PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013.
Transcript of PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013.
PCI-DSS
DON’T FALL IN ...
Agenda
• Intro
• Buzzwords
• PCI – What is it?
• PCI – Do’s and Don'ts
• How to eat an Elephant
• Divide & Conquer
• Questions & Answers
Intro … who is this clown?
• Realex Payments … Platform Operations Security Lead
• Certified … CISA. CISM. SSCP. CISSP.
• Former Chair of the Irish Information Security Forum
• Current Item Writer for ISC2
• Responsible for PCI Compliance in Realex Payments
Buzzwords
• Member organisations – Card Schemes are made up of member organisations, who can be Acquirers, Issuers, or both
• Merchant – Merchants are entities that “accept” Card transactions. Levels 1 – 4, with varying requirements for validation (by volume)
• Acquirer – Acquiring Bank; handles Merchant lines of credit
• Issuer – Issuing Bank; offers cards to the Cardholder
• Cardholder – Consumers. Customers … Punters
• Service Provider – Entities that service the processing, storing or transport of card information on behalf of Merchants, Acquirers, or Issuers
Merchant Levels … 1 to 4

| Level | Criteria | Validation |
|---|---|---|
| 1 | Process more than 6 Million txns | ROC – Report on Compliance; QSA – Qualified Security Assessor; ASV – Approved Scanning Vendor; Attestation of Compliance |
| 2 | Process 1 to 6 Million txns | SAQ – Self Assessment Questionnaire; ASV – Approved Scanning Vendor; Attestation of Compliance |
| 3 | Process 20,000 to 1 Million txns | SAQ; ASV (if applicable); Attestation of Compliance |
| 4 | All other merchants | SAQ – recommended; ASV (if applicable) |

Validation requirements are typically set by the Acquirer.
PCI … What is it?
• PCI DSS - Payment Card Industry Data Security Standard
• Published by the PCI Security Standards Council (PCI-SSC)
• PCI-SSC = Visa, MasterCard, Discover, American Express, JCB
• Baseline Information Security Standard that applies to ANY
business that “accept, capture, store, transmit, or process
Credit or Debit card data” – No exceptions.
• Information Security BASELINE. PCI is a floor. Not a ceiling.
PCI … Do’s
• Visit the PCI-SSC website (www.pcisecuritystandards.org)
• Read the FAQ (Frequently Asked Questions) Knowledge Base
• SAQ – Self Assessment Questionnaire
• A – Mail Order Telephone Order Merchants
• B – Imprint Only Merchants
• CVT – Virtual Terminals
• C – Merchants with Internet Payment Applications
• D – All other merchant types
PCI … Do’s … Prioritised Approach
• Have a clear, accurate and relevant Network Diagram.
• Inventory … cover your assets
• Data … where does it come from, and where does it go?
The Holy Trinity
• Policy Document
• Prioritised Approach Document
• Self Assessment Questionnaire
PCI … Don’ts
• Don’t PANIC - Don’t fall for the FUD. Don’t fall in The Hole.
• Don’t boil the ocean – Scope and Segmentation are crucial
• Don’t forget that PCI applies to your organisation, not your
chosen hardware or software products and tools
• Don’t think you can “buy” compliance with products
• Don’t confuse “Compliant” for “Secure”
• Don’t ignore PCI … it’s not going away
How to eat an Elephant …
PCI … 6 Objectives / Milestones
PCI … Divide & Conquer
• 225 individual tests, checks & proof points
• 12 Requirements
• 6 Objectives
• Prioritised Approach Document is your pal
Questions & Answers …
For your further reading enjoyment …
www.pcisecuritystandards.org/
www.pcisecuritystandards.org/faq/
www.pcisecuritystandards.org/security_standards/getting_started.php
www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx
www.iisf.ie
Irish Information Security Forum LinkedIn group … members only, just tell them I sent you!