Presentation Transcript
Payment Card Industry Data Security Standard

IU Treasury Operations

5th Annual e-Business/Banking Seminar

August 10 & 11, 2006

Tom Davis, CISSP, CISM, GCIA

Chief IT Security Officer

Office of the VP for Information Technology

Agenda
  • Protecting card data
  • Overview of the Payment Card Industry Data Security Standard (PCI DSS)
  • PCI DSS requirements
  • Merchant levels
  • PCI DSS compliance validation
  • Risks of non-compliance
  • IU and PCI DSS compliance
  • Questions
Protecting card data
  • Why it’s important
    • causes hardship for our customers
    • loss of customer confidence
    • required by PCI DSS
    • state laws on “disposal” and “notice”
    • impending federal legislation?
Credit card theft is big business!
  • Phishing attempts on the rise
    • to trick individuals into divulging financial info
  • Dramatic move by “hackers” to compromise machines for profit
    • keyboard monitoring software
  • Many chat channels devoted to underground trading of credit card #’s
Overview of PCI DSS
  • Prior to September 2004
    • no standardization across card companies on credit card security requirements
    • difficult for merchants to become familiar with and adhere to competing standards from VISA, MasterCard, and others
  • As fraud losses increased, card industry realized the need for consistent and well defined security standards
  • PCI DSS announced in September 2004
    • collaboration between VISA and MasterCard
    • endorsed by other card companies as well
    • “… offers a single approach to safeguarding sensitive data for all card brands…”
  • Applies to
    • all merchants that “store, process, or transmit cardholder data”
    • all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
  • Includes 12 requirements, based on
    • administrative controls (policies, procedures, etc.)
    • physical security (locks, physical barriers, etc.)
    • technical security (passwords, encryption, etc.)
Card Security Programs
  • The following programs incorporate PCI DSS:
    • VISA
      • Cardholder Information Security Program (CISP)
    • MasterCard
      • Site Data Protection (SDP) Program
    • American Express
      • Data Security Requirements
    • Discover
      • Discover Information Security and Compliance (DISC) Program
PCI DSS requirements

Each requirement has many sub-requirements!

  • Install and maintain a firewall configuration to protect data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored data
  • Encrypt transmission of cardholder data and sensitive information across public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security
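Requirement 3 (protect stored data) is the one most often broken by accident: full card numbers end up in application or web-server logs that nobody treats as cardholder data. The following is an added example, not code from this deck or from Indiana University; it scans constructed sample log lines (the card numbers are published test PANs, not real accounts) for primary account numbers, confirms candidates with the Luhn check so that order and reference numbers are not flagged, and rewrites each hit so only the last four digits remain, which is within the masking limit PCI DSS permits for display (at most first six and last four).

```python
import re

# Constructed sample log (not from the original deck). Lines 1, 2 and 5 carry
# published test PANs that pass the Luhn check; line 3 is a 16-digit reference
# number that fails it; line 4 is already masked.
SAMPLE_LOG = """\
2006-08-10 09:12:01 order=1001 card=4111111111111111 amount=42.00
2006-08-10 09:12:05 order=1002 card=4111-1111-1111-1111 amount=19.99
2006-08-10 09:12:09 order=1003 ref=1234567890123456 amount=5.00
2006-08-10 09:12:12 order=1004 card=************1111 amount=7.50
2006-08-10 09:12:15 order=1005 card=5500 0000 0000 0004 amount=88.00
"""

# 13 to 19 digits, optionally separated by a single space or hyphen between
# digits. The look-around prevents matching a slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check as used for card numbers: double every second
    digit from the right, subtract 9 from doubled values above 9, and
    require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def is_pan(candidate: str) -> bool:
    """True if the candidate has a plausible PAN length and passes Luhn."""
    digits = _digits_only(candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list[str]:
    """Return the digit strings of every Luhn-valid PAN found in text."""
    return [
        _digits_only(m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if is_pan(m.group(0))
    ]


def redact_line(line: str) -> str:
    """Replace each PAN in the line with asterisks plus its last four digits.
    Non-PAN digit runs (order numbers, timestamps, references) are untouched."""

    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        if not is_pan(raw):
            return raw
        digits = _digits_only(raw)
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(_mask, line)


def scan_log(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, last four digits) for every PAN in the log, so a
    finding can be reported without re-recording the full card number."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for digits in find_pans(line):
            findings.append((lineno, digits[-4:]))
    return findings


if __name__ == "__main__":
    for lineno, last4 in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN ending in {last4}")
    print("--- redacted ---")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Run against the sample, the scanner reports lines 1, 2 and 5 and leaves line 3 alone because the reference number fails Luhn. In practice the same two functions are worth running as a pre-commit check on log formats and as a periodic sweep of log storage, since a single PAN in a retained log file brings that whole storage location into PCI DSS scope.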
Merchant levels
  • Merchant levels are based on the merchant's yearly transaction volume
  • The specific criteria for placement in a level vary across card companies
  • All merchants, regardless of level, must adhere to the PCI DSS requirements
  • The level a merchant is placed in determines how compliance must be validated (and ultimately what validation costs)
  • Let’s take a quick look at Visa’s levels…
Merchant levels - Visa
  • Level 1:
    • merchants, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year
    • any merchant that has suffered a data compromise
    • any merchant so selected by Visa
    • any merchant identified by other card brand as level 1
  • Level 2:
    • merchants, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions
  • Level 3:
    • any merchant processing 20,000 to 1,000,000 Visa e-commerce (Internet) transactions
  • Level 4:
    • any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions
    • all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions
PCI DSS compliance validation
  • Level 1 merchants
    • annual on-site assessment by an approved assessor (produces a Report on Compliance)
    • quarterly network security scan by an Approved Scanning Vendor (ASV)
  • Level 2 and 3 merchants
    • annual self-assessment questionnaire
    • quarterly network security scan by an Approved Scanning Vendor (ASV)
  • Level 4 merchants
    • self-assessment questionnaire
      • if required by acquirer
    • quarterly network security scan by approved scan vendor
      • if required by acquirer
Risks of non-compliance
  • Endangering customer information
  • Exposure could lead to:
    • fines levied by acquiring banks
    • cost of replacing cards and perhaps covering fraudulent charges
    • loss of merchant status
    • elevations to Level 1 status (and resulting compliance validation costs)
IU and PCI DSS compliance
  • Joint effort across many units
    • Treasury, IT Security and Policy, Internal Audit, Legal Counsel, Purchasing, etc.
  • Review IU merchants
    • rank existing merchants by perceived risk and begin compliance reviews in that order
    • will most likely hold merchants to a higher standard than PCI DSS dictates
      • especially level 4 merchants, for whom the card brands leave validation to the acquirer's discretion
  • Contracts
    • review existing and new contracts with external agencies to ensure they are responsible for complying with PCI DSS
  • Education and awareness
    • this seminar!