

An Introduction to PCI Compliance

• Data Breach Trends
• About PCI-SSC
• 12 Requirements of PCI-DSS
• Establishing Your Validation Level
• PCI Basics
• Benefits of PCI Compliance
• Benefits of Accepting Credit Cards

Source: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

“From the chart, it is evident…unauthorized access via default, shared, or stolen credentials constituted more than a third of the entire hacking category and over half of all compromised records.” Example: “Tito’s Taco Shack”


PCI-SSC

Payment Card Industry - Security Standards Council

Does:
• Maintain the Data Security Standard (DSS)
• Maintain the Payment Application Data Security Standard (PA-DSS)
• Maintain the PIN Transaction Security (PTS) Requirements

Does Not:
• Enforce the standards
• Set fine and fee structures
• Set validation levels


Build and Maintain a Secure Network

• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

[Map: states with a State PCI Law and states with Breach Notification Laws]

Any merchant that processes, transmits, or stores credit card data, regardless of processing volume, must comply with PCI-DSS.

• Every merchant must validate compliance every year.*
• Merchant IDs (MIDs) under different Tax IDs must certify separately.

* Check with your Acquiring bank for specific validation requirements and deadlines

Step 1

• Identify Validation Type

Step 2

• Complete the applicable Self Assessment Questionnaire (SAQ)

Step 3

• Complete and obtain evidence of a passing vulnerability scan with an Approved Scanning Vendor (ASV) on a quarterly basis, if necessary.

Step 4

• Complete the Attestation of Compliance form and submit it, with your SAQ and scan evidence, to your acquiring bank.

Level 1
Merchant criteria: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
Validation requirements:
• Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
• Quarterly network scan by an Approved Scanning Vendor (ASV)
• Attestation of Compliance Form

Level 2
Merchant criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels).
Validation requirements:
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by ASV
• Attestation of Compliance Form

Level 3
Merchant criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
Validation requirements:
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance Form

Level 4
Merchant criteria: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
Validation requirements:
• Annual SAQ recommended
• Quarterly network scan by ASV, if applicable
• Compliance validation requirements set by acquirer

Source: www.visa.com/cisp

Source: www.pcisecuritystandards.org

[PCI Basics diagram]
• Credit Card Processing Methods
• Fill out appropriate SAQ
• Remediation
• Monitoring
• Reporting

• Peace of mind for your business and clients
• Decreased risk of security breaches
• Boost in customer confidence
• Protection from costly fines
• Relatively quick and easy
• Safeguard your business reputation

• Stay viable in the marketplace: “The number of payments made by debit, credit, or EBT card grew by 12.8 billion from 2003 to 2006, reaching 48.1 billion and exceeding the number of checks paid by 17.6 billion.”*
• Offer payment flexibility to clients
• Improve cash flow
• Reduce the hassle of collections

*http://www.federalreserve.gov/pubs/bulletin/2008/articles/payments/default.htm

www.visa.com/cisp
www.pcisecuritystandards.org
www.mastercard.com/us/sdp/education
www.pcicentral.com/docs/pciscc_ten_common_myths.pdf

http://www.federalreserve.gov/pubs/bulletin/2008/articles/payments/default.htm

http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Amy Airhart

1-866-376-0947 [email protected]

www.pcicentral.com