Presented By: David Kidd, Director of Compliance, Peak 10 & Brian Herman, VP of Managed Security Sales, Still Secure.
Defining the Challenge
Cost of Breaches Continues to Rise
An increase in the total average cost of a data breach:
TJX: The “Pearl Harbor” of Credit Card Breaches (01/2007)
Federal Trade Commission Response
Founders: Payment Brands
Merchants, Banks, Processors, Developers, POS Vendors
Established in 2006, the Security Standards Council was formed to coordinate information security programs of the founding payment brands.
The PCI Security Standards Council has established multiple standards for the industry, including equipment manufacturers, payment software application developers, merchants and merchant service providers.
The PCI Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that store, process, or transmit cardholder data.
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS regardless of transaction volume.
Platform as a Service (PaaS) – Capability for clients to deploy their applications (created or acquired) onto the cloud infrastructure, using programming languages, libraries, services, and tools supported by the provider.
Infrastructure as a Service (IaaS) – Capability for clients to utilize the provider’s processing, storage, networks, and other fundamental computing resources to deploy and run operating systems, applications and other software on a cloud infrastructure.
Understanding the Cloud
What makes the cloud different?
The cloud is relatively new technology and may be misunderstood.
Clients may have limited visibility into the service provider's underlying infrastructure and the related security controls.
Some virtual components do not have the same level of access control, logging, and monitoring as their physical counterparts.
It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.
Public cloud environments are usually designed to allow access from anywhere on the Internet.
Cloud Service Stack (typical)
The client may have limited control of user-specific application configuration settings.
The client has control over the deployed applications and possibly configuration settings for the application-hosting environment.
The client has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g. host firewalls).
Questions for Service Providers
PCI Compliance is an Ongoing Process of Continuous Monitoring and Improvement.
The assessment stage is key.