PCI: As complicated as it sounds?
Gerry Lawrence, CTO, gerry.lawrence@netbenefit.com

Background
• Experts in business critical hosting
• Wide range of customers
• …including many e-commerce sites
Growth of e-commerce Source: UK National Statistics Office
Card fraud
• Reduction due to:
  • Sophisticated fraud screening
  • Cardholder authentication
  • Awareness campaign
  • PCI compliance improvements
Source: UK Card Association

Card fraud
Every business website will suffer at least one attempted attack in a given year. In 2008, 75,600 burglaries took place in the UK according to Home Office statistics, yet the number of hacks that occur far outweighs this figure. According to the Information Security Breaches Survey 2010, 94% of business respondents suffered a security breach.
Source: Home Office statistics (534 businesses polled)
Card fraud
• PCI awareness increased
• PCI standards more organised, more specific and tougher
• Banks now following through on non-compliance
Source: Home Office statistics (534 businesses polled)

Time/resource
• Many skills only needed some of the time
• Monitoring is very time consuming
• Monitoring needs to happen 24x7

Skills
• Deep understanding of the compliance and regulatory framework
• Secure network design
• Systems design
• Detailed log analysis
• Incident response

Typical system (diagram)
Internet → firewalls → load balanced web servers → database servers → SAN and backup server in the primary datacentre; a secondary datacentre behind its own firewall with a web server, database server and backup server.

Choosing the right partner
Selection criteria:
• Security industry expertise to complement our own
• Specific PCI compliance experience
• Pro-active 24 hour monitoring and response service
• Cultural fit and great attitude
12 steps to achieve PCI Compliance

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

12 steps to achieve PCI Compliance
PCI compliance… Does it apply to me?
"No, because I use a 3rd party payment provider…"
…ever heard of 'Man in the Middle'?
12 steps to avoid Snakes & Hackers
What are the risks?
• Huge fines
• Banks may refuse your business
• More exposure to repeat hacking attacks
• Brand reputation

12 steps to avoid Snakes & Hackers
How can NetBenefit help?

NetBenefit is located at Stand 930
• Pick up our PCI whitepaper
• Speak to our PCI experts
• Happy to answer any questions