SlideShare a Scribd company logo

Payment card industry data security standard

S
sallychiu

The Payment Card Industry Data Security Standard (PCI DSS) is an industry-wide framework for protecting cardholder data. It was developed by the Payment Card Industry Security Standards Council in response to growing credit card fraud. PCI DSS consists of 12 requirements across 6 control objectives that entities must comply with depending on their level of cardholder transactions. Compliance is enforced by each card brand and validated by independent parties. Studies show that PCI DSS has been effective at improving security for many organizations, but compliant companies can still experience breaches, so it does not guarantee protection. PCI DSS presents opportunities for accountants to assist with compliance as Qualified Security Assessors or consultants.

BusinessTechnologyEconomy & Finance
1 of 14
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Payment Card Industry Data Security StandardBy: Sally ChiuACC 626 Section 002
What is PCI DSS?Is it effective?Impact on the auditing professionOverview
“Payment Card Industry Data Security Standard”industry-wide framework for developing a robust payment card data security processaims to protect cardholder data What is PCI DSS?
response to the growing misuse of payment card informationPayment Card Industry (PCI) Security Standards Council - 5 global payment card companies: American Express, Discover, JCB International, MasterCard, and Visaapplies to entities that store, process or transmit cardholder information Retailers, on-line merchants, payment processing companiesHistory and Origins
6 principles, 12 major requirements, many sub-requirements and detailed requirements, and testing procedures 6 objectives:Build and Maintain a Secure NetworkProtect Cardholder DataMaintain a Vulnerability Management ProgramImplement Strong Access Control MeasuresRegularly Monitor and Test NetworksMaintain an Information Security PolicyComponents of PCI DSS:
PCI Security Standards Council sets the overall high level requirementseach card issuer enforces the standard, sets validation requirements and penaltiesdifferent merchant / service provider levels, and requirements for each levelEg: Level 1 – merchants with 6M+ transactions annually most stringent requirements ASV scans, QSA auditsmost recent version - PCI DSS v.2.0continuously updated to as new threats emergePCI DSS Logistics
Is PCI DSS Effective?Effectiveness of PCI DSS2011Ponemon Institute & Imperva study:64% of compliant firms had no breaches over the past two years, vs only 38% of non-compliant firms 2011 Cisco study:70% feel that their organizations are more secure 87% feel that PCI compliance is necessary60% are using PCI compliance to drive other security network projectsappears that most organizations regard PCI DSS as an effective tool in improving cardholder security
Ineffectiveness of PCI DSSPCI DSS compliant firms still experience security breachesEg: Hannaford Bros, breach in 2008: theft of 4.2 million customer card numbers Eg: Heartland Payment Systems, breach in 2008: 130 million credit card numbers exposedCritics: PCI DSS ineffective as it has failed to prevent data breach incidents Is PCI DSS Effective?
Is PCI DSS Effective?Ineffectiveness of PCI DSSdeveloped by card companies to shift blame to retailers rather than actually preventing cybercrimelack of standardizationhigh cost of compliance - $3.8M implementation cost for Level 1 merchantsExecutives see PCI DSS as a burden, not an investment ROI unknown
PCI DSS: Effective guideline, but does not guarantee security Breaches of PCI DSS compliant firms show that even compliance does not guarantee protection against security breachesPCI DSS - only a framework for protecting cardholder data – will not 100% guarantee securityEffective from aspect of laying the groundwork for a secure systemForces entities to be continuously compliant
Canadians are among the most frequent users of debit and credit cards Canada seen as vulnerable to hackers and data thieves due to:lack of strong Canadian privacy legislation inadequate IS security at Canadian SMEslag in adopting Chip & PIN technology on credit cards Canada has relied upon PCI DSS to improve cardholder data securityPCI DSS and Canada
Impact of PCI DSS on the Accounting Professionopens numerous opportunities for the accounting profession CAs can act as consultants to businesses CAs can act as QSAs to assess PCI DSS complianceCAs can work together with the PCI to achieve greater protection of cardholder data
Impact of PCI DSS on the Accounting ProfessionCAs acting as QSAs can offer integrated services to clients PCI compliance & S. 5970 audit efficiencies can be gainedHowever, should be aware of differences:FrameworkTesting periodScope
PCI DSS is a critical step towards improving the security of cardholder data in Canada and worldwidepresents new opportunities for the accounting professionConclusion

