PCI_Presentation_OASIS

Payment Card Industry DSS (PCI)
Presented By: Claire Gallagher EVP, OASIS Group
November 11th, 2013

Transcript of PCI_Presentation_OASIS

Page 1: PCI_Presentation_OASIS

Payment Card Industry DSS (PCI)

Presented By: Claire Gallagher EVP, OASIS Group

November 11th, 2013

Page 2: PCI_Presentation_OASIS

Payment Card Industry DSS (PCI)

What is PCI DSS? Payment Card Industry Data Security Standard

A collaborative effort to achieve a common set of security standards for use by entities that process, store or transport payment card data.

Page 3: PCI_Presentation_OASIS

Agenda

•  Overview of PCI DSS

•  Compliance Levels and Requirements

•  How we Achieved PCI Compliance

•  Benefits of PCI to you & your Clients

•  Lessons Learnt

•  Discussion, Questions

Page 4: PCI_Presentation_OASIS

Overview of PCI

Topics in this section

•  PCI-DSS Defined

•  Merchant Level

•  Service Provider Levels

•  PCI Assessments

•  PCI Enforcement

Page 5: PCI_Presentation_OASIS

PCI Defined

Payment Card Industry Data Security Standard: A collaborative effort to achieve a common set of security standards for use by entities that process, store or transport payment card data.

Page 6: PCI_Presentation_OASIS

Multiple Credit Card Organisations Participating in PCI Efforts:

Members Include

•  Visa

•  MasterCard

•  American Express (Amex)

•  Diners Club

•  Discover Card

•  JCB

Page 7: PCI_Presentation_OASIS

Merchant Levels

Level 1: Any Merchant processing over 6,000,000 transactions per year, compromised in the last year, or identified by another payment card brand as Level 1

Level 2: Any Merchant processing between 150,000 and 6,000,000 e-commerce transactions per year, or identified by another payment card brand as Level 2

Level 3: Any Merchant processing between 20,000 and 150,000 e-commerce transactions per year, or identified by another payment card brand as Level 3

Level 4: Any Merchant processing less than 20,000 e-commerce transactions per year, and all other Merchants processing up to 6,000,000 transactions per year

Page 8: PCI_Presentation_OASIS

Service Provider Levels

Level 1
Criteria: Visa System Processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Validation Requirements: Annual Report on Compliance (ROC) by QSA, Quarterly network scan by Approved Scanning Vendor (ASV), Attestation of Compliance (AOC) Form
Result: Included on Visa Europe’s List of PCI DSS validated service providers

Level 2
Criteria: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Validation Requirements: Annual Self-Assessment Questionnaire (SAQ), Quarterly network scan by Approved Scanning Vendor (ASV), Attestation of Compliance (AOC)
Result: Not included on Visa Europe’s List of PCI DSS validated service providers

Page 9: PCI_Presentation_OASIS

Merchant Requirements

Level     QSA Onsite Review     Self Assessment          Network Security Scan
Level 1   REQUIRED (Annually)   Not Required             REQUIRED (Quarterly)
Level 2   Not Required          REQUIRED (Annually)      REQUIRED (Quarterly)
Level 3   Not Required          REQUIRED (Annually)      REQUIRED (Quarterly)
Level 4   Not Required          Recommended (Annually)   Recommended (Annually)

Page 10: PCI_Presentation_OASIS

Service Provider Requirements

Level     QSA Onsite Review     Self Assessment          Network Security Scan
Level 1   REQUIRED (Annually)   Not Required             REQUIRED (Quarterly)
Level 2   REQUIRED (Annually)   REQUIRED (Annually)      REQUIRED (Quarterly)
Level 3   Not Required          REQUIRED (Annually)      REQUIRED (Quarterly)

Page 11: PCI_Presentation_OASIS

PCI DSS Structure

Six Key Sections:

•  Build and Maintain a Secure Network

•  Protect Cardholder Data

•  Maintain a Vulnerability Management Program

•  Implement Strong Control Measures

•  Regularly Monitor and Test Networks

•  Maintain an Information Security Policy

Page 12: PCI_Presentation_OASIS

Network Scanning

Targets Internet Facing Devices, Systems and Applications, Including:

•  Routers and Firewalls

•  Servers and Hosts (Including Virtual!)

