PCI DSS Compliance Readiness
BizTech Presentation
www.biztechmasters.com
1-888-666-1745
AGENDA
• Introduction
• What is PCI Standards Council
• PCI Objectives
• Why PCI Compliance
• Penalties for Non-Compliance
• How to Achieve Compliance
• Merchant Levels & SAQs
• PCI DSS Requirements & Applicability
• Service Providers
• Compliance Requirements
• Credit Card Transaction Flow
• Payment Brand Compliance Programs
• Network Management Tip
• Compliance Roadmap
• Q & A
© Copyright 2015 2
Introduction
• BizTech Risk & Security
• Attendees
– How this presentation can help you in your
current situation
What is PCI Security Standards Council?
• An independent industry standards body
providing oversight of the development and
management of Payment Card Industry
Security Standards on a global basis
(www.pcisecuritystandards.org)
• Founding multi-national acceptance brand
members:
– Visa, MasterCard, Discover, American Express, JCB
PCI Security Standards Council
Objectives
• Issue new standards and manage standards life cycle
• Enhance payment account security
• Create awareness and drive adoption of standards
• Foster participation and gather feedback
PCI DSS
• PCI DSS = Payment Card Industry Data Security
Standard
• Formalized security standard
• Covers security of the systems and networks that store,
process and transmit card data
• Revised on a published multi-year lifecycle managed by the Council (36 months
at the time of this presentation; the original cycle was 24 months)
Why PCI DSS Compliance for my
Organization?
• Executive management and leadership can demonstrate that due diligence was
performed; the card brands' 'safe harbour' from compromise fines applies only to
entities that were compliant at the time of a breach
• Organization avoids high penalties from the card brands in case of a data breach
• Reduce the risk of lawsuits by customers whose data is lost in a data breach,
by demonstrating that due diligence was performed in safeguarding sensitive data
• Protect the reputation of the organization
Penalties and Fees for Non Compliance
• Dependent on the card brand and acquiring bank
• Non-compliance (Visa example): $5,000 to $25,000 a month for each of an
acquirer's Level 1 and Level 2 merchants that fail to validate (fines are higher
if prohibited data such as full track data or CVV2 is found stored)
• Cardholder data breach (Visa example): members are subject to fines of up to
$500,000 per incident for any merchant or service provider that is compromised
and not compliant at the time of the incident. Safe harbour applies only if the
entity was PCI DSS compliant at the time of the breach
• Restrictions may be imposed on non-compliant merchants
How to Achieve Compliance?
• Depends on the merchant level (total number of transactions per year) and on
how the cardholder data environment is set up
– Smaller merchants: complete the PCI DSS Self Assessment Questionnaire (SAQ)
that matches the payment channel (the merchant self-assesses, often with help
from a security professional) and submit it, with the Attestation of
Compliance, to the acquirer or payment processor
• Several SAQ types exist (A, A-EP, B, B-IP, C, C-VT, P2PE and D under PCI DSS
v3.x); the one you complete depends on how cardholder data is accepted,
processed and stored
• See small merchant information/training at:
https://www.pcisecuritystandards.org/smb/
– Larger organizations with a high number of transactions: complete a PCI DSS
readiness project and then engage a Qualified Security Assessor (QSA) company
to perform the onsite assessment (Report on Compliance)
– All merchants: perform routine vulnerability scanning and reporting of the
cardholder data environment, including quarterly external scans by an Approved
Scanning Vendor (ASV)
Merchant Levels

Level | Annual Transactions                      | SAQ*   | Network Vulnerability Scan | Validation Actions/Dates
1     | 6 million plus                           | N/A    | Quarterly by ASV           | Annual onsite review by QSA (Report on Compliance)
2     | 1 million to 6 million                   | Annual | Quarterly by ASV           | N/A
3     | 20k to 1 million e-commerce              | Annual | Quarterly by ASV           | N/A
4     | E-commerce < 20k; all others < 1 million | Annual | Quarterly by ASV           | Dates determined by acquirer/payment processor

*SAQ = Self Assessment Questionnaire
The Self Assessment Questionnaire Categories
As per the PCI Standards Council, merchants or service providers need to
complete one of the following SAQs.
PCI DSS Requirements
• Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect data
– Do not use vendor-supplied defaults for system passwords and other security
parameters
• Protect Cardholder Data
– Protect stored data
– Encrypt transmission of cardholder data and sensitive information across public
networks
• Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software
– Develop and maintain secure systems and applications
PCI DSS Requirements (contd.)
• Implement Strong Access Control Measures
– Restrict access to data by business need-to-know
– Assign a unique ID to each person with computer access
– Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data
– Regularly test security systems and processes
• Maintain an Information Security Policy
– Maintain a policy that addresses information security for all personnel
Applicability
• All members, merchants, and service providers that
store, process, OR transmit cardholder data
• All system components which are defined as any
network component, server, or application that is
included in or connected to the cardholder data
environment.
• Merchants of every channel (card-present, e-commerce, mail order/telephone
order), payment processors, credit card processing, clearing, etc.
Service Providers
• A service provider is a business entity directly involved in the
processing, storage, transmission, and switching of transaction data
and cardholder data.
– Usually not a payment card brand member
– Sometimes a service provider is a merchant
• Includes companies that provide services to merchants, service
providers or members that control or could impact the security of
cardholder data.
Sample Service Providers
• Transaction Processors
– Enable transactions such as authorization and settlement between
merchants and issuers or acquirers
• Payment Gateways
– Enable transactions between merchants and processors
• Independent Sales Organizations (ISOs) or External Sales
Agents (ESAs)
– Perform cardholder and merchant program solicitations
• Credit Reporting Services
• Customer Service Functions
Compliance Requirements
• Compliance is mandated by the payment card brands
and not by the PCI Security Standards Council.
• All entities that transmit, process or store payment
card data must be compliant with PCI DSS.
Payment Industry Transaction Flow
The diagram on this slide shows the entities in a typical transaction:
Cardholder -> Merchant -> Acquirer -> Payment Brand Network -> Issuer
(the authorization request travels in that direction; the response returns
along the same path)
PCI Scope
• The PCI DSS security requirements apply to all system components.
'System components' are defined as any network component, server,
or application that is included in or connected to the cardholder data
environment (CDE).
• The cardholder data environment is the part of the network that stores,
processes or transmits cardholder data or sensitive authentication data. Network
components include but are not limited to firewalls, switches,
routers, wireless access points, network appliances, and other
security appliances. Server types include, but are not limited to the
following: web, application, database, authentication, mail, proxy,
network time protocol (NTP), and domain name server (DNS).
• Applications include all purchased and custom applications, including
internal and external (Internet) applications.
What is cardholder data?
• Cardholder data is the information printed on the physical card as well as
the data on the magnetic stripe or chip
• Cardholder Data (CHD) includes:
– Primary account number (PAN)
– Cardholder name
– Service code
– Expiration date
• Sensitive Authentication Data (SAD) is the second category of account data
and is subject to stricter rules:
– Full track data (magnetic stripe data or the equivalent data on a chip)
– CAV2/CVC2/CVV2/CID (the card verification code)
– PIN / PIN block
– SAD must not be stored after authorization, even if it is encrypted
Role of Payment Brands
• All payment brands
– Provide authorization & clearing/settlement services
– Establish operating rules and regulations
• Issue cards and acquire transactions through third
parties (usually banks or credit unions)
• American Express, Discover, and JCB are also
issuers and acquirers
• Visa and MasterCard do not issue cards or acquire
transactions
Payment Brand Compliance Programs
• Payment brands' compliance programs include:
– Tracking and enforcement
– Penalties, fees, compliance deadlines
– Validation process and who needs to validate
– Approval and posting of compliant entities
– Definition of merchants and service provider levels
– Forensic investigation for account data compromise
• Payment brands also oversee the forensic investigation (performed by PCI
Forensic Investigators, PFIs) and the response to account data compromises
Network Management Tip
• Network segmentation, i.e. isolating the cardholder data environment from
the remainder of the corporate network, is not a PCI DSS requirement. It is,
however, strongly recommended: it reduces the scope and cost of the assessment
and the exposure of cardholder data.
• Without adequate network segmentation (sometimes called a 'flat network')
the entire network is in scope of the PCI DSS assessment. Segmentation can be
achieved through internal network firewalls, routers with strong access control
lists or other technology that restricts access to a particular segment of a
network. Any system that can still reach the CDE remains in scope, so the
segmentation controls must be documented and verified (PCI DSS v3 requires
penetration testing of the segmentation controls).
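As an added example (not code from the presentation or from BizTech), the following Python script shows the kind of check a practitioner runs when deciding whether segmentation actually takes a segment out of scope: it walks a first-match access list, flags every permit into the CDE whose source is not an approved administrative host, and lists the source networks that are 'connected to' the CDE and therefore still in scope. The rule format, the addresses and the ruleset are all constructed for this example and are IPv4 only.

```python
"""Segmentation review over a first-match firewall/router ACL.

Added example, not code from the presentation. The rule format, the networks
and the ruleset itself are constructed for illustration (IPv4 only).
"""
from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple

# A rule is (action, source CIDR, destination CIDR, destination port or None for any).
Rule = Tuple[str, str, str, Optional[int]]

# Assumed cardholder data environment and the only source allowed to reach it directly.
CDE_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.30.5/32")]  # hardened jump host (assumed)

# Constructed ruleset, evaluated top-down with first match winning, like a router ACL.
RULES: List[Rule] = [
    ("permit", "10.10.30.5/32", "10.10.20.0/24", 22),    # 0: jump host -> CDE (SSH)
    ("permit", "0.0.0.0/0",     "10.10.40.0/24", 80),    # 1: anyone -> corporate web, not CDE
    ("permit", "10.10.30.0/24", "10.10.20.10/32", 443),  # 2: whole office LAN -> payment app
    ("permit", "0.0.0.0/0",     "10.10.20.0/24", 3389),  # 3: "temporary" RDP from anywhere
    ("deny",   "0.0.0.0/0",     "10.10.20.0/24", None),  # 4: catch-all deny into the CDE
]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action the ACL takes for one flow; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d, p in rules:
        if src in _net(s) and dst in _net(d) and (p is None or p == dport):
            return action
    return "deny"


def find_segmentation_gaps(rules: List[Rule], cde_networks, allowed_sources) -> List[int]:
    """Indices of permit rules that let a non-approved source into the CDE."""
    gaps = []
    for i, (action, s, d, _p) in enumerate(rules):
        if action != "permit":
            continue
        dst = _net(d)
        if not any(dst.overlaps(cde) for cde in cde_networks):
            continue  # destination is outside the CDE; not a segmentation concern
        src = _net(s)
        if not any(src.subnet_of(ok) for ok in allowed_sources):
            gaps.append(i)
    return gaps


def connected_networks(rules: List[Rule], cde_networks) -> List[str]:
    """Source networks with any permit into the CDE. PCI DSS treats systems that are
    'connected to' the CDE as system components, so these networks are in scope."""
    seen: List[str] = []
    for action, s, d, _p in rules:
        if action == "permit" and any(_net(d).overlaps(cde) for cde in cde_networks):
            if s not in seen:
                seen.append(s)
    return seen


if __name__ == "__main__":
    for i in find_segmentation_gaps(RULES, CDE_NETWORKS, ALLOWED_SOURCES):
        print(f"rule {i} breaks segmentation: {RULES[i]}")
    print("in scope as connected-to-CDE:", connected_networks(RULES, CDE_NETWORKS))
    print("office host -> CDE RDP:", evaluate(RULES, "10.10.30.77", "10.10.20.15", 3389))
```

Rule 2 and rule 3 are the findings: rule 2 pulls the whole office LAN into scope even though it only reaches one host, and rule 3 makes the segmentation meaningless. The catch-all deny at the end does nothing for either, which is why an assessor reads the rules above it and then confirms the result with a penetration test from the out-of-scope segment.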
Compliance Roadmap
• Determine the locations of the cardholder data (systems, databases, files,
logs, backups, paper)
• Reduce scope by eliminating or segmenting the cardholder data (any electronic
storage of cardholder data moves a merchant to SAQ D, formerly 'validation
type 5')
• Baseline your environment against the PCI DSS to identify gaps
• For all gaps, determine recommendations with associated effort
• Develop a prioritized plan to address the gaps
• Execute
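The first roadmap step, finding where cardholder data actually lives, and the earlier definition of what counts as cardholder data and sensitive authentication data are served by one added example below (not code from the presentation or from BizTech): a small Python discovery script that scans text such as application logs for PANs, filters digit runs with the Luhn check so timestamps and order numbers do not drown the report, flags full track data (which may never be stored after authorization), and masks every hit to first six / last four so the report itself is not cardholder data. The log lines are constructed and the card numbers are publicly known test numbers.

```python
"""Cardholder data discovery over text (log files, exports, support tickets).

Added example, not code from the presentation. The sample log lines are
constructed; the card numbers are publicly known test numbers, not real accounts.
"""
from __future__ import annotations

import re
from typing import Dict, List

# PAN candidates: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so a 20-digit reference number is skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track formats from the magnetic stripe (sensitive authentication data):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; filters most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Digit strings in text that look like PANs and pass the Luhn check."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_text(text: str) -> List[Dict[str, object]]:
    """Per line, report stored PANs and any full track data (which may never be
    stored after authorization, even encrypted). Values are masked in the report."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1.finditer(line):
            findings.append({"line": lineno, "kind": "TRACK1", "value": mask_pan(m.group(1))})
        for m in TRACK2.finditer(line):
            findings.append({"line": lineno, "kind": "TRACK2", "value": mask_pan(m.group(1))})
        for pan in find_pans(line):
            findings.append({"line": lineno, "kind": "PAN", "value": mask_pan(pan)})
    return findings


# Constructed sample: an application log that should never contain this data.
SAMPLE_LOG = """\
2015-03-02 10:14:07 INFO  order=48213 pan=4111111111111111 amount=19.99 status=approved
2015-03-02 10:14:09 DEBUG raw swipe: %B5555555555554444^DOE/JOHN^2512101?;5555555555554444=2512101?
2015-03-02 10:14:11 INFO  order=48214 pan=411111******1111 amount=5.00 status=approved
2015-03-02 10:14:12 INFO  session=1234567890123456 customer lookup
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

On the sample, line 1 is a stored PAN, line 2 is the worst case (a debug statement logging the raw swipe, which is track data and therefore prohibited storage), line 3 is already masked and produces nothing, and the 16-digit session id on line 4 fails the Luhn check and is ignored. Run against real file shares, databases and backups the same logic is what commercial discovery tools do, and every hit either moves that system into the CDE or gives you a concrete item for the 'eliminate' step.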
Q & A
• Questions & Answers
– Need help with PCI DSS Compliance Readiness?
Contact:
• Al Abbas, Practice Director
• aabbas@biztechmasters.com
• www.biztechmasters.com
• 1-888-666-1745