More Related Content

PPTX
Is your business PCI DSS compliant? You’re digging your own grave if not
CheapSSLsecurity
 
PPTX
PCI DSS Slidecast
RobertXia
 
PDF
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
PPT
PCI DSS Certification
hodonoghue
 
PPT
Evolution Pci For Pod1
Amanda Squires@Pod1
 
PDF
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
AtoZ Compliance
 
PDF
PCI_Presentation_OASIS
Dermot Clarke
 
DOCX
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
himalya sharma
 
Is your business PCI DSS compliant? You’re digging your own grave if not
CheapSSLsecurity
 
PCI DSS Slidecast
RobertXia
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
PCI DSS Certification
hodonoghue
 
Evolution Pci For Pod1
Amanda Squires@Pod1
 
Introduction to the Payment Card Industry Data Security Standard (PCI DSS) - ...
AtoZ Compliance
 
PCI_Presentation_OASIS
Dermot Clarke
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
himalya sharma
 

What's hot (20)

PDF
Tripwire pci basics_wp
Edward Lam
 
PPTX
What Everybody Ought to Know About PCI DSS and PA-DSS
London School of Cyber Security
 
PPS
P0 Pcidss Overview
b28stu
 
PDF
Pcidss qr gv3_1
leon bonilla
 
PDF
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
PDF
PCIDSS compliance made easier through a collaboration between NC State and UN...
John Baines
 
DOCX
Pci dss compliance
pcidss14s
 
PPTX
Introduction to PCI DSS
Saumya Vishnoi
 
PPTX
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
i2Coalition
 
PDF
Alcumus ISOQAR PCIDSS Compliance Presentation
Bhargav Upadhyay
 
PDF
Senate_2014_Data_Breach_Testimony_Richey
Peter Tran
 
PDF
Pci dss v3-2-1
leon bonilla
 
PDF
Visa Compliance Mark National Certification
Mark Pollard
 
PPT
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
Melanie Beam
 
PDF
Pcidss
yazsapa
 
PPTX
Payment Card Industry Introduction CMTA APR 2010
Donald E. Hester
 
PDF
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Jason Dover
 
PDF
Quick Reference Guide to the PCI Data Security Standard
- Mark - Fullbright
 
PDF
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
Fit Small Business
 
PPTX
Reducing cardholder data footprint with tokenization and other techniques
VISTA InfoSec
 
Tripwire pci basics_wp
Edward Lam
 
What Everybody Ought to Know About PCI DSS and PA-DSS
London School of Cyber Security
 
P0 Pcidss Overview
b28stu
 
Pcidss qr gv3_1
leon bonilla
 
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
John Baines
 
Pci dss compliance
pcidss14s
 
Introduction to PCI DSS
Saumya Vishnoi
 
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
i2Coalition
 
Alcumus ISOQAR PCIDSS Compliance Presentation
Bhargav Upadhyay
 
Senate_2014_Data_Breach_Testimony_Richey
Peter Tran
 
Pci dss v3-2-1
leon bonilla
 
Visa Compliance Mark National Certification
Mark Pollard
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
Melanie Beam
 
Pcidss
yazsapa
 
Payment Card Industry Introduction CMTA APR 2010
Donald E. Hester
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Jason Dover
 
Quick Reference Guide to the PCI Data Security Standard
- Mark - Fullbright
 
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
Fit Small Business
 
Reducing cardholder data footprint with tokenization and other techniques
VISTA InfoSec
 
Ad

Similar to Payment card industry data security standard (20)

PPTX
Payment Card Industry Security Standards
Ashintha Rukmal
 
PDF
Credit Card Processing for Small Business
Mark Ginnebaugh
 
PDF
PCI DSS: What it is, and why you should care
Sean D. Goodwin
 
PDF
PCI-DSS_Overview
sameh Abulfotooh
 
PDF
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
PDF
MTBiz May-June 2019
Mutual Trust Bank Ltd.
 
