
Implementing PCI DSS Requirements Within Your Organisation

Presentation by Simon Breeden, Visa Europe, September 2008. Data security and your brand: how much would your brand be worth if you lost your customers' trust? Would your customers stay with you? Your brand needs security!





Presentation Transcript


  1. Implementing PCI DSS Requirements Within Your Organisation. September 2008. Simon Breeden, Visa Europe.

  2. Data security and your brand
  • How much would your brand be worth if you lost your customers' trust?
  • Would your customers stay with you?
  Tel Aviv - 18th September 2008

  3. Your brand needs security!
  • Compromises happen every day, everywhere
  • In the customer's view, consumers, card schemes and merchants share responsibility for protecting card data
  • Yet 63% of customers view merchants as the weakest link when it comes to protecting their data¹
  ¹ Source: Javelin Strategy and Research 2007

  4. In customers' eyes we all share responsibility to prevent fraud

  5. Merchants as the weakest link

  6. Customer confidence seriously impacted by a data breach
  • In the case of a breach:
    - 49% of customers believe merchants to be the most likely source of the data breach
    - 3 out of 4 customers won't shop again at a compromised merchant
    - 84% of customers want to shop at merchants who are security market leaders
  • Investing in PCI DSS should be part of your customer retention plans

  7. Media and regulators are watching us
  • National and European governments are showing increasing interest in the area of account information security
  • The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise), already adopted in California, Minnesota and Texas
  • Media are increasingly questioning industry compliance and progress

  8. Is PCI DSS mandated for everybody?
  • PCI DSS is mandated for all merchants and other entities with access to card data
  • No access to data = no need for compliance validation
  • In the future, more companies may consider not handling card data directly, rather than going through the cost and risk of securing it

  9. What is it for?
  • Protecting customer confidence
  • Mitigating fraud and other losses
  • Protecting against reputational damage
  • Avoiding further regulatory control

  10. PCI DSS part of overall Visa security
  (Diagram: each channel paired with its security measure)
  • POS environment: Chip & PIN
  • Online e-commerce: Verified by Visa
  • Back office: PCI DSS

  11. DATA: What is important about 'data'? (Visa Europe section divider)

  12. Card data (diagram labels)
  • Card front: card number, chip, expiry date
  • Magnetic stripe: made up of "Track 1" and "Track 2" data
  • CVV2: the card account number, plus a three-digit Card Verification Value 2 (CVV2), is indent-printed on the signature panel
  • Track data and CVV2 should never be stored after authorisation

  13. You are only as safe as the least safe link in the chain
  (Diagram of the payment chain; labels: processor, Internet payment gateway, web hosting company, merchant, acquiring bank)

  14. Data theft is…
  • Organised
  • Multi-national
  • Increasing in frequency
  • Very, very lucrative
  • Easy
  • Almost risk-free

  15. Most companies don't help themselves
  • Track data and CVV2 are the 'honey pot' that hackers look for
  • 80%+ of entities that are hacked are storing track data and CVV2
  • 70-80% of companies compromised go out of business within one year

  16. PCI DSS is good business practice
  • Think of it as spring cleaning!
  • PCI DSS is an opportunity to take a fresh look at how your company works and identify any issues with people, processes and systems
  • This enables you to:
    - Check your house is in order
    - Discard unwanted items
    - Rethink your data storage business needs
    - Fix issues

  17. The first thing!
  • PCI DSS is mandated for all merchants and other entities who store, process and/or transmit card data
  • No data = no need for compliance validation
  • Companies have the option of investing in data security or hiring a third party to manage data on their behalf

  18. The second thing!
  • The key to a successful compliance programme is to:
  • Identify stakeholders
    - Finance Director, Risk Committee, Information Security Officer, IT Director, Operations Director, …
  • Get business sponsorship
    - Present PCI DSS and the risk of non-compliance to the Board
    - Brand image is at stake

  19. Making PCI compliance a reality
  (Process diagram; stages: How does PCI relate?, data flow analysis, gap analysis, remediation plan, implement remediation, compliance validation)
  • Visa's recommended approach is to:
    - Complete data flow analysis early
    - Complete a comprehensive gap analysis
    - Define a detailed remediation plan

  20. Scoping and sampling
  • Proper scoping and thorough reviews are critical
  • Beware of not scoping and identifying all potential systems that may hold cardholder information; this can lead to critical and destructive hacks
  • The data flow mapping exercise should identify all points of storage, processing and transmission

  21. PCI DSS scoping
  • PCI DSS applies to all systems and networks that store, process and/or transmit cardholder data, and all connected systems
  • Includes networking equipment that transmits cardholder data (e.g. routers, switches, firewalls, wireless access points)
  • Encrypted cardholder data is still within scope

  22. Quick wins
  • Do not store track data or CVV2 post-authorisation
  • Delete card data everywhere you can
  • Update security policy
  • Update templates to ensure PCI DSS is included in all new projects
  • Data retention policy and process
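Slide 12 describes the track data and CVV2 that must never be retained after authorisation, and slide 22 asks you to delete card data everywhere you can. The data-discovery scanner below is an added example, not part of the presentation: it runs over a constructed, hypothetical application log, flags Track 1, Track 2 and CVV2 fields (sensitive authentication data that has to be deleted) and Luhn-valid PANs (whose retention needs review). The log format, field names and the test PAN are assumptions for the example.

```python
import re

# Constructed sample log (hypothetical); the PAN is the well-known test number 4111...1111.
SAMPLE_LOG = """\
2008-09-18 10:01:02 auth ok order=1001 pan=4111111111111111 exp=0912
2008-09-18 10:01:03 debug raw=%B4111111111111111^DOE/JOHN^09121010000000000000?
2008-09-18 10:01:04 debug track2=;4111111111111111=09121010000000000?
2008-09-18 10:01:05 auth ok order=1002 cvv2=123 pan=4111111111111111
2008-09-18 10:02:00 shipping order=1003 customer=12345
"""

PATTERNS = {
    # Track 1: %B<PAN>^<NAME>^<expiry YYMM><service code/discretionary data>?
    "track1": re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?"),
    # Track 2: ;<PAN>=<expiry YYMM><service code/discretionary data>?
    "track2": re.compile(r";(\d{13,19})=\d{4}[^?]*\?"),
    # CVV2 written out as a labelled field by a careless application
    "cvv2": re.compile(r"\bcvv2?=(\d{3,4})\b", re.IGNORECASE),
}
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")  # bare digit run, confirmed by Luhn
SAD = {"track1", "track2", "cvv2"}  # sensitive authentication data: never kept post-auth


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates a real PAN from an order or customer number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list:
    """Return the card-data element types present on one log line."""
    found = [name for name, rx in PATTERNS.items() if rx.search(line)]
    if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(line)):
        found.append("pan")
    return found


def scan_log(text: str) -> list:
    """(line number, elements, action) for every line that retains card data."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        found = scan_line(line)
        if SAD & set(found):
            results.append((n, found, "DELETE: SAD stored post-authorisation"))
        elif found:
            results.append((n, found, "REVIEW: PAN retained, check retention policy"))
    return results
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 to 4 and leaves the shipping line alone; the same scan pointed at real log, database and backup locations is the data flow mapping step that finds storage points you did not know about.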

  23. Advice on payment applications
  • PA-DSS is here!
  • Released by PCI SSC on 15 April 2008
  • A set of comprehensive security standards for use by vendors to ensure their products assist PCI DSS compliance
  • Ensure new applications are PA-DSS compliant
  • Get the comfort of knowing you have an application which, if implemented correctly, helps you to become PCI DSS compliant
  • PA-DSS certified applications do not make you compliant, but they help you get there

  24. Merchant compliance validation
  • Processing more than 6 million Visa transactions per year, or compromised in the last year: annual on-site security audit and quarterly network scan
  • Processing 1 million to 6 million Visa transactions per year: annual self-assessment questionnaire and quarterly network scan
  • Processing 20,000 to 1 million Visa e-com transactions per year: annual self-assessment questionnaire and quarterly network scan
  • Processing up to 20,000 Visa e-com transactions per year, and all other merchants processing up to 1 million Visa transactions per year: recommended annual self-assessment questionnaire and quarterly network scan

  25. Service provider compliance validation
  • All VisaNet processors, payment gateways and Internet payment service providers, regardless of volumes: annual on-site security audit and quarterly network scan
  • Any service provider not in level 1 that stores, processes or transmits more than 1 million Visa accounts or transactions per year: annual on-site security audit and quarterly network scan
  • Any service provider not in level 1 that stores, processes or transmits less than 1 million Visa accounts or transactions per year: annual self-assessment questionnaire and quarterly network scan

  26. Compliance management
  • If you do not comply:
    - There are levels of fines that are imposed
    - There are fines for data compromise
  • Ultimate sanction: prohibition by all brands on dealing with cards and card data

  27. However, it is a journey
  • No expectation of immediate compliance
  • However:
    - No open-ended deadlines to comply
    - Evidence of commitment to comply
    - Planned approach
  • Compliance is a 24-hour-a-day activity, not a once-a-year activity to satisfy an audit
