1 / 6

The PCI Half-Dozen

Burton Group Take 5! The PCI Half-Dozen: 6 Recommendations for PCI Compliance Diana Kelley, VP & Service Director March, 2007. The PCI Half-Dozen. It’s 5pm – do you know where your credit card numbers are? “BJ'S Wholesale Club Settles FTC Charges” ~Thousands of credit and debit card numbers

oswald
Download Presentation

The PCI Half-Dozen

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Burton Group Take 5!The PCI Half-Dozen: 6 Recommendations for PCI ComplianceDiana Kelley, VP & Service DirectorMarch, 2007

  2. The PCI Half-Dozen It’s 5pm – do you know where your credit card numbers are? • “BJ'S Wholesale Club Settles FTC Charges” • ~Thousands of credit and debit card numbers • http://www.ftc.gov/opa/2005/06/bjswholesale.htm • “Customer Data Breach Began in 2005, TJX Says” • ~card numbers impacted?– still investigating • http://www.washingtonpost.com/wp-yn/content/article/2007/02/21/AR2007022102039_pf.html • “CardSystems' Data Left Unsecured” • ~40 million card numbers impacted • http://www.wired.com/news/technology/0,1282,67980,00.html

  3. The PCI Half-Dozen Covered Data Elements (Data Source: PCI DSS Version 1.1, September 2006)

  4. The PCI Half-Dozen • Get the Facts • Go to the source – the PCI Data Security Standard and the PCI DSS Security Audit Procedures • Self assess – uncover and remediate gaps in advance • 2. Segment the Scope  • PCI DSS applies to the cardholder data environment • Reduce scope through zoning and segmentation • 3. Don’t Store What You Don’t Need • No Track II/Sensitive Auth Data! • But do you need the Cardholder data at all?

  5. The PCI Half-Dozen 4. Be Prepared and Be a Partner • Work with Qualified Security Assessors (QSA) or in-house assessors • Agree on the scope up-front • Prepare supporting documentation – including for compensating controls • Build remediation plans – and follow them 5. Get Involved • Changes were made between v1.0 and v1.1 in part, due to feedback • Merchants and Payment Service Providers can become “Participating Organizations” of the SSC 6. Build a Compliance Program • Compliance is about more than PCI • Take a long-view approach to compliance as a whole

  6. Thank you! For more information: • Burton Group Security and Risk Management Strategies Overview – “What and Why PCI? Inside the Payment Card Industry Data Security Standards,” http://www.burtongroup.com/content/doc.aspx?cid=1001 • The PCI Security Standards Council, http://www.pcisecuritystandards.org • Payment Card Industry (PCI) Data Security Standard, Version 1.1, https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm • PCI DSS Security Audit Procedures, • https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

More Related