DOCX
PCI DSS 6 Key Objectives You Must Know for Compliance.docx
BORNSEC CONSULTING
 
PDF
Pci standards, from participation to implementation and review
isc2-hellenic
 
PDF
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Rapid7
 
PDF
Adventures in PCI Wonderland
Michele Chubirka
 
PDF
a Guide for quick pci dss and payment security
suridhalder
 
PPTX
Payment Card Industry CMTA NOV 2010
Donald E. Hester
 
PPTX
PruebaJLF.pptx
JoseLuna802663
 
PPT
pci-comp pci requirements and controls.ppt
gealehegn
 
DOCX
Online_Transactions_PCI
Kelly Lam
 
PPT
PCI DSS
Duy Do Phan
 
PDF
Understanding Your PCI DSS Guidelines: Successes and Failures
- Mark - Fullbright
 
PPT
PCI Compliance Seminar
dlinehan2
 
PPTX
PCI DSS Compliance Readiness
Al Abbas, PMP, CISSP, MBA, MSc
 
PPTX
PCI Compliance for Community Colleges @One CISOA 2011
Donald E. Hester
 
Payment Card Industry Security Standards
Ashintha Rukmal
 
Credit Card Processing for Small Business
Mark Ginnebaugh
 
PCI DSS: What it is, and why you should care
Sean D. Goodwin
 
PCI-DSS_Overview
sameh Abulfotooh
 
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
MTBiz May-June 2019
Mutual Trust Bank Ltd.
 
PCI DSS 6 Key Objectives You Must Know for Compliance.docx
BORNSEC CONSULTING
 
Pci standards, from participation to implementation and review
isc2-hellenic
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Rapid7
 
Adventures in PCI Wonderland
Michele Chubirka
 
a Guide for quick pci dss and payment security
suridhalder
 
Payment Card Industry CMTA NOV 2010
Donald E. Hester
 
PruebaJLF.pptx
JoseLuna802663
 
pci-comp pci requirements and controls.ppt
gealehegn
 
Online_Transactions_PCI
Kelly Lam
 
PCI DSS
Duy Do Phan
 
Understanding Your PCI DSS Guidelines: Successes and Failures
- Mark - Fullbright
 
PCI Compliance Seminar
dlinehan2
 
PCI DSS Compliance Readiness
Al Abbas, PMP, CISSP, MBA, MSc
 
PCI Compliance for Community Colleges @One CISOA 2011
Donald E. Hester
 
Ad

Recently uploaded (20)

PDF
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
PDF
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
PPTX
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
shannonzipoy2
 
PPTX
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
PDF
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
PDF
Training And Development of Employee .pdf
nivethavm864
 
PDF
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
PPTX
Business Ethics - An introduction and its overview.pptx
Keerthana Chinnathambi
 
PDF
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
PDF
Ôn tập tiếng anh trong kinh doanh nâng cao
thaoonguyenn2311
 
PDF
Traveri Digital Marketing Seminar 2025 by Corey and Jessica Perlman
Corey Perlman, Social Media Speaker and Consultant
 
PDF
Deliverable file - Regulatory guideline analysis.pdf
Quan Risk
 
PPTX
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
kaniece
 
PPT
Chapter four Project-Preparation material
argachewbochena1
 
PDF
How to Get Funding for Your Trucking Business
Jake Thornhill
 
PDF
A Brief Introduction About Julia Allison
Julia Allison
 
PPTX
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
DSAISUBRAHMANYAAASHR
 
PPTX
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
shannonzipoy2
 
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
Training And Development of Employee .pdf
nivethavm864
 
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
Business Ethics - An introduction and its overview.pptx
Keerthana Chinnathambi
 
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
Ôn tập tiếng anh trong kinh doanh nâng cao
thaoonguyenn2311
 
Traveri Digital Marketing Seminar 2025 by Corey and Jessica Perlman
Corey Perlman, Social Media Speaker and Consultant
 
