4/30/12

PCI-DSS: What does it mean to me?

Presented by

What is PCI-DSS?

PCI-DSS is a compliance standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI-DSS was developed by the major credit card companies (VISA, Mastercard, etc.) as a guideline to help organisations that process card payments prevent credit card fraud, hacking and various other security issues.

What are the Requirements?

Organisations that are required to be compliant under the scheme must adhere to 12 PCI compliance requirements within 6 control objectives. These are:

1. Build and Maintain a Secure Network
   Requirement 1: Install and maintain a firewall configuration to protect cardholder data
   Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data
   Requirement 3: Protect stored cardholder data
   Requirement 4: Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
   Requirement 5: Use and regularly update anti-virus software
   Requirement 6: Develop and maintain secure systems and applications

4. Implement Strong Access Control Measures
   Requirement 7: Restrict access to cardholder data by business need-to-know
   Requirement 8: Assign a unique ID to each person with computer access
   Requirement 9: Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks
   Requirement 10: Track and monitor all access to network resources and cardholder data
   Requirement 11: Regularly test security systems and processes

6. Maintain an Information Security Policy
   Requirement 12: Maintain a policy that addresses information security

Merchant Levels

Level 1
Criteria: Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
Validation Requirements: Annual Onsite Security Audit (reviewed by a QSA, or by Internal Audit if signed by an officer of the merchant company and pre-approved by the acquirer) and Quarterly Scan by an Approved Scanning Vendor (ASV)

Level 2
Criteria: Merchants with 1,000,000 to 6 million transactions a year
Validation Requirements: Annual Self Assessment Questionnaire, Quarterly Scan by an Approved Scanning Vendor (ASV)

Level 3
Criteria: Merchants with 20,000 to 1,000,000 transactions a year
Validation Requirements: Quarterly Scan by an Approved Scanning Vendor (ASV), Annual Self Assessment Questionnaire

Level 4
Criteria: Merchants with less than 20,000 transactions a year
Validation Requirements: Annual Self Assessment Questionnaire, Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria)

Where do I start?

All merchants will fall into one of the four merchant levels based on transaction volume over a 12-month period. Your acquiring bank will determine your level.

Identify your Validation Type as defined by PCI. This is used to determine which Self Assessment Questionnaire is appropriate for your business.

Becoming Compliant

There are generally three main stages of compliance:

Collecting and Storing
This involves the secure collection and tamper-proof storage of log data so that it is available for analysis. This is the ability to prove

Reporting

Why should I comply?

Negative consequences of noncompliance:

Legal action
Acquiring banks terminate their relationship with you or increase fees
Government fines

Be aware!!!

PCI-DSS tells you what you need to do; what standards you need to meet to be compliant. PCI-DSS does not tell you how to become compliant; that is individual to your situation and your environment:

Your systems
Your processes
Your vendors

What are the benefits?

Protect your customers' personal data
Boost customer confidence through a higher level of data security
Insulate you from financial losses and remediation costs
Maintain customer trust, and safeguard the reputation of your brand
Provide a complete health check and peace of mind

Thank you.

QUESTIONS?