
Payment Card Industry Data Security Standard


Presentation Transcript


  1. Payment Card Industry Data Security Standard
     IU Treasury Operations 5th Annual e-Business/Banking Seminar, August 10 & 11, 2006
     Tom Davis, CISSP, CISM, GCIA, Chief IT Security Officer, Office of the VP for Information Technology

  2. Agenda
     • Protecting card data
     • Overview of the Payment Card Industry Data Security Standard (PCI DSS)
     • PCI DSS requirements
     • Merchant levels
     • PCI DSS compliance validation
     • Risks of non-compliance
     • IU and PCI DSS compliance
     • Questions

  3. Protecting card data
     • Why it’s important
       • causes hardship for our customers
       • loss of customer confidence
       • required by PCI DSS
       • state laws on “disposal” and “notice”
       • impending federal legislation?

  4. Credit card theft is big business!
     • Phishing attempts on the rise
       • to trick individuals into divulging financial info
     • Dramatic move by “hackers” to compromise machines for profit
       • keyboard monitoring software
     • Many chat channels devoted to underground trading of credit card #’s

  5. Overview of PCI DSS
     • Prior to September 2004
       • no standardization across card companies on credit card security requirements
       • difficult for merchants to become familiar with and adhere to competing standards from VISA, MasterCard, and others
     • As fraud losses increased, the card industry realized the need for consistent and well-defined security standards

  6. Overview of PCI DSS
     • PCI DSS announced in September 2004
       • collaboration between VISA and MasterCard
       • endorsed by other card companies as well
     • “… offers a single approach to safeguarding sensitive data for all card brands…”

  7. Overview of PCI DSS
     • Applies to
       • all merchants that “store, process, or transmit cardholder data”
       • all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
     • Includes 12 requirements, based on
       • administrative controls (policies, procedures, etc.)
       • physical security (locks, physical barriers, etc.)
       • technical security (passwords, encryption, etc.)

  8. Card Security Programs
     • The following programs incorporate PCI DSS:
       • VISA: Cardholder Information Security Program (CISP)
       • MasterCard: Site Data Protection (SDP) Program
       • American Express: Data Security Requirements
       • Discover: Discover Information Security and Compliance (DISC) Program

  9. PCI DSS requirements
     Each requirement has many sub-requirements!
     1. Install and maintain a firewall configuration to protect data
     2. Do not use vendor-supplied defaults for system passwords and other security parameters
     3. Protect stored data

  10. PCI DSS requirements
     4. Encrypt transmission of cardholder data and sensitive information across public networks
     5. Use and regularly update anti-virus software
     6. Develop and maintain secure systems and applications
     7. Restrict access to data by business need-to-know

  11. PCI DSS requirements
     8. Assign a unique ID to each person with computer access
     9. Restrict physical access to cardholder data
     10. Track and monitor all access to network resources and cardholder data
     11. Regularly test security systems and processes
     12. Maintain a policy that addresses information security
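The requirement list above is only headings; the sub-requirements are where the engineering happens. As an added example (the editor's, not code from the slides or from IU), the block below turns Requirement 3, "Protect stored data", into something a merchant application could actually run: it refuses to keep sensitive authentication data (card verification code, PIN, magnetic-stripe track data) once a sale is authorized, masks a PAN to at most the first six and last four digits when it is displayed, and stores the PAN only as a keyed one-way hash. It also scrubs full PANs out of log lines, because the logs Requirement 10 demands must not themselves become a store of cardholder data. The log lines, the record and the key are constructed for the example; the choice of HMAC-SHA256 over a bare hash is the editor's, made because the PAN space is small enough that an unkeyed hash can be reversed by enumeration.

```python
"""Requirement 3 ("Protect stored data") as working code.

Added example, not part of the original slides. Sub-requirements shown:
3.2 do not store sensitive authentication data after authorization,
3.3 mask the PAN to at most first six / last four digits when displayed,
3.4 render stored PANs unreadable. Inputs and key are constructed.
"""
import hashlib
import hmac
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names whose values PCI DSS 3.2 forbids storing after authorization
# (verification code, PIN / PIN block, full magnetic-stripe track data).
SENSITIVE_AUTH_FIELDS = frozenset(
    {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}
)


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit test shared by all card brands.

    Used to tell a real PAN from other 13-19 digit runs (timestamps,
    order numbers); about one random digit string in ten still passes.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _pan_from_candidate(text: str):
    """Strip separators; return the digits if they form a plausible PAN."""
    digits = re.sub(r"[ -]", "", text)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, digits only."""
    pans = []
    for m in _PAN_CANDIDATE.finditer(text):
        pan = _pan_from_candidate(m.group(0))
        if pan:
            pans.append(pan)
    return pans


def mask_pan(pan: str) -> str:
    """Display form allowed by 3.3: first six and last four digits at most."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Storage form for 3.4: a keyed one-way hash of the PAN.

    3.4 accepts a strong one-way hash; HMAC with a secret key (an assumption
    of this example, in practice held in an HSM or key vault) is used so the
    value cannot be reversed by hashing every possible PAN.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace full PANs written to a log line with their masked form."""
    def repl(m):
        pan = _pan_from_candidate(m.group(0))
        return mask_pan(pan) if pan else m.group(0)
    return _PAN_CANDIDATE.sub(repl, line)


def strip_sensitive_auth_data(record: dict) -> dict:
    """Drop every field 3.2 forbids keeping once authorization is done."""
    return {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}


def store_after_authorization(record: dict, key: bytes) -> dict:
    """What may be written to the merchant database once the sale is authorized."""
    kept = strip_sensitive_auth_data(record)
    pan = kept.pop("pan")
    kept["pan_masked"] = mask_pan(pan)          # enough for receipts and lookups
    kept["pan_ref"] = pan_reference(pan, key)   # unreadable, still matchable
    return kept


if __name__ == "__main__":
    KEY = b"example-key-replace-with-one-from-an-hsm"   # constructed
    # Constructed web-server log lines: one leaked a card number, one did not.
    for line in (
        "2006-08-10 12:34:56 POST /checkout card=4111-1111-1111-1111 cvv2=123",
        "2006-08-10 12:35:01 GET /order/20060810123457 status=200",
    ):
        print(scrub_log_line(line))
    authorized = {"pan": "5500000000000004", "expiry": "0807",
                  "cvv2": "321", "track2": "5500000000000004=0807..."}
    print(store_after_authorization(authorized, KEY))
```

The Luhn filter is what keeps the log scrubber from mangling order numbers and timestamps, but it is a filter, not proof: roughly one random digit run in ten passes mod 10, so a scrubber that runs over real logs should also be checked against known card prefixes before it is trusted not to over-mask.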

  12. Merchant levels
     • Merchant levels are based on the merchant’s yearly transaction volume
     • Specific criteria for placement in merchant levels vary across card companies
     • All merchants, regardless of level, must adhere to PCI DSS requirements
     • The level into which a merchant is placed determines PCI DSS compliance validation (and ultimately cost)
     • Let’s take a quick look at Visa’s levels…

  13. Merchant levels - Visa
     • Level 1:
       • merchants, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year
       • any merchant that has suffered a data compromise
       • any merchant so selected by Visa
       • any merchant identified by another card brand as Level 1

  14. Merchant levels - Visa
     • Level 2:
       • merchants, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year
     • Level 3:
       • any merchant processing 20,000 to 1,000,000 Visa e-commerce (Internet) transactions per year

  15. Merchant levels - Visa
     • Level 4:
       • any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions per year
       • all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year

  16. PCI DSS compliance validation
     • Level 1 merchants
       • annual on-site assessment by an approved assessor (generates a report on compliance)
       • quarterly network security scan by an approved scan vendor
     • Level 2 and 3 merchants
       • self-assessment questionnaire
       • quarterly network security scan by an approved scan vendor

  17. PCI DSS compliance validation
     • Level 4 merchants
       • self-assessment questionnaire, if required by the acquirer
       • quarterly network security scan by an approved scan vendor, if required by the acquirer

  18. Risks of non-compliance
     • Endangering customer information
     • Exposure could lead to:
       • fines levied by acquiring banks
       • cost of replacing cards and perhaps covering fraudulent charges
       • loss of merchant status
       • elevation to Level 1 status (and the resulting compliance validation costs)

  19. IU and PCI DSS compliance
     • Joint effort across many units
       • Treasury, IT Security and Policy, Internal Audit, Legal Counsel, Purchasing, etc.
     • Review IU merchants
       • rank existing merchants based on perceived risk and begin compliance reviews
       • will most likely hold merchants to a higher standard than dictated by PCI DSS
         • especially for Level 4 merchants

  20. IU and PCI DSS compliance
     • Contracts
       • review existing and new contracts with external agencies to ensure they are responsible for complying with PCI DSS
     • Education and awareness
       • this seminar!

  21. Questions?

  22. Additional reading
     • http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
     • http://www.time.com/time/world/article/0,8599,1224273,00.html?cnn=yes
     • http://www.no1proxy.com/proxy-list.html
     • http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1146949,00.html
     • http://money.cnn.com/2006/05/11/technology/fastforward_fortune/index.htm