Deliverable file - Regulatory guideline analysis.pdf
Quan Risk
 
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
kaniece
 
Chapter four Project-Preparation material
argachewbochena1
 
How to Get Funding for Your Trucking Business
Jake Thornhill
 
A Brief Introduction About Julia Allison
Julia Allison
 
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
DSAISUBRAHMANYAAASHR
 
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 

Payment card industry data security standard

  • 1. Payment Card Industry Data Security StandardBy: Sally ChiuACC 626 Section 002
  • 2. What is PCI DSS?Is it effective?Impact on the auditing professionOverview
  • 3. “Payment Card Industry Data Security Standard”industry-wide framework for developing a robust payment card data security processaims to protect cardholder data What is PCI DSS?
  • 4. response to the growing misuse of payment card informationPayment Card Industry (PCI) Security Standards Council - 5 global payment card companies: American Express, Discover, JCB International, MasterCard, and Visaapplies to entities that store, process or transmit cardholder information Retailers, on-line merchants, payment processing companiesHistory and Origins
  • 5. 6 principles, 12 major requirements, many sub-requirements and detailed requirements, and testing procedures 6 objectives:Build and Maintain a Secure NetworkProtect Cardholder DataMaintain a Vulnerability Management ProgramImplement Strong Access Control MeasuresRegularly Monitor and Test NetworksMaintain an Information Security PolicyComponents of PCI DSS:
  • 6. PCI Security Standards Council sets the overall high level requirementseach card issuer enforces the standard, sets validation requirements and penaltiesdifferent merchant / service provider levels, and requirements for each levelEg: Level 1 – merchants with 6M+ transactions annually most stringent requirements ASV scans, QSA auditsmost recent version - PCI DSS v.2.0continuously updated to as new threats emergePCI DSS Logistics
  • 7. Is PCI DSS Effective?Effectiveness of PCI DSS2011Ponemon Institute & Imperva study:64% of compliant firms had no breaches over the past two years, vs only 38% of non-compliant firms 2011 Cisco study:70% feel that their organizations are more secure 87% feel that PCI compliance is necessary60% are using PCI compliance to drive other security network projectsappears that most organizations regard PCI DSS as an effective tool in improving cardholder security
  • 8. Ineffectiveness of PCI DSSPCI DSS compliant firms still experience security breachesEg: Hannaford Bros, breach in 2008: theft of 4.2 million customer card numbers Eg: Heartland Payment Systems, breach in 2008: 130 million credit card numbers exposedCritics: PCI DSS ineffective as it has failed to prevent data breach incidents Is PCI DSS Effective?
  • 9. Is PCI DSS Effective?Ineffectiveness of PCI DSSdeveloped by card companies to shift blame to retailers rather than actually preventing cybercrimelack of standardizationhigh cost of compliance - $3.8M implementation cost for Level 1 merchantsExecutives see PCI DSS as a burden, not an investment ROI unknown
  • 10. PCI DSS: Effective guideline, but does not guarantee security Breaches of PCI DSS compliant firms show that even compliance does not guarantee protection against security breachesPCI DSS - only a framework for protecting cardholder data – will not 100% guarantee securityEffective from aspect of laying the groundwork for a secure systemForces entities to be continuously compliant
  • 11. Canadians are among the most frequent users of debit and credit cards Canada seen as vulnerable to hackers and data thieves due to:lack of strong Canadian privacy legislation inadequate IS security at Canadian SMEslag in adopting Chip & PIN technology on credit cards Canada has relied upon PCI DSS to improve cardholder data securityPCI DSS and Canada
  • 12. Impact of PCI DSS on the Accounting Professionopens numerous opportunities for the accounting profession CAs can act as consultants to businesses CAs can act as QSAs to assess PCI DSS complianceCAs can work together with the PCI to achieve greater protection of cardholder data
  • 13. Impact of PCI DSS on the Accounting ProfessionCAs acting as QSAs can offer integrated services to clients PCI compliance & S. 5970 audit efficiencies can be gainedHowever, should be aware of differences:FrameworkTesting periodScope
  • 14. PCI DSS is a critical step towards improving the security of cardholder data in Canada and worldwidepresents new opportunities for the accounting professionConclusion