Evolving Challenges of PCI Compliance - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Evolving Challenges of PCI Compliance' - jorryn
Presentation Transcript
Evolving Challenges of PCI Compliance

Charlie Wood, PCI QSA, CRISC, CISA

Principal, The Bonadio Group

January 10, 2014

Agenda
  • What is PCI?
  • Evolution of PCI
  • What is PCI DSS?
  • Compliance
  • What does this mean to me?
  • Recent Breach of Target
  • Q & A
What is PCI?

The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder data do so in a secure environment.

  • The PCI Security Standards Council
Evolution of PCI

PCI Security Standards Council was founded in 2006 by the major card brands:

  • Visa
  • MasterCard
  • Amex
  • Discover
  • JCB

Each card brand has input into the guidance provided by the Council.

What is PCI (cont.)

A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to:

  • Credit
  • Debit
  • HSA
  • FSA
  • Payroll
Evolution of PCI (cont.)

The PCI Security Standards Council is responsible for the oversight of the PCI standards, which include guidance on the following:

  • PCI DSS
  • PA-DSS
  • P2PE
  • PTS
What is PCI DSS?
  • Core set of best security practices
  • Set of 12 requirements broken down into 6 categories, as follows:
      • Build and maintain a secure network
      • Protect cardholder data
      • Maintain a vulnerability management program
      • Implement strong access control measures
      • Monitor and test networks
      • Maintain an information security policy
What is PCI DSS?
  • PCI DSS can include the following depending on the organization:
    • PA-DSS
    • P2PE
    • PTS
Common PCI Myths
  • We don’t take enough cards to necessitate compliance
  • We outsource card processing so we are compliant
  • PCI is an IT issue
  • PCI is unreasonable / difficult
  • PCI compliance makes us secure
  • We aren’t a target
Compliance
  • Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure
  • Compliance is based on “Level” and “Type”
  • Level is based on the number of transactions performed in a 12-month period
  • Type is defined by how your organization takes credit cards
Compliance (cont.)

Levels are based on the number of transactions. Visa defines them as follows:

Compliance (cont.)

Types are defined by how your organization takes credit cards and are broken down as follows:

What does this mean to me?

Based on the volume of transactions, organizations would be required to perform the following:

What does this mean to me? (cont.)

In English:

  • Depending on what “Type” of organization you are, you will have to address anywhere from 15 to 200+ controls

Cost

  • Hardware
  • Software
  • Internal Resources
  • External Resources
Recent Breach of Target

What happened:

  • Lost ~40 million credit and debit cards
  • Theft period: November 27 – December 15
  • Malware on point-of-sale terminals
    • Not detected until December 15
Recent Breach of Target (cont.)

Common Questions

  • How could this happen?
  • Was Target PCI compliant?
  • How do I know if I was affected?

Costs?

  • Credit score monitoring
  • Fines, sanctions and lawsuits
  • Reputational damage
Q & A

Questions?

cwood@bonadio.com

(585) 249-2757