1 / 21

PCI DSS Protecting your business

PCI DSS Protecting your business. Lara Fiorani, Visa Europe Basel 25 April, 2006. Agenda. Account Information Security Programme and the Payment Card Industry (PCI) Data Security Standards PCI DSS - Protecting your business Plans for 2006. Account Information Security Programme.

leonard-fuller
Download Presentation

PCI DSS Protecting your business

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PCI DSSProtecting your business Lara Fiorani, Visa Europe Basel 25 April, 2006 Visa Europe Confidential

  2. Agenda • Account Information Security Programme and the Payment Card Industry (PCI) Data Security Standards • PCI DSS - Protecting your business • Plans for 2006

  3. Account Information Security Programme • The Payment Card Industry Data Security Standards (PCI DSS) were developed jointly by Visa and MasterCard and are endorsed by Amex, JCB, Discovery, Diners • Work is under way to promote the establishment of PCICo, an independent industry body that will act as custodian of the PCI DSS • Visa promotes the implementation of the PCI DSS through its Account Information Security Programme (AIS) • AIS is part of a wider Visa strategy to make the card industry more secure

  4. Account Information Security (AIS) alongside other Visa security products POS Environment Online e-comm Back office, systems Chip & PIN Verified by Visa AIS

  5. Why do we need PCI DSS? 40M credit cards hacked Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards. June 20, 2005: 5:04 PM EDT Jeanne Sahadi, CNN/Money senior writer

  6. Why do we need PCI DSS? • From The Times, Saturday April 15 2006 : • The Times contacted 14 customers whose details had been passed to it by a US company that monitors […] chat rooms. They were astonished when a reporter read out their credit card numbers. • The names had been taken from unidentified British servers. By ringing the individuals on each list and checking which purchases they had made on the day the details were stolen, The Times was led to two reputable companies — one a supplier of travel goods based in Amesbury, Wiltshire, with a database of more than 20,000 customers, the other a computer sales company in Sheffield. Neither company was aware that its systems had been targeted. • [Jonathan Richards, ‘Revealed: how credit cards are plundered on the net’, The Times, Saturday April 15 2006]

  7. Externalpressure on Visa to protect personal financial information Key role of beyond facilitator of payments? Top mentions Q28: Aside from Visa being a facilitator of purchases or a processor of transactions, when you think of Visa and the role you expect it to play in society, which one of the following best describes your expectations of what Visa should be – educator on financial issues, protector of personal financial information, contributor to economic growth, or something else? If you have a different expectation for Visa, please let me know. Base: Total Respondents, n=2044

  8. Having your personal or financial info lost or stolen • Protecting the environment • Terrorism in the world or in your country • Losing your primary source of income (such as your job) • Having a credit card, debit card, or some type of payment card lost or stolen • Spread of disease, or health epidemics • *Loss of trust in governments/businesses/ institutions • Natural disasters (drought, earthquakes, floods, fires, hurricanes) In addition: Data Security is a major concern for customers worldwide Top 3 Box (Rated 8-10) Base: All respondents, except (*) not asked in China

  9. Recent Visa Europe experience • Remarkable increase in compromises in Europe, regardless of acceptance channels • Full track two data being targeted • Processors and IPSPs remotely targeted • Increase in compromises at non e-commerce Merchants • E-commerce still a target • Fraud migrating to card not present sector because of increased security in face to face (EMV chip)

  10. Benefits of compliance with PCI DSS • Ensures protection of the brands and reputation of all parties • Visa • Acquiring banks • Merchants • Service providers • Helps gaining and maintains consumer confidence in payment systems • Secures customers • Makes them come back

  11. Compliance with PCI DSS- Systems benefit Helps you identify and address weaknesses in your security Systems More aware of how your business works Provides you with greater awareness of security measures and preventative options available

  12. Compliance with PCI DSS - Financial Benefits Protects you from card schemes post-compromise penalties Avoid cost of fraud Financial Avoid cost of reaction to cybercrime policeinvolvement law suits suspension from trading consultancy fees consultancy fees

  13. Compliance with PCI DSS- Reputational Benefits No compromises – no unwanted media attention Brand damage alone may put a company out of business! Reputation

  14. If an organisation is certified compliant with PCI DSS.. • A compromise is less likely to happen. • If it happens it may be: • Smaller • reduced fraud cost • easier and cheaper to contain • Less investment needed to bring the organisation into compliance • Faster to bring the organisation into compliance • If the forensics investigation confirms that the organisation was still PCI compliant at the time of compromise • Visa will not levy compromise fees

  15. Sensitive Information • Card number • Expiry date • Full Track 2 (for face to face transactions) • CVV2 (for Card not Present transactions) • Track 2 and CVV2 should never be stored after authorisation • NOT storing any of the above removes the need for PCI DSS validation • If the information is stored, it has to be stored securely (encrypted)

  16. Level 1 - Merchants with 6,000,000+ transactions a year- all acceptance channels Level 2&3 - E-commerce Merchants with 6,000,000 to 20,000 transactions a year Level 4 – all other Merchants Mandated Annual onsite audit, and Quarterly network scan The audit can be done by a qualified auditor or by Merchant’s internal audit team, but has to assess compliance with the PCI Standards Mandated Annual PCI Self-assessment questionnaire, and Quarterly network scan Recommended annual PCI Self-assessment questionnaire and annual network scan Compliance Validation Requirements - Merchants

  17. Merchants – next steps for 2006 • ALL Merchants should be compliant with PCI DSS already • Regardless of Merchant size • Data security should be ongoing work • Difference is only in type of validation required • Validation may be recommended for some categories, but compliance is mandated to be part of the Visa system • All Merchants should make provisions to ensure than any third party they contract with is compliant

  18. Visa – Recent and next steps • Finished re-accreditation of Qualified Security Assessors  • Producing more awareness raising and support materials  • AIS as contractual requirement for all new merchant agreements • New set of penalties for Acquirers with non-compliant Merchants • If a Merchant commits to starting the work, they will be allowed reasonable time to work towards compliance • Lowering the Level 1 threshold to include more non e-commerce Merchants

  19. Conclusion We are flexible, want to help you get started PCI DSS adds value to your brand and consumers PCI DSS protects your revenues Based on ISO/BSS, tailoring these standards to cards industry

  20. Where to find information on PCI DSS • Visa OnLine • https://www.eu.visaonline.com/eu_ais/ • Visa Europe website • www.visaeurope.com/acceptingvisa/datasecurity.html • Email: datasecuritystandards@visa.com • AIS Programme Manager: Lara Fiorani • Tel: +44 207 795 5668 • Email: datasecuritystandards@visa.com 20

  21. Thank you Visa Europe Confidential

More Related