
The Payment Card Industry Data Security Standard (PCI DSS)


Presentation Transcript


  1. The Payment Card Industry Data Security Standard (PCI DSS)

  2. Presentation outline
     • Why PCI DSS?
     • Compliance and validation levels
     • Cardholder data
     • The legal perspective
     • Performing a PCI DSS audit
     • Decreasing costs through automation

  3. What is the Payment Card Industry Data Security Standard (PCI DSS)?
     • The PCI DSS is a set of security standards drawn up by the world’s major credit card companies, including VISA and MasterCard, to protect credit and debit card data
     • To date, these requirements govern all payment channels, including retail, mail order, telephone order and e-commerce
     • It was previously a separate information security standard; it has now become a global security standard

  4. Why is the PCI DSS required?
     • Cardholder data theft and fraud have been around since the mid-80’s, and this prompted Visa to establish the first security program
     • The recent TJX security breach, in which at least 45.6 million credit and debit card numbers were stolen by hackers who broke into its network, highlights the increased need for greater security
     • According to InformationWeek, hackers can sell stolen credit card data on the black market at a rate of USD 490 for a card number with PIN

  5. PCI Data Security Standard v1.1 (1/3)
     • The PCI DSS framework is divided into 12 security requirements which can be grouped into three main areas:
       • Collection and storage of all log data so that it is available for analysis
       • Reporting on all activity so as to be able to prove compliance on the spot
       • Monitoring and alerting whereby administrators can constantly monitor access and usage of data and be warned of problems immediately

  6. PCI Data Security Standard v1.1 (2/3)
     • The PCI DSS framework is also made up of six categories as follows:
       • Build and maintain a secure network
       • Protect cardholder data
       • Maintain a vulnerability management program
       • Implement strong access control measures
       • Regularly monitor and test networks
       • Maintain an information security policy

  7. PCI Data Security Standard v1.1 (3/3)
     • Install and maintain a firewall configuration to protect cardholder data
     • Do not use vendor-supplied defaults for system passwords and other security parameters
     • Protect stored cardholder data
     • Encrypt transmission of cardholder data across open, public networks
     • Use and regularly update anti-virus software or programs
     • Develop and maintain secure systems and applications
     • Restrict access to cardholder data by business need-to-know
     • Assign a unique ID to each person with computer access
     • Restrict physical access to cardholder data
     • Track and monitor all access to network resources and cardholder data
     • Regularly test security systems and processes
     • Maintain a policy that addresses information security for employees and contractors

  8. What is “cardholder data”?
     • All information from a credit/debit card used in a transaction (pcianswers.com)
     • Cardholder data elements
       • Primary Account Number (PAN)
       • Cardholder name
       • Expiration date
     • Sensitive Authentication Data (SAD)
       • Magnetic stripe data
       • Card Validation Code (CVC)
       • Personal identification number (PIN)

  9. Cardholder data storage
     • The PCI DSS governs how cardholder data may be stored
     • It is permitted to store the following details as long as they are encrypted, hashed or truncated:
       • PAN, Cardholder name, Expiration date, Service Code
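The storage rule on slides 8 and 9 in code, as an added example that is not part of the original presentation: a transaction record is reduced to the elements the slides say may be kept (PAN, cardholder name, expiration date, service code), the PAN is truncated and keyed-hashed, and every Sensitive Authentication Data element (magnetic stripe, CVC, PIN) is dropped and reported. The "last four digits" truncation rule, the HMAC-SHA-256 choice, the field names and the sample transaction are assumptions constructed for this example.

```python
import hashlib
import hmac
import re

# SAD elements from slide 8: must never be written to storage.
SAD_FIELDS = ("magnetic_stripe", "cvc", "pin")
# Elements slide 9 permits in storage, provided they are encrypted, hashed or truncated.
STORABLE_FIELDS = ("pan", "cardholder_name", "expiration_date", "service_code")


def pan_digits(pan: str) -> str:
    """Strip spaces/dashes and validate the PAN length (13-19 digits assumed)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits (assumed rule), mask the rest."""
    digits = pan_digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256, assumed) so records can be matched without the PAN."""
    return hmac.new(key, pan_digits(pan).encode(), hashlib.sha256).hexdigest()


def to_storable_record(txn: dict, key: bytes) -> tuple[dict, list]:
    """Return (record safe to persist, list of SAD fields that were dropped)."""
    dropped = [f for f in SAD_FIELDS if txn.get(f)]
    record = {f: txn[f] for f in STORABLE_FIELDS if f in txn and f != "pan"}
    # The clear-text PAN is replaced by its truncated and hashed forms.
    record["pan_truncated"] = truncate_pan(txn["pan"])
    record["pan_hmac"] = hash_pan(txn["pan"], key)
    return record, dropped


# Constructed sample transaction (test card number, not a real account).
SAMPLE_TXN = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Sample",
    "expiration_date": "12/09",
    "service_code": "201",
    "cvc": "123",
    "pin": "1234",
    "magnetic_stripe": "%B4111111111111111^SAMPLE/A^0912201?",
}

if __name__ == "__main__":
    rec, gone = to_storable_record(SAMPLE_TXN, b"constructed-demo-key")
    print(rec, "dropped:", gone)
```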

  10. Typical transaction flow
     1. A customer uses a credit card to pay a merchant for purchased goods
     2. The merchant submits the credit card transaction to the Payment Gateway
     3. The Payment Gateway passes the transaction via a secure connection to the Merchant’s Bank
     4. The Merchant’s bank then goes through the Credit Card Interchange for transaction approval

  11. Who should be PCI DSS compliant?
     • As from September 30, 2007 all businesses handling cardholder data – irrespective of size – have to be compliant with strict security standards drawn up by the world’s major credit card companies
     • This applies to all entities where cardholder data is
       • Stored
       • Transmitted
       • Processed
     • All entities described as merchants or service providers must become compliant

  12. Merchants
     • Entities that accept credit cards as payment
     • Examples of sectors affected
       • Online trading (e.g. ebay.com)
       • Retail (e.g. Wal-Mart)
       • Higher Education (e.g. Universities)
       • Health (e.g. Hospitals)
       • Travel and entertainment (e.g. Restaurants)
       • Energy (e.g. Gas/Service stations)
       • Finance (e.g. Insurance companies)

  13. Merchant compliance levels

  14. Service providers
     • Entities that provide services to merchants
     • Examples of services
       • Payment gateways (e.g. PayPal)
       • Payment processors
       • E-commerce host providers
       • Managed service providers
       • Credit reporting agencies
       • Backup management companies
       • Paper shred companies

  15. Service provider compliance levels

  16. PCI DSS compliance procedures

  17. Cardholder data compromises
     • “Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected” - PCI DSS glossary
     • Incident response plan
       • Requirement 12.9
     • Why report a compromise?
       • Limit the damage
     • Reporting channels
       • Internal incident response team
       • Credit card associations and acquirers
       • Local law enforcement
     • Who risks a compromise?

  18. Consequences
     • Financial
       • Could lead to fines of up to USD 500,000 and expensive litigation costs
     • Reputation
       • A negative incident could have a big impact on a brand name
       • Involvement of law enforcement agencies
     • Operational
       • Level 2, 3 or 4 + compromise = Level 1
       • Could lead to a potential loss of card processing privileges

  19. Preparation for PCI DSS compliance
     • Become familiar with the PCI DSS requirements
     • Identify all cardholder data and remove unnecessary cardholder data
     • Perform a security gap analysis
     • Create an action plan and call in experts for advice if necessary

  20. PCI DSS compliance costs

  21. Pain points
     • Maintain secure systems and applications
       • Audit your network
       • Scan for vulnerabilities
       • Deploy patches/service packs
     • Monitor the network
       • Log user activity
       • Log access to cardholder data
       • Alert on important events
     • Provide documented evidence
       • Maintain secure systems
       • Monitor activity
       • Take remedial action

  22. Automation through software
     • Drastically reduce manual, repetitive tasks:
       • Network audits
       • Vulnerability management
       • Activity monitoring
       • Real-time alerts
       • Remedial action
       • Report generation

  23. PCI DSS and GFI network security products
     • Products: GFI EventsManager, GFI LANguard N.S.S.
     • Requirements addressed:
       • Install and maintain a firewall configuration to protect cardholder data
       • Do not use vendor-supplied system passwords & other security parameters
       • Protect stored cardholder data
       • Assign a unique ID to each person with computer access
       • Track and monitor all access to network resources and cardholder data

  24. ROI and business benefits
     • Automation
       • Reduce manual and repetitive tasks
       • Reduce administrator’s workload
       • Trigger proactive remedial actions
     • Protection
       • Complement your security policy
       • Notify you on potential security threats
       • Gives you peace of mind
     • Savings
       • No PCI DSS fines
       • No outsourced consultancy fees
       • Business continuity

  25. Conclusion
     • Since companies are constantly at risk of losing sensitive cardholder data, which could result in fines, legal action and bad publicity, achieving compliance with the PCI DSS should be high on the agenda of companies that store, transmit or process credit card data
     • PCI DSS compliance needs to be achieved by September, 2007 – this is the deadline set by the credit card companies
     • GFI Software offers such businesses two products, GFI EventsManager and GFI LANguard Network Security Scanner (N.S.S.), to help them on their road to becoming compliant

  26. Corporate overview
     • Founded in 1992
     • Over 200 employees worldwide
     • Offices in Malta, London, Raleigh, Hong Kong and Adelaide
     • GFI products installed on over 200,000 networks worldwide, mostly SMBs
     • A channel-focused company with over 10,000 partners throughout the world
     • The vision: To become the technology of choice for IT security and productivity solutions.
     • The mission: To provide quality, cost-effective content security, network security and messaging solutions to IT professionals around the world.
