The future is mission critical. Solutions your way.
MphasiS PCI DSS Offerings
Bhaskar Maddala, Associate Vice President, MphasiS Australia Pty Ltd – a HP Company
Agenda
• What is PCI DSS?
• What it means for us and who gets affected?
• How to be compliant?
• What if not compliant?
• PCI compliance for NonStop
• MphasiS PCI service approach and service offerings
• Case studies
What is PCI DSS?
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The standard is intended to help organisations proactively protect customer account data. It is primarily concerned with the processing, storage and transmission of the Primary Account Number (PAN) printed on the front of every debit and credit card, and with protecting it.
• Joint effort of VISA International, MasterCard Worldwide, American Express, Discover Financial Services and JCB
• 12 security requirements (approximately 327 sub-requirements) grouped into six control objectives
• Version 1.0 published in December 2004; version 1.2 in October 2008
• Current version of the standard is 2.0 (October 2010)
PCI DSS, why?
• Response to an alarming increase in the theft of payment card data
• Several high-profile cases in the US:
  • TJX Companies (January 2007, 45+ million customers affected)
  • Hannaford Brothers (March 2008, 4+ million customers affected)
• Payment card processors had security breaches too:
  • Heartland Payment Systems (January 2009; processed 100 million transactions per month)
• Security breached at small businesses as well; limited public information in Australia:
  • RosesOnly (September 2007, 20,000 customers affected)
  • Bottle Domains (February 2009, 60,000 customers affected)
• Note: in some of the cases above (Hannaford and Heartland) the compromised entity had been assessed PCI DSS compliant, so a passed audit is not by itself proof that card data is safe
Benefits of compliance
• Protect customers' personal data
• Boost customer confidence through a higher level of data security
• Lower exposure to financial losses and remediation costs
• Maintain customer trust and safeguard the reputation of the brand
• Provide a complete "health check" for any business that stores or transmits customer information
What are criminals after?
• Most attackers want the magnetic-stripe track data, which carries the PAN, the cardholder name, the expiry date and CVV1/CVC1 (the card-verification code encoded on the stripe)
• CVC2 (printed on the card, not encoded on the stripe) and especially the PIN are not part of the track data and are captured separately
• Why this information?
  • Counterfeit magnetic-stripe cards can be made from Track 2 data and used for card-present fraud; PAN, expiry date and CVC2 are enough for card-not-present fraud
  • The PIN, combined with a counterfeit card, enables PIN-verified transactions such as cash withdrawals
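What the track data holds, and what PCI DSS lets a merchant keep of it, as an added example (my code, not from the MphasiS deck): parse an ISO/IEC 7813 Track 2 string, reduce it to the post-authorisation record Requirement 3.2/3.3 allows, and scan text for PANs that leaked in the clear. The track string and the log lines are constructed; 4111 1111 1111 1111 and 5555 5555 5555 4444 are well-known Luhn-valid test numbers, not real accounts.

```python
"""Track 2 parsing, PCI DSS post-authorisation retention, and PAN leak scanning.

Added example, not code from the MphasiS deck. All inputs below are constructed.
"""
import re
from dataclasses import dataclass

# Track 2 layout: [;]PAN=YYMM SSS discretionary[?]   (the LRC byte, if present, is ignored)
TRACK2_RE = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str  # typically holds PVKI/PVV and CVV1/CVC1: sensitive authentication data


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; also filters random digit runs when hunting for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digits summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if m is None or not luhn_ok(m["pan"]):
        raise ValueError("not a well-formed Track 2 string")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def mask_pan(pan: str) -> str:
    """PCI DSS Req 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def post_auth_record(t: Track2) -> dict:
    """What may be retained once the transaction is authorised (Req 3.2 / 3.3).

    Full track data, CVV1/CVC1 (inside the discretionary data), CVV2 and PIN blocks
    must never be stored; the PAN itself must be rendered unreadable at rest (Req 3.4),
    so only the masked form is returned here.
    """
    return {"pan_masked": mask_pan(t.pan), "expiry": t.expiry_yymm, "service_code": t.service_code}


# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs appearing in clear text, e.g. an application log.

    Req 3.3/3.4 together with Req 10 mean logs and trace files must not carry the
    full PAN; this is the kind of check a QSA runs against log samples.
    """
    hits = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed log sample: line 1 leaks a PAN, line 2 is correctly masked,
# line 3 has a 13-digit reference that fails Luhn plus a second leaked PAN.
SAMPLE_LOG = """\
2011-03-04T10:15:02Z INFO pos-gw txn=88213 pan=4111111111111111 amount=42.50 status=APPROVED
2011-03-04T10:15:09Z INFO pos-gw txn=88214 pan=411111******1111 amount=19.99 status=APPROVED
2011-03-04T10:15:11Z DEBUG batch ref=1234567890123 trace=5555555555554444
"""

if __name__ == "__main__":
    track = parse_track2(";4111111111111111=2512101123456789?")
    print(post_auth_record(track))
    print("leaked PANs:", find_pans(SAMPLE_LOG))
```

The scanner deliberately runs Luhn on every candidate: without it, order numbers, timestamps and trace IDs flood the report, which is why most home-grown "PAN grep" scripts get switched off after a week.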
Common challenges in becoming PCI compliant
• Fully understanding and documenting the processes and the payment environment
• Tracking and monitoring access to payment card systems and data
• Controlling logical access (authentication) to systems containing payment card data
• Security event monitoring across a disparate environment
• Limited security capabilities (authentication, monitoring, etc.) of legacy systems
• Remediation of controls across large (often legacy) distributed environments
• Encryption of payment card data
• Putting PCI contractual language in place for third-party service providers
• Obtaining management support to perform remediation
Trends in the PCI compliance market
Achieving compliance: how are businesses living up to PCI DSS requirements?
• Restricting access to card data is the most important PCI DSS requirement, but also the most difficult to achieve
• Firewalls and encryption are seen as the most effective technologies for achieving compliance
• The cost of annual audits averages $225,000 per year for large merchants
Protecting cardholder data: where is data at risk and how is it being protected?
• Handling chargebacks still requires storage of cardholder data
• Cardholder data is most at risk while travelling across merchant networks and when stored in databases
• Encryption is the favoured technology for achieving end-to-end cardholder data protection
• Controlling access to encryption keys is the most difficult key-management task
State of compliance: how is PCI DSS perceived and prioritised in business?
• Businesses are still not taking data security seriously and are struggling with compliance costs
• Business units own compliance assessment budgets, but IT security is responsible for compliance
• Few organisations fail compliance, but many rely on mechanisms not prescribed by PCI DSS
Ref: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/PCIDSSTrends-QSAInsights010310.pdf
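Two of the challenges above (encrypting stored card data and tracking access to it) and the chargeback and key-management points from the survey come together in a cardholder-data store, shown here as an added example (my code, not the deck's or MphasiS's). It keeps the PAN unreadable at rest with two of the methods Requirement 3.4 names, truncation and a keyed one-way hash used as an index token, and writes an audit entry with the fields Requirement 10.3 demands for every store and lookup. The key, PAN, user names and addresses are constructed test values. Retaining the full PAN for chargebacks would additionally require encryption under a separate data-encrypting key, which is assumed to sit outside this class.

```python
"""PAN storage rendered unreadable (PCI DSS Req 3.4) with an access audit trail (Req 10.3).

Added example, not code from the MphasiS deck. Key material and inputs are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timezone


class CardholderDataVault:
    def __init__(self, index_key: bytes, authorized_roles):
        if len(index_key) < 32:
            raise ValueError("index key must be at least 256 bits")
        # The index key is never stored with the records (Req 3.5.2). In production it
        # lives in an HSM or key-management service with access limited to few custodians.
        self._index_key = index_key
        self._authorized_roles = set(authorized_roles)
        self._records = {}   # token -> {"last4": ..., "expiry": ...}; no full PAN here
        self.audit_log = []  # Req 10.2/10.3 trail; forward to a central log server (Req 10.5)

    def token_for(self, pan: str) -> str:
        # A plain SHA-256 of the PAN is not "unreadable": with a known BIN and the Luhn
        # check there are only about 10^9 candidates per BIN, so an offline dictionary
        # attack inverts it in minutes. Keying the hash defeats that as long as the key
        # is protected; the same PAN always yields the same token, so it works as an index.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def store(self, user: str, pan: str, expiry_yymm: str, origin: str) -> str:
        token = self.token_for(pan)
        self._records[token] = {"last4": pan[-4:], "expiry": expiry_yymm}
        self._audit(user, "chd.store", True, origin, token)
        return token

    def lookup(self, user: str, role: str, token: str, origin: str):
        """Return a copy of the truncated record, or None after logging the refused access."""
        allowed = role in self._authorized_roles and token in self._records
        self._audit(user, "chd.lookup", allowed, origin, token)
        return dict(self._records[token]) if allowed else None

    def _audit(self, user, event, success, origin, affected):
        # Req 10.3: user id, event type, date and time, success/failure, origin,
        # identity of the affected data. The affected item is the token, never the PAN,
        # so the audit log itself carries no cardholder data.
        self.audit_log.append({
            "user": user,
            "event": event,
            "time": datetime.now(timezone.utc).isoformat(),
            "success": success,
            "origin": origin,
            "affected": affected,
        })


def failed_accesses(audit_log):
    """Starting point for the daily log review Req 10.6 asks for: who was refused, from where."""
    return [(e["user"], e["origin"]) for e in audit_log if not e["success"]]


if __name__ == "__main__":
    vault = CardholderDataVault(b"\x01" * 32, {"chargeback-analyst"})
    tok = vault.store("svc-pos-01", "4111111111111111", "2512", "10.1.1.5")
    print(vault.lookup("alice", "chargeback-analyst", tok, "10.2.0.7"))
    print(vault.lookup("bob", "developer", tok, "10.2.0.8"))
    print("refused:", failed_accesses(vault.audit_log))
```

The role check is deliberately inside the vault rather than in the caller: the survey's "restricting access to card data" finding is usually a symptom of access decisions scattered across every application that touches the PAN.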
NEW VENTURES - PAYMENTS
12 rules of compliance
MphasiS – PCI service approach
The PCI DSS Management Services offering contains the following packages:
• PCI DSS Integrated Management Services: a comprehensive package of base infrastructure-related services that ensures processes and overall security controls are in place and that compliance with the PCI Data Security Standard is maintained. This service covers all infrastructure-support requirements that the client can outsource.
• PCI DSS Discrete Management Services: a set of standalone security services, each addressing a defined subset of PCI DSS requirements, which clients can select to address specific needs.
MphasiS GNIS – service offerings
PCI-related services for first-time clients:
• PCI consulting
• PCI DSS pre-compliance assessment
• PCI DSS gap analysis
• PCI DSS implementation (custom solutions, point solutions)
• Formulating policies in line with PCI requirements
• PCI DSS pre-audit and audit preparation
• PCI training
• Penetration testing and vulnerability assessment
PCI-related services for already certified customers:
• Continuum services
• Ensuring that certifications remain valid
• Bi-annual mock audits
• Help with pre-assessment and assessment audits with a certified QSA
In short…
• A number of NonStop customers have passed PCI certification audits on their systems
• However, there is no standard process or single security product that automatically achieves PCI compliance on any system
• PCI DSS compliance is achieved by a combination of enforced policies, process and technology
• Organisations must create and implement appropriate security-related policies and practices for their business
• Selecting and making proper use of security products helps ensure that policies and best practices are met
Why MphasiS?
• An integrated, vendor-neutral approach with the customer's interests in mind
• PCI compliance services delivered successfully for several customers
• An approach that can meet your NonStop security and PCI needs at optimal cost, using reusable components and specific methodologies
• A strong team with knowledge of world-renowned security standards: 182 security consultants, 17 FTEs in the PCI CoE (SMEs plus technical team)
• Strong focus on the Payments business unit
• Options matched to your organisation's current level of security awareness, with a path to raise it gradually
MphasiS GNIS Infosec and PCI CoE team
• MphasiS GNIS has been operational for five years. The team both develops security capabilities and delivers ongoing security services for HP and HP clients.
• The MphasiS ITO GNIS security team is staffed with:
  • A total workforce of 500+ in GNIS
  • A dedicated group of 182+ MS/MBA security engineers, consultants, PMs and analysts in IS
  • Technical members skilled in security engineering and in the software platforms used in development
  • More than 10 ongoing security projects, with dedicated and leveraged security project-management professionals
Case studies (selected)
• BNTB – IT security/compliance and IT operations (completed)
• Pegasus (completed)
• National City GSN (completed)
• HP ECS: HP Enterprise Cloud Services (ongoing)
• TOPs Retail Chains (completed)
• Luxottica
• DCNA 2.1 / HSP 3.1 (assessment completed)
BNTB – IT security/compliance and IT operations services
Customer overview: Bank of N.T. Butterfield & Son Limited (BNTB). The Butterfield Group is a full-service community bank and a provider of specialised international financial services.
Project overview: HP entered into a new agreement with BNTB to transform their security infrastructure to meet PCI DSS requirements. MphasiS and HP PCI architects and engineers designed the solution with two PCI compartments and drove the process to meet the standard.
Services delivered:
• Security management: user provisioning and de-provisioning; centralised management of identity data in a heterogeneous environment of 600+ servers; automated workflow; auditing and reporting; SRF and Digital Workflow tool
• Compliance: PCI DSS-compliant solutions/compartments
• Incident management: capture, logging and routing; acceptance and response; analysis, resolution and closure
• Problem management: handling escalated incidents; incident trend analysis
BNTB – Security Office team
Challenges:
• Lack of security policies
• Customised applications used for card processing
• Partially automated workflows
• No regulation of the flow of requests
• Delayed approval of requests from role owners
Benefits delivered:
• Significant reduction in cost overhead through effective best-shoring
• PCI DSS-ready solution
Bhaskar Maddala Associate Vice President MphasiS Australia Pty Ltd – a HP Company Mob: +61 424761703 Bhaskar.Maddala@hp.com, Bhaskar.maddala@mphasis.com www.MphasiS.com Thank you