
Evolving Challenges of PCI Compliance

Evolving Challenges of PCI Compliance. Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014. Agenda. What is PCI? Evolution of PCI What is PCI DSS? Compliance What does this mean to me? Recent Breach of Target Q & A. What is PCI?.


Presentation Transcript


  1. Evolving Challenges of PCI Compliance
  Charlie Wood, PCI QSA, CRISC, CISA
  Principal, The Bonadio Group
  January 10, 2014

  2. Agenda
  • What is PCI?
  • Evolution of PCI
  • What is PCI DSS?
  • Compliance
  • What does this mean to me?
  • Recent Breach of Target
  • Q & A

  3. What is PCI?
  The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder data do so in a secure environment.
  • Source: The PCI Security Standards Council

  4. Evolution of PCI
  The PCI Security Standards Council was founded in 2006 by the major card brands:
  • Visa
  • MasterCard
  • Amex
  • Discover
  • JCB
  Each card brand has input into the guidance provided by the Council.

  5. What is PCI? (cont.)
  A credit card, as defined by the Council, is any card that is backed by a major card brand, including but not limited to:
  • Credit
  • Debit
  • HSA
  • FSA
  • Payroll

  6. Evolution of PCI (cont.)
  The PCI Security Standards Council is responsible for the oversight of the PCI standards, which include guidance relative to the following:
  • PCI DSS
  • PA-DSS
  • P2PE
  • PTS

  7. What is PCI DSS?
  • Core set of best security practices
  • Set of 12 requirements broken down into 6 categories, as follows:
    • Build and maintain a secure network
    • Protect cardholder data
    • Maintain a vulnerability management program
    • Implement strong access control measures
    • Monitor and test networks
    • Maintain an information security policy

  8. What is PCI DSS? (cont.)
  • PCI DSS can include the following, depending on the organization:
    • PA-DSS
    • P2PE
    • PTS

  9. Common PCI Myths
  • We don’t take enough cards to necessitate compliance
  • We outsource card processing, so we are compliant
  • PCI is an IT issue
  • PCI is unreasonable / difficult
  • PCI compliance makes us secure
  • We aren’t a target

  10. Compliance
  • Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure
  • Compliance is based on “Level” and “Type”
    • Level is based on the number of transactions performed in a 12-month period
    • Type is defined by how your organization takes credit cards

  11. Compliance (cont.) Levels are based on the number of transactions. Visa defines them as follows:

  12. Compliance (cont.) Types are defined by how your organization takes credit cards and are broken down as follows:

  13. What does this mean to me? Based on the volume of transactions, organizations would be required to perform the following:

  14. What does this mean to me? (cont.)
  In English:
  • Depending on what “Type” of organization you are, you will have to address anywhere from 15 to 200+ controls
  Cost:
  • Hardware
  • Software
  • Internal resources
  • External resources

  15. Recent Breach of Target
  What happened:
  • Lost ~40 million credit and debit cards
  • Theft period: November 27 – December 15
  • Malware on point-of-sale terminals
  • Not detected until December 15

  16. Recent Breach of Target (cont.)
  Common questions:
  • How could this happen?
  • Was Target PCI compliant?
  • How do I know if I was affected?
  Costs?
  • Credit score monitoring
  • Fines, sanctions and lawsuits
  • Reputational damage

  17. Q & A
  Questions?
  cwood@bonadio.com
  (585) 249-2757
