- 1. PCI DSS in Retail
Now and into the Future
Presenter: Stephen O’Boyle, Head of Consultancy
© Espion Sept 2013
For more information
visit www.espiongroup.com
- 2. Agenda
1. Current PCI process
– Challenges for
• Small retailers
• Large retailers
2. Point to Point Encryption (P2PE)
3. PCI DSS v3 Highlights
– Clarification
– Additional Guidance
– Evolving Requirement
4. Summary
- 3. Current PCI process
• PCI Standards - strong framework for protecting
payment card data
• Principles apply to various environments and industry
verticals, including small to large retailers
– Wherever cardholder data is processed, stored, or transmitted
• Size & type of business will determine the specific
compliance requirements that must be met
• Enforcement and fines managed by payment brands /
acquirers
– Not the PCI Council
- 4. Challenges
• Small Retailers
– Awareness of compliance requirements
– Implications of non-compliance
• Fines, reputational damage
– Identifying correct scope
– Performing a self-assessment against the
appropriate SAQ
- 5. Challenges
• Large Retailers
– Identifying scope
– Staff awareness
– Annual audits / SAQ
– Maintaining compliance
– P2PE
- 6. Point to Point Encryption
• Point-to-Point Encryption (P2PE) is designed to
– Reduce PCI DSS scope
– Protect cardholder data throughout the electronic payment
processing cycle
• Protects the data from the moment it is captured at the card swipe
until the payment settlement process is complete
• Sometimes referred to as End-to-End Encryption
• “...remember, no silver bullet to securing a payment
environment,” said Bob Russo, general manager, PCI
SSC
– “Implementing one of these technologies will not automatically
make you compliant with the PCI DSS”.
- 7. Point to Point Encryption
• The PCI SSC has produced guidance on P2PE; a validated (compliant)
solution qualifies for reduced PCI DSS scope. The guidance also states:
– P2PE solutions do not eliminate the need to maintain PCI DSS
compliance for specific systems
– Recognizes the need for a set of criteria to validate the
effectiveness of P2PE solutions so that merchants can have
confidence that the solution they deploy properly secures
cardholder data
• Previously, no global standardization of point-to-point
encryption technology, or validation of its implementation,
existed in the industry.
- 8. PCI DSS v3 – Change Highlights
• Types of changes to the Standards are
categorized as follows:
1. Clarification
2. Additional Guidance
3. Evolving Requirement
- 9. Clarification - PCI DSS v3
• Enhanced testing procedures to clarify the level of
validation expected for each requirement
– To put more emphasis on the quality and consistency of
assessments.
• Clarified that sensitive authentication data must not be
stored after authorization even if PAN is not present
– To ensure better understanding of protection of sensitive
authentication data.
• Clarified the intent and scope of daily log reviews
– To help entities focus log-review efforts on identifying
suspicious activity and allow flexibility for review of less-critical log events, as defined by the entity’s
- 10. Additional Guidance - PCI DSS v3
• Added guidance for all requirements with content from
the former Navigating PCI DSS Guide
– To assist understanding of security objectives and intent of
each requirement
• Added guidance for implementing security into business-as-usual (BAU)
activities and best practices for maintaining on-going PCI DSS compliance
– To address compromises where the organization had been
PCI DSS compliant but did not maintain that status.
– Recommends focus on helping organizations take a
proactive approach to protect cardholder data that focuses
on security, not compliance, and makes PCI DSS a
business-as-usual practice.
- 11. Evolving Requirement - PCI DSS v3
• Updated the list of common vulnerabilities in alignment with
OWASP, NIST, SANS, etc., for inclusion in secure coding
practices
– To keep current with emerging threats
• Evaluate evolving malware threats for systems not
commonly affected by malware
– To promote on-going awareness and due diligence to
protect systems from malware
- 12. Summary
• Current PCI process
• Point to Point Encryption (P2PE)
• Highlights of changes in PCI DSS v3
- 14. About Espion
Information Risk, Security & Compliance
Digital Investigations & Litigation Support
Insight, Intelligence & Control
Expertise, Innovation & IP
Knowledge Transfer and Certification
Technology & Product Distribution