•  Applications

Page 13: PCI_Presentation_OASIS

Self Assessment

A selected subset of the full Onsite Audit criteria, completed by the Merchant or Service Provider and submitted to the Acquirer(s) (e.g. Visa, Mastercard). Made up mainly of Yes/No/Not Applicable responses. Broken into five of the six sections from PCI DSS:

•  Build and Maintain a Secure Network

•  Protect Cardholder Data

•  Implement Strong Control Measures

•  Regularly Monitor and Test Networks

•  Maintain an Information Security Policy

Page 14: PCI_Presentation_OASIS

QSA Onsite Review

•  Is a detailed audit against the PCI Data Security Standard

•  Potentially targets all systems and networks that store, process and/or transmit cardholder information

•  Includes review of contractual relationships, but not assessment of the Third Parties themselves

•  Biggest difficulties in having onsite reviews are the initial scoping and the subsequent cost of correction to compliant levels

•  QSA provides a Report on Compliance, when compliant, for submission to the Acquirer. Interim reports may be requested by the Acquirer.

Page 15: PCI_Presentation_OASIS

PCI Enforcement

•  Visa and MasterCard require their Acquirers to ensure the compliance of their Merchants and Service Providers.

•  Visa and MasterCard are able to penalise their Acquirers for having Merchants or Service Providers that are noncompliant.

•  Acquirers can pass on penalties to their Merchants and Service Providers through their contractual relationships.

•  Penalties can presently be financial against the Acquirer and restrict a Merchant’s / Service Provider’s ability to accept transactions.

Page 16: PCI_Presentation_OASIS

How OASIS Achieved Compliance

•  Engaged a third party Qualified Security Assessor (QSA).

•  Undertook a Gap Analysis. A Gap Analysis identifies the measurable gap between current policies, procedures and practices and the Payment Card Industry Data Security Standard. It is the preferred route for identifying mechanisms to reduce the risks, costs and processes associated with achieving compliance.

•  Scored 82% on the Gap Analysis.

•  ISO 27001 covered a lot of the requirements in the PCI.

•  1 week to close off issues raised in the Gap Analysis, e.g. Data Classification Policy, Abandoned Boxes Policy, Annual Information Security Training Program.

Page 17: PCI_Presentation_OASIS

Benefits of PCI to You & Your Clients

•  Benefit #1: Decreased Risk of Security Breaches. PCI compliance isn't just about satisfying a list of guidelines; it's a very real and proven way to protect your and your customers' data from outside attacks. In fact, a recent Verizon study found that compliant businesses are 50% more likely to successfully withstand a breach.

•  Benefit #2: Peace of Mind for You (and Your Clients). With breaches much less likely to happen, you'll have one less thing to worry about in the daily course of running your business. You'll appreciate this peace of mind, and over time, your customers will, too (see the next benefit below).

Page 18: PCI_Presentation_OASIS

Benefits of PCI to You & Your Clients Continued…

Benefit #3: Boost in Customer Confidence. Your customers may not currently understand every detail about what it means to be compliant, but their awareness of the issue is growing. Every day, more and more of your customers are growing savvy about how their data is protected when they use their credit cards. It's only a matter of time before customers see PCI compliance as a sign that your business follows best practices. That feeling of security will directly increase buyers' confidence and make them more likely to choose you over a non-compliant competitor.

Page 19: PCI_Presentation_OASIS

Benefits of PCI to You & Your Clients Continued…

Benefit #4: Avoid Costly Fines. PCI compliance dramatically lowers your likelihood of getting breached, but it doesn't completely eliminate the possibility. If you are breached, fines can grow as high as $500,000 per incident. Companies that are PCI compliant significantly reduce their risk of a breach, and therefore their likelihood of receiving a fine. If a company is breached, regardless of its state of compliance, it must immediately inform customers and its processor of the data breach in writing. The processor or bank will initiate an audit of that company to see if the merchant was in fact PCI DSS compliant at the time of the breach.

Benefit #5: Relatively Quick and Easy. This is one benefit that comes from what PCI compliance doesn't do: with the right partner, you won't have to make any substantial changes or disruptions to your business while attaining compliance. The process may seem complicated (and in many ways, it is), but a good compliance partner will shield you from the complexities and make it seem simple.

Page 20: PCI_Presentation_OASIS

Lessons Learned

•  Already having the ISO 27001 was a huge advantage, as the majority of the work was done, as proven in our Gap Analysis.

•  Unless it is a definite requirement for your client, it is easier not to process credit card information and to remain a Merchant user.

•  Take the time to choose the right QSA

Page 21: PCI_Presentation_OASIS

Download Presentation

www.oasisgroup.eu

Page 22: PCI_Presentation_OASIS

Questions???