A practical guide to PCI compliance
Matthew Page, IT security manager, Leeds Beckett University
14/11/2017
A Practical Guide to PCI
Compliance
Matthew Page – IT Security Manager
PCI ISA
The Purpose of this Presentation
• To help those who are starting out on the PCI compliance journey
• Where to find help and documentation
• Formal courses tend to discuss the 12 requirements rather than how to become compliant
• It can be quite daunting, so I aim to provide an overview of PCI
• I’m not going to discuss:
– The requirements in detail
– The payment cycle
*For further information on these please review the documents referenced in the resources section.
What is PCI?
• Payment Card Industry
• Payment card data and transactions, not direct debits or PayPal payments
• It’s not a legal requirement
• It’s a contractual requirement
• 12 main requirements (essentially a checklist)
• Mainly technical requirements with procedural and policy based requirements
• Who is PCI compliant?
*Courtesy of PCIDSSSIG
Why Protect this Data?
• It’s very valuable data to hackers
• US company Target breach 2013-2014
– 40 million card details affected
– Cost Target $350 million
– 46% drop in profits
– 1-3 million cards sold on the black market
– Resignation of CEO
• Reputational impact
*Data source Axelos Resilia
6 Goals of PCI Compliance
*Barclaycard
Goal 1 – Build and maintain a secure network and systems
Associated Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal 2 – Protect cardholder data
Associated Requirements
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Goal 3 – Maintain a vulnerability management program
Associated Requirements
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications (patching and config)
Goal 4 – Implement strong access control measures
Associated Requirements
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Goal 5 – Regularly monitor and test networks
Associated Requirements
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes (pen tests, vulnerability scans, etc.)
Goal 6 – Maintain an information security policy
Associated Requirements
12. Maintain a policy that addresses information security for all personnel
Where are you now?
*Barclaycard
• Many of the goals and requirements will already be in place
• Some may need fine tuning and some will need significant effort to bring into line with the standard
12 Requirements & Sub Requirements
• 12 high level requirements
• All the requirements have sub requirements, totalling over 300 across the standard
• That’s a lot!
• Very expensive to adhere to them all and time consuming to support and maintain
• Good news: hopefully you won’t have to adhere to them all
• That’s not to say you should take shortcuts
• Depending on your environment you may not need to comply with all the requirements to be compliant
• This is where SAQs will help
The SAQs
• Web payments: A and A-EP
• Payment terminals (Chip & PIN): B, B-IP & P2PE
• Merchants who use a payment application system or virtual terminal to process card payments: C & C-VT
• Merchants who store cardholder data: D
SAQ Requirements
Requirement Description SAQ D SAQ C SAQ C-VT B-IP B A-EP* A P2PE
1 Firewall config Full Partial Partial Partial Partial
2 Vendor defaults Full Partial Partial Partial Partial Partial
3 Stored CHD Full Partial Partial Partial Partial Partial Partial
4 Encryption Full Partial Partial Partial Partial Partial
5 AV & patching Full Partial Partial Partial
6 Development Full Partial Partial Partial Partial
7 Restrict access Full Partial Partial Partial Partial Partial
8 Identify & authenticate Full Partial Partial Partial Partial Partial
9 Restrict physical access Full Partial Partial Partial Partial Partial Partial Partial
10 Track and monitor Full Partial Partial
11 Vulnerability testing Full Partial Partial Partial
12 Policies Full Partial Partial Partial Partial Partial Partial Partial
• Refer to the ‘PCI SAQ Instructions and Guidelines’ document to determine which of your merchant accounts align with which SAQ, and speak to your acquirer to confirm
PCI SAQ Instructions and Guidelines Document
Merchant Levels & Assessment Criteria
Level 1 – Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
Validation requirements:
• Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource
• Quarterly network scan by Approved Scan Vendor (ASV)
• Attestation of Compliance form
QSA Services
• PCI assessment
• ROC
• Attestation sign off
• Gap analysis
ASV
• Tool to scan the network environment for vulnerabilities. Any high vulnerabilities are failures.
Merchant Levels
Level 1 – Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
Validation requirements:
• Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource
• Quarterly network scan by Approved Scan Vendor (ASV)
• Attestation of Compliance form
Level 2 – Merchants processing one million to six million Visa transactions annually via all channels.
Validation requirements:
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by ASV
• Attestation of Compliance form
Level 3 – Merchants processing 20,000 to one million Visa e-commerce transactions annually.
Validation requirements:
• Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com)
OR
• Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
Level 4 – E-commerce merchants only: merchants processing fewer than 20,000 Visa e-commerce transactions annually.
Validation requirements:
• Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com)
OR
• Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
Acquirers
• Who are the acquirers?
An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The acquirer enables merchants to accept card payments.
• They can help provide information regarding the number of merchant accounts in use and the volume of transactions being processed through them
• They are responsible for ensuring their associated merchants are PCI compliant and will ask you to provide an AOC
• If you are unable to do this you may start to receive threatening letters
• Don’t be afraid to challenge your acquirer
• Find your business relationship manager and build a relationship
Your Payment Gateways
• Identify where payments are being taken throughout the university
• Identify how card data traverses the network
• Is cardholder data stored as part of the process?
• Identify the SAQ level
• Identify the merchant level
• Speak to your acquirer; they will help verify your merchant and SAQ levels
Reduce the Scope
• Are card payments segregated from the rest of your network?
• Can you segregate your networks?
• Avoid storing cardholder data
• Be aware of the problems with descoping
– perceptions that the entire network is as secure as the cardholder environment when in fact it has been descoped and therefore may not be maintained to the same standard.
• Determine the cost of descoping: is it just easier to include everything?
• Remember PCI should be part of your data security strategy
The PCI Project
• It’s a project - create a plan
• Use the prioritised approach provided by PCI
• Collaborative approach with:
– IT
– Finance
– Governance
– Other relevant departments
– Acquirers
• Who should drive the project?
– IT
– Finance
– Governance
– ?
• Get buy in
– You can’t do this alone
Resources
• Find a QSA https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
• Your acquirer
• Merchant levels
• MasterCard https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
• Visa https://www.visaeurope.com/receiving-payments/security/merchants
• PCIDSSSIG
– Training courses
– Foundation, Practitioner and ISA (free if you are a member)
– Resources http://www.pcidsssig.org.uk/
• PCI Document library https://www.pcisecuritystandards.org/document_library
• PCI Prioritised approach https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
• Guidance for Network Segmentation https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf?agreement=true&time=1510049283753
Final Thoughts
• It’s a checklist, so you can take one step at a time
• Training/reading/familiarise yourself with the standard
• Get project buy in
• Speak to people (Finance, acquirers, staff)
• Determine the scope
• Work with the acquirers
• The goals of PCI are just the best practice elements we should all be implementing.
• Different security/compliance standards will aid each other
• You don’t need to be an ISA, but it helps.
Questions?
A Practical Guide to PCI
• Find a QSA
https://www.pcisecuritystandards.org/assessors_and_so
lutions/qualified_security_assessors
• Your Acquirer
• Merchant levels
• MasterCard https://www.mastercard.us/en-
us/merchants/safety-security/security-
recommendations/merchants-need-to-know.html
• Visa https://www.visaeurope.com/receiving-
payments/security/merchants
• PCIDSSSIG
– Training courses
– Foundation, Practitioner and ISA (free if you are
a member)
– Resources http://www.pcidsssig.org.uk/
• PCI Document library
https://www.pcisecuritystandards.org/document_librar
y
• PCI Prioritized approach
https://www.pcisecuritystandards.org/documents/Prior
itized-Approach-for-PCI_DSS-v3_2.pdf
• Guidance for Network Segmentation
https://www.pcisecuritystandards.org/documents/Guid
ance-PCI-DSS-Scoping-and-
Segmentation_v1_1.pdf?agreement=true&time=1510
049283753
Resources

More Related Content

PPTX
Introduction to PCI DSS
PDF
PCI-DSS_Overview
PPT
PCI DSS
PPTX
PCI DSS Compliance
PDF
1. PCI Compliance Overview
PPTX
PCI DSS Compliance Checklist
PPTX
Webinar - pci dss 4.0 updates
PDF
PCI DSS Implementation: A Five Step Guide
Introduction to PCI DSS
PCI-DSS_Overview
PCI DSS
PCI DSS Compliance
1. PCI Compliance Overview
PCI DSS Compliance Checklist
Webinar - pci dss 4.0 updates
PCI DSS Implementation: A Five Step Guide

What's hot (20)

PDF
Why ISO27001 For My Organisation
PDF
ISO 27001 2002 Update Webinar.pdf
PPTX
CISSP-Certified.pptx
PPTX
ISO 27001 Awareness/TRansition.pptx
PDF
ISO27001: Implementation & Certification Process Overview
PDF
Information security management system (isms) overview
PPTX
Basic introduction to iso27001
PDF
Iso 27001 Checklist
PDF
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
PDF
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PDF
PDF
Cybersecurity roadmap : Global healthcare security architecture
PDF
Industrial_Cyber_Security
PDF
Pcidss qr gv3_1
PPT
Overview of ISO 27001 ISMS
PDF
HITRUST 101: All the basics you need to know
PDF
CISSP Cheatsheet.pdf
PDF
Isms awareness presentation
PPTX
27001 awareness Training
Why ISO27001 For My Organisation
ISO 27001 2002 Update Webinar.pdf
CISSP-Certified.pptx
ISO 27001 Awareness/TRansition.pptx
ISO27001: Implementation & Certification Process Overview
Information security management system (isms) overview
Basic introduction to iso27001
Iso 27001 Checklist
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
PCI DSS v4 - ControlCase Update Webinar Final.pdf
Cybersecurity roadmap : Global healthcare security architecture
Industrial_Cyber_Security
Pcidss qr gv3_1
Overview of ISO 27001 ISMS
HITRUST 101: All the basics you need to know
CISSP Cheatsheet.pdf
Isms awareness presentation
27001 awareness Training
Ad

Similar to A practical guides to PCI compliance (20)

PPTX
Educause+PCI+briefing+4-19-20162345.pptx
PDF
Payment System Risk. Visa
PDF
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PPT
eCommerce Summit Atlanta Mountain Media
PPT
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
PPTX
PCI DSS Compliance Readiness
PDF
PCI_Presentation_OASIS
PDF
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
PPTX
Payment Card Industry Compliance for Local Governments CSMFO 2009
PPTX
PruebaJLF.pptx
PPT
PCI Compliance 101
PDF
PCI DSS: What it is, and why you should care
PDF
Reduce PCI Scope - Maximise Conversion - Whitepaper
PDF
PCI compliance and fraud prevention for non profits
PDF
PCI DSS Data Security Compliance Program Overview
PPTX
Payment Card Industry CMTA NOV 2010
PPTX
PCI Compliance for Community Colleges @One CISOA 2011
PDF
You Know You Need PCI Compliance Help When…
PPTX
E commerce overview
PPTX
Maze & Associates PCI Compliance Tracker for Local Governments
Educause+PCI+briefing+4-19-20162345.pptx
Payment System Risk. Visa
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
eCommerce Summit Atlanta Mountain Media
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
PCI DSS Compliance Readiness
PCI_Presentation_OASIS
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Payment Card Industry Compliance for Local Governments CSMFO 2009
PruebaJLF.pptx
PCI Compliance 101
PCI DSS: What it is, and why you should care
Reduce PCI Scope - Maximise Conversion - Whitepaper
PCI compliance and fraud prevention for non profits
PCI DSS Data Security Compliance Program Overview
Payment Card Industry CMTA NOV 2010
PCI Compliance for Community Colleges @One CISOA 2011
You Know You Need PCI Compliance Help When…
E commerce overview
Maze & Associates PCI Compliance Tracker for Local Governments
Ad

More from Jisc (20)

PPTX
Strengthening open access through collaboration: building connections with OP...
PPTX
Andrew-Brown-JUSP-showcase-20240730.pptx
PPTX
JUSP Showcase - Rebuilding Data presentation
PPTX
Adobe Express Engagement Webinar (Delegate).pptx
PPTX
FE Accessibility training matrix partnership - information session
PPTX
Procuring a research management system: why is it so hard?
PPTX
Adobe Express Engagement Webinar (Delegate).pptx
PPTX
How libraries can support authors with open access requirements for UKRI fund...
PPTX
Supporting (UKRI) OA monographs at Salford.pptx
PPTX
The approach at University of Liverpool.pptx
PPTX
Jisc's value to HE: the University of Sheffield
PPTX
Towards a code of practice for AI in AT.pptx
PPTX
Jamworks pilot and AI at Jisc (20/03/2024)
PPTX
Wellbeing inclusion and digital dystopias.pptx
PPTX
Accessible Digital Futures project (20/03/2024)
PPTX
Procuring digital preservation CAN be quick and painless with our new dynamic...
PPTX
International students’ digital experience: understanding and mitigating the ...
PPTX
Digital Storytelling Community Launch!.pptx
PPTX
Open Access book publishing understanding your options (1).pptx
PPTX
Scottish Universities Press supporting authors with requirements for open acc...
Strengthening open access through collaboration: building connections with OP...
Andrew-Brown-JUSP-showcase-20240730.pptx
JUSP Showcase - Rebuilding Data presentation
Adobe Express Engagement Webinar (Delegate).pptx
FE Accessibility training matrix partnership - information session
Procuring a research management system: why is it so hard?
Adobe Express Engagement Webinar (Delegate).pptx
How libraries can support authors with open access requirements for UKRI fund...
Supporting (UKRI) OA monographs at Salford.pptx
The approach at University of Liverpool.pptx
Jisc's value to HE: the University of Sheffield
Towards a code of practice for AI in AT.pptx
Jamworks pilot and AI at Jisc (20/03/2024)
Wellbeing inclusion and digital dystopias.pptx
Accessible Digital Futures project (20/03/2024)
Procuring digital preservation CAN be quick and painless with our new dynamic...
International students’ digital experience: understanding and mitigating the ...
Digital Storytelling Community Launch!.pptx
Open Access book publishing understanding your options (1).pptx
Scottish Universities Press supporting authors with requirements for open acc...

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Empathic Computing: Creating Shared Understanding
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
Big Data Technologies - Introduction.pptx
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Electronic commerce courselecture one. Pdf
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
KodekX | Application Modernization Development
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
NewMind AI Weekly Chronicles - August'25 Week I
Empathic Computing: Creating Shared Understanding
20250228 LYD VKU AI Blended-Learning.pptx
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Unlocking AI with Model Context Protocol (MCP)
Big Data Technologies - Introduction.pptx
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Review of recent advances in non-invasive hemoglobin estimation
Electronic commerce courselecture one. Pdf
Spectral efficient network and resource selection model in 5G networks
KodekX | Application Modernization Development
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Advanced methodologies resolving dimensionality complications for autism neur...
Network Security Unit 5.pdf for BCA BBA.
Dropbox Q2 2025 Financial Results & Investor Presentation
Encapsulation_ Review paper, used for researhc scholars
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Understanding_Digital_Forensics_Presentation.pptx
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy

A practical guides to PCI compliance

  • 1. A practical guide to PCI compliance Matthew Page, IT security manager, Leeds Beckett University 14/11/2017
  • 2. A Practical Guide to PCI Compliance Matthew Page – IT Security Manager PCI ISA
  • 3. • To help those who are starting out on the PCI compliance journey • Where to find help and documentation • Formal courses tend to discuss the 12 requirements rather than how to become compliant • It can be quite daunting, so I aim to provide an overview of PCI • I’m not going to discuss: – The requirements in detail – The payment cycle *For further information on these please review the documents referenced in the resources section. A Practical Guide to PCI The Purpose of this Presentation
  • 4. A Practical Guide to PCI • Payment Card Industries What is PCI?
  • 5. A Practical Guide to PCI • Payment card data and transactions, not direct debits or PayPal payments What is PCI? *Courtesy of PCIDSSSIG
  • 6. A Practical Guide to PCI • Its not a legal requirement • It’s a contractual requirement • 12 main requirements (essentially a check list) • Mainly technical requirements with procedural and policy based requirements • Who is PCI compliant? What is PCI?
  • 7. A Practical Guide to PCI • Its very valuable data to hackers • US company Target breach 2013-2014 – 40 millions card details affected – Cost target $350 million – 46% drop in profits – 1-3 million cards sold on the black market – Resignation of CEO • Reputational impact Why Protect this Data? *Data source Axelos Resilia
  • 8. A Practical Guide to PCI 6 Goals of PCI Compliance
  • 9. A Practical Guide to PCI Goal 1 – Build and maintain a secure network and systems *Barclaycard Associated Requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • 10. A Practical Guide to PCI Goal 2 – Protect Cardholder data *Barclaycard Associated Requirements 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks
  • 11. A Practical Guide to PCI Goal 3 – Maintain a vulnerability management program *Barclaycard Associated Requirements 5. Protect all systems against malware and regularly update antivirus software or programs 6. Develop and maintain secure systems and applications (patching and config)
  • 12. A Practical Guide to PCI Goal 4 – Implement strong access control measures *Barclaycard Associated Requirements 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data
  • 13. A Practical Guide to PCI Goal 5 – Regularly monitor and test networks *Barclaycard Associated Requirements 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes (pen tests, vulnerability scans, etc.)
  • 14. A Practical Guide to PCI Goal 6 – Maintain an information security policy *Barclaycard Associated Requirements 12. Maintain a policy that addresses information security for all personnel
  • 15. A Practical Guide to PCI Where are you now? *Barclaycard • Many of the goals and requirements will be already in place • Some may need fine tuning and some will need significant effort to bring into line with the standard
  • 16. A Practical Guide to PCI • 12 high level requirements • All the requirements have sub requirements totalling over 300 across the standard • That’s a lot! • Very expensive to adhere to them all and time consuming to support and maintain • Good news, hopefully you won’t have to adhere to them all • That’s not to say you should take short cuts • Depending on your environment you may not need to comply with all the requirements to be compliant • This is where SAQs will help 12 Requirements & Sub Requirements
  • 17. A Practical Guide to PCI The SAQs
  • 18. A Practical Guide to PCI The SAQs Web Payments • A and A-EP
  • 19. A Practical Guide to PCI Payment Terminals (Chip & Pin) • B, B-IP & P2PE The SAQs
  • 20. A Practical Guide to PCI Merchants who use a payment application system or Virtual Terminal to process card payments • C & C-VT The SAQs
  • 21. A Practical Guide to PCI Merchants who store cardholder data • D The SAQs
  • 22. Requirement Description SAQ D SAQ C SAQ C-VT B-IP B A-EP* A P2PE 1 Firewall config Full Partial Partial Partial Partial 2 Vendor defaults Full Partial Partial Partial Partial Partial 3 Stored CHD Full Partial Partial Partial Partial Partial Partial 4 Encryption Full Partial Partial Partial Partial Partial 5 AV & patching Full Partial Partial Partial 6 Development Full Partial Partial Partial Partial 7 Restrict access Full Partial Partial Partial Partial Partial 8 Identify & authenticate Full Partial Partial Partial Partial Partial 9 Restrict physical access Full Partial Partial Partial Partial Partial Partial Partial 10 Track and monitor Full Partial Partial 11 Vulnerability testing Full Partial Partial Partial 12 Policies Full Partial Partial Partial Partial Partial Partial Partial A Practical Guide to PCI • Refer to the ‘PCI SAQ Instructions and Guidelines’ document to determine which of your merchant accounts align with which SAQ and speak to your acquirer to confirm SAQ Requirements
  • 23. A Practical Guide to PCI PCI SAQ Instructions and Guidelines Document
  • 24. A Practical Guide to PCI Merchant Levels & Assessment Criteria Level Merchant criteria Validation requirements 1 Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.  Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource  Quarterly network scan by Approved Scan Vendor (ASV)  Attestation of Compliance form QSA Services • PCI assessment • ROC • Attestation sign off • Gap analysis ASV • Tool to scan the network environment for Vulnerabilities. Any high vulnerabilities are failures.
  • 25. A Practical Guide to PCI Merchant Levels Level Merchant criteria Validation requirements 1 Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.  Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource  Quarterly network scan by Approved Scan Vendor (ASV)  Attestation of Compliance form 2 Merchants processing one million to six million Visa transactions annually via all channels.  Annual Self-Assessment Questionnaire (SAQ)  Quarterly network scan by ASV  Attestation of Compliance form
  • 26. A Practical Guide to PCI Merchant Levels Level Merchant criteria Validation requirements 1 Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.  Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource  Quarterly network scan by Approved Scan Vendor (ASV)  Attestation of Compliance form 2 Merchants processing one million to six million Visa transactions annually via all channels.  Annual Self-Assessment Questionnaire (SAQ)  Quarterly network scan by ASV  Attestation of Compliance form 3 Merchants processing 20,000 to one million Visa e- commerce transactions annually.  Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR  Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
  • 27. A Practical Guide to PCI Merchant Levels Level Merchant criteria Validation requirements 1 Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.  Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource  Quarterly network scan by Approved Scan Vendor (ASV)  Attestation of Compliance form 2 Merchants processing one million to six million Visa transactions annually via all channels.  Annual Self-Assessment Questionnaire (SAQ)  Quarterly network scan by ASV  Attestation of Compliance form 3 Merchants processing 20,000 to one million Visa e- commerce transactions annually.  Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR  Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ) 4 E-commerce merchants only Merchants processing fewer than 20,000 Visa e- commerce transactions annually.  Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR  Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
  • 28. A Practical Guide to PCI • Who are the acquirers? An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The acquirer enables merchants to accept card payments. • They can help provide information regarding the number of merchant accounts in use and the volume of transactions being processed through them • They are responsible for ensuring their associated merchants are PCI compliant and will ask you to provide an AOC • If you are unable to do this you may start to receive threatening letters Acquirers
  • 28–29. Acquirers
    • Who are the acquirers? An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The acquirer enables merchants to accept card payments.
    • They can help provide information regarding the number of merchant accounts in use and the volume of transactions being processed through them
    • They are responsible for ensuring their associated merchants are PCI compliant and will ask you to provide an AOC (Attestation of Compliance)
    • If you are unable to do this you may start to receive threatening letters
    • Don’t be afraid to challenge your acquirer
    • Find your business relationship manager and build a relationship
  • 30. Your Payment Gateways
    • Identify where payments are being taken throughout the university
    • Identify how card data traverses the network
    • Is cardholder data stored as part of the process?
    • Identify the SAQ level
    • Identify the merchant level
    • Speak to your acquirer; they will help verify your merchant and SAQ levels
  • 31. Reduce the Scope
    • Are card payments segregated from the rest of your network?
    • Can you segregate your networks?
    • Avoid storing cardholder data
    • Be aware of the problems with descoping: the perception that the entire network is as secure as the cardholder data environment, when in fact the rest has been descoped and therefore may not be maintained to the same standard
    • Determine the cost of descoping: is it easier just to include everything?
    • Remember that PCI should be part of your data security strategy
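One way to answer the scoping questions on slides 30 and 31 (is cardholder data stored as part of the process, and is anything outside the segregated environment holding it?) is to run a primary account number (PAN) discovery scan over logs, exports and file shares. The Python scanner below is an added example, not code from the presentation or from the PCI SSC: it finds 13 to 19 digit runs, optionally separated by spaces or hyphens, keeps only those that pass the Luhn mod-10 check that every PAN satisfies, and reports each hit masked to its last four digits so the scan output itself does not become stored cardholder data. The sample log lines, the `order=`/`card=` field names and the masking format are constructed for illustration.

```python
import re

# Constructed sample lines (not from the presentation): the kind of text a
# scoping exercise turns up in application logs, exports and spreadsheets.
# Line 2 has a transposed check digit, line 3 is tokenised and already masked,
# line 5 carries long non-card numbers; only lines 1 and 4 hold real PANs.
SAMPLE_LINES = [
    "2017-11-14 09:12:01 order=1001 card=4111111111111111 amount=49.99",
    "2017-11-14 09:12:05 order=1002 card=4111-1111-1111-1112 amount=12.00",
    "2017-11-14 09:13:10 order=1003 token=tok_8f3a9c masked=************4242",
    "2017-11-14 09:14:22 order=1004 card=5555 5555 5555 4444 amount=7.50",
    "phone=01132345678 invoice=20171114000012345",
]

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces
# or hyphens, and not part of a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit test (Luhn) that every PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in `text` that look like PANs and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; the scan report must not store PANs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines) -> list[tuple[int, str]]:
    """Report (line number, masked PAN) for every hit, never the full PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: possible stored PAN {masked}")
```

The Luhn filter removes most long numeric false positives (invoice numbers, phone numbers, timestamps), but a hit still needs a human to confirm it. Anything that genuinely holds PANs either belongs inside the cardholder data environment or needs the data removed before that system can be descoped.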
  • 32. The PCI Project
    • It’s a project: create a plan
    • Use the prioritised approach provided by PCI
    • Take a collaborative approach with:
      – IT
      – Finance
      – Governance
      – Other relevant departments
      – Acquirers
    • Who should drive the project?
      – IT
      – Finance
      – Governance
      – ?
    • Get buy-in: you can’t do this alone
  • 33. Resources
    • Find a QSA: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
    • Your acquirer
    • Merchant levels
      – MasterCard: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
      – Visa: https://www.visaeurope.com/receiving-payments/security/merchants
    • PCIDSSSIG
      – Training courses: Foundation, Practitioner and ISA (free if you are a member)
      – Resources: http://www.pcidsssig.org.uk/
    • PCI document library: https://www.pcisecuritystandards.org/document_library
    • PCI prioritised approach: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
    • Guidance for network segmentation: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf?agreement=true&time=1510049283753
  • 34. Final Thoughts
    • It’s a checklist, so you can take one step at a time
    • Training/reading: familiarise yourself with the standard
    • Get project buy-in
    • Speak to people (Finance, acquirers, staff)
    • Determine the scope
    • Work with the acquirers
    • The goals of PCI are just the best-practice elements we should all be implementing
    • Different security/compliance standards will aid each other
    • You don’t need to be an ISA, but it helps

Editor's Notes

  • #3: Thanks to Jisc for the late shift. I hope you have all had a coffee at break.
  • #7: Who is PCI compliant? Show of hands.
  • #8: Hacking techniques are changing.
  • #38: Who is Cyber Essentials compliant? Show of hands.