A practical guide to PCI compliance
Matthew Page, IT security manager, Leeds Beckett University
14/11/2017
A Practical Guide to PCI Compliance
Matthew Page – IT Security Manager, PCI ISA

The Purpose of this Presentation
• To help those who are starting out on the PCI compliance journey
• Where to find help and documentation
• Formal courses tend to discuss the 12 requirements rather than how to become compliant
• It can be quite daunting, so I aim to provide an overview of PCI
• I’m not going to discuss:
– The requirements in detail
– The payment cycle
*For further information on these please review the documents referenced in the resources section.

What is PCI?
• Payment Card Industry

What is PCI?
• Payment card data and transactions, not direct debits or PayPal payments
*Courtesy of PCIDSSSIG

What is PCI?
• It’s not a legal requirement
• It’s a contractual requirement
• 12 main requirements (essentially a checklist)
• Mainly technical requirements, with procedural and policy-based requirements alongside them
• Who is PCI compliant?

Why Protect this Data?
• It’s very valuable data to hackers
• US company Target breach 2013-2014
– 40 million card details affected
– Cost Target $350 million
– 46% drop in profits
– 1-3 million cards sold on the black market
– Resignation of CEO
• Reputational impact
*Data source Axelos Resilia

6 Goals of PCI Compliance

Goal 1 – Build and maintain a secure network and systems
*Barclaycard
Associated Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2 – Protect cardholder data
*Barclaycard
Associated Requirements
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal 3 – Maintain a vulnerability management program
*Barclaycard
Associated Requirements
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications (patching and config)

Goal 4 – Implement strong access control measures
*Barclaycard
Associated Requirements
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Goal 5 – Regularly monitor and test networks
*Barclaycard
Associated Requirements
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes (pen tests, vulnerability scans, etc.)

Goal 6 – Maintain an information security policy
*Barclaycard
Associated Requirements
12. Maintain a policy that addresses information security for all personnel

Where are you now?
*Barclaycard
• Many of the goals and requirements will be already in place
• Some may need fine tuning and some will need significant effort to bring into line with the standard

12 Requirements & Sub Requirements
• 12 high level requirements
• All the requirements have sub requirements, totalling over 300 across the standard
• That’s a lot!
• Very expensive to adhere to them all and time consuming to support and maintain
• Good news: hopefully you won’t have to adhere to them all
• That’s not to say you should take shortcuts
• Depending on your environment you may not need to comply with all the requirements to be compliant
• This is where SAQs will help

The SAQs
Web Payments
• A and A-EP
Payment Terminals (Chip & PIN)
• B, B-IP & P2PE
Merchants who use a payment application system or Virtual Terminal to process card payments
• C & C-VT
Merchants who store cardholder data
• D
Requirement Description SAQ D SAQ C SAQ C-VT B-IP B A-EP* A P2PE
1 Firewall config Full Partial Partial Partial Partial
2 Vendor defaults Full Partial Partial Partial Partial Partial
3 Stored CHD Full Partial Partial Partial Partial Partial Partial
4 Encryption Full Partial Partial Partial Partial Partial
5 AV & patching Full Partial Partial Partial
6 Development Full Partial Partial Partial Partial
7 Restrict access Full Partial Partial Partial Partial Partial
8 Identify & authenticate Full Partial Partial Partial Partial Partial
9 Restrict physical access Full Partial Partial Partial Partial Partial Partial Partial
10 Track and monitor Full Partial Partial
11 Vulnerability testing Full Partial Partial Partial
12 Policies Full Partial Partial Partial Partial Partial Partial Partial

SAQ Requirements
• Refer to the ‘PCI SAQ Instructions and Guidelines’ document to determine which of your merchant accounts align with which SAQ, and speak to your acquirer to confirm

PCI SAQ Instructions and Guidelines Document

Merchant Levels & Assessment Criteria
Level 1
Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
Validation requirements:
• Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor (QSA) or a qualified internal security resource
• Quarterly network scan by an Approved Scan Vendor (ASV)
• Attestation of Compliance (AOC) form
QSA Services
• PCI assessment
• ROC
• Attestation sign off
• Gap analysis
ASV
• Tool to scan the network environment for vulnerabilities. Any high vulnerabilities are failures.

Merchant Levels
Level 1
Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.
Validation requirements:
• Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource
• Quarterly network scan by Approved Scan Vendor (ASV)
• Attestation of Compliance form
Level 2
Merchant criteria: Merchants processing one million to six million Visa transactions annually via all channels.
Validation requirements:
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by ASV
• Attestation of Compliance form
Level 3
Merchant criteria: Merchants processing 20,000 to one million Visa e-commerce transactions annually.
Validation requirements:
• Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com)
OR
• Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
Level 4 (e-commerce merchants only)
Merchant criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
Validation requirements:
• Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com)
OR
• Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)

Acquirers
• Who are the acquirers?
An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The acquirer enables merchants to accept card payments.
• They can help provide information regarding the number of merchant accounts in use and the volume of transactions being processed through them
• They are responsible for ensuring their associated merchants are PCI compliant and will ask you to provide an AOC
• If you are unable to do this you may start to receive threatening letters
• Don’t be afraid to challenge your acquirer
• Find your business relationship manager and build a relationship

Your Payment Gateways
• Identify where payments are being taken throughout the university
• Identify how card data traverses the network
• Is cardholder data stored as part of the process?
• Identify the SAQ level
• Identify the merchant level
• Speak to your acquirer; they will help verify your merchant and SAQ levels
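Answering "is cardholder data stored as part of the process?" usually means searching logs, exports and file shares for primary account numbers (PANs). The following is an added example, not part of the presentation: a small Python scanner that flags Luhn-valid 13 to 19 digit sequences in constructed sample lines and reports each hit with the PAN masked to first six and last four, so the scan output itself never becomes stored cardholder data. The file names and log lines are constructed sample data; the PANs in them are the well-known Visa and Amex test numbers.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run (so hashes and long IDs are skipped).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most phone numbers and order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four, the most a PCI DSS display may show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str      # file or data store the candidate was found in
    line_no: int     # 1-based line within that source
    masked_pan: str  # the full PAN is never kept or printed in scan output
    length: int      # PAN length, useful when triaging brand/format


def scan_lines(source: str, lines: Iterable[str]) -> List[Finding]:
    """Return Luhn-valid PAN candidates found in the given lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask_pan(digits), len(digits)))
    return findings


def scan_sources(sources: Dict[str, List[str]]) -> List[Finding]:
    """Scan several named sources (e.g. files) and collect all findings."""
    findings = []
    for name, lines in sources.items():
        findings.extend(scan_lines(name, lines))
    return findings


# Constructed sample data: one tokenised payment (fine), one clear-text PAN in a
# log, one Luhn-invalid number, one long hash, and one PAN in a CSV export.
SAMPLE_SOURCES = {
    "orders.log": [
        "2017-11-14 09:12:01 order=10023 card=4111 1111 1111 1111 amount=49.99",
        "2017-11-14 09:13:45 order=10024 card=tok_8f3a2c amount=12.50",
        "2017-11-14 09:15:10 ref=4111111111111112 phone=01132345678",
        "2017-11-14 09:16:02 sha=12345678901234567890 status=ok",
    ],
    "export.csv": [
        "name,pan,expiry",
        "A. Customer,378282246310005,12/19",
    ],
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no} PAN({f.length}) {f.masked_pan}")
```

Any hit outside a system you already know to be in the cardholder data environment is a scoping finding: either that store is in scope, or the data needs to be removed and the process changed so it is no longer written there.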

Reduce the Scope
• Are card payments segregated from the rest of your network?
• Can you segregate your networks?
• Avoid storing cardholder data
• Be aware of the problems with descoping
– perceptions that the entire network is as secure as the cardholder environment when in fact the rest has been descoped and therefore may not be maintained to the same standard
• Determine the cost of descoping: is it just easier to include everything?
• Remember PCI should be part of your data security strategy

The PCI Project
• It’s a project – create a plan
• Use the prioritised approach provided by PCI
• Collaborative approach with:
– IT
– Finance
– Governance
– Other relevant departments
– Acquirers
• Who should drive the project?
– IT
– Finance
– Governance
– ?
• Get buy-in
– You can’t do this alone

Resources
• Find a QSA: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
• Your Acquirer
• Merchant levels
– MasterCard: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
– Visa: https://www.visaeurope.com/receiving-payments/security/merchants
• PCIDSSSIG
– Training courses
– Foundation, Practitioner and ISA (free if you are a member)
– Resources: http://www.pcidsssig.org.uk/
• PCI Document library: https://www.pcisecuritystandards.org/document_library
• PCI Prioritised approach: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
• Guidance for Network Segmentation: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf?agreement=true&time=1510049283753

Final Thoughts
• It’s a checklist, so you can take one step at a time
• Training/reading: familiarise yourself with the standard
• Get project buy-in
• Speak to people (Finance, acquirers, staff)
• Determine the scope
• Work with the acquirers
• The goals of PCI are just the best practice elements we should all be implementing
• Different security/compliance standards will aid each other
• You don’t need to be an ISA, but it helps
Questions?
JISC Presentation.pptx
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptx
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptx
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptx
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptx
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 

Kürzlich hochgeladen

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

A practical guide to PCI compliance

  • 1. A practical guide to PCI compliance Matthew Page, IT security manager, Leeds Beckett University 14/11/2017
  • 2. A Practical Guide to PCI Compliance Matthew Page – IT Security Manager PCI ISA
  • 3. The Purpose of this Presentation
    • To help those who are starting out on the PCI compliance journey
    • Where to find help and documentation
    • Formal courses tend to discuss the 12 requirements rather than how to become compliant
    • It can be quite daunting, so I aim to provide an overview of PCI
    • I’m not going to discuss:
      – The requirements in detail
      – The payment cycle
    *For further information on these please review the documents referenced in the resources section.
  • 4. What is PCI?
    • Payment Card Industry
  • 5. What is PCI?
    • Payment card data and transactions, not direct debits or PayPal payments
    *Courtesy of PCIDSSSIG
  • 6. What is PCI?
    • It’s not a legal requirement
    • It’s a contractual requirement
    • 12 main requirements (essentially a checklist)
    • Mainly technical requirements, with procedural and policy-based requirements
    • Who is PCI compliant?
  • 7. Why Protect this Data?
    • It’s very valuable data to hackers
    • US company Target breach 2013-2014
      – 40 million card details affected
      – Cost Target $350 million
      – 46% drop in profits
      – 1-3 million cards sold on the black market
      – Resignation of CEO
    • Reputational impact
    *Data source Axelos Resilia
  • 8. A Practical Guide to PCI 6 Goals of PCI Compliance
  • 9. Goal 1 – Build and maintain a secure network and systems (*Barclaycard)
    Associated Requirements:
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • 10. Goal 2 – Protect cardholder data (*Barclaycard)
    Associated Requirements:
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
  • 11. Goal 3 – Maintain a vulnerability management program (*Barclaycard)
    Associated Requirements:
    5. Protect all systems against malware and regularly update antivirus software or programs
    6. Develop and maintain secure systems and applications (patching and config)
  • 12. Goal 4 – Implement strong access control measures (*Barclaycard)
    Associated Requirements:
    7. Restrict access to cardholder data by business need to know
    8. Identify and authenticate access to system components
    9. Restrict physical access to cardholder data
  • 13. Goal 5 – Regularly monitor and test networks (*Barclaycard)
    Associated Requirements:
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes (pen tests, vulnerability scans, etc.)
  • 14. Goal 6 – Maintain an information security policy (*Barclaycard)
    Associated Requirements:
    12. Maintain a policy that addresses information security for all personnel
  • 15. Where are you now? (*Barclaycard)
    • Many of the goals and requirements will already be in place
    • Some may need fine tuning and some will need significant effort to bring into line with the standard
  • 16. 12 Requirements & Sub-Requirements
    • 12 high-level requirements
    • All the requirements have sub-requirements, totalling over 300 across the standard
    • That’s a lot!
    • Very expensive to adhere to them all, and time consuming to support and maintain
    • Good news: hopefully you won’t have to adhere to them all
    • That’s not to say you should take shortcuts
    • Depending on your environment you may not need to comply with all the requirements to be compliant
    • This is where SAQs will help
  • 17. The SAQs
  • 18. The SAQs – Web Payments
    • A and A-EP
  • 19. The SAQs – Payment Terminals (Chip & Pin)
    • B, B-IP & P2PE
  • 20. The SAQs – Merchants who use a payment application system or Virtual Terminal to process card payments
    • C & C-VT
  • 21. The SAQs – Merchants who store cardholder data
    • D
  • 22. SAQ Requirements
    Table columns: Requirement, Description, then one column per SAQ: SAQ D, SAQ C, SAQ C-VT, B-IP, B, A-EP*, A, P2PE. SAQ D requires every requirement in full; each other SAQ requires only a subset, marked Partial (each row below lists only its populated cells, so the Partial entries cannot be assigned to individual SAQ columns here).
    1 Firewall config – Full, Partial, Partial, Partial, Partial
    2 Vendor defaults – Full, Partial, Partial, Partial, Partial, Partial
    3 Stored CHD – Full, Partial, Partial, Partial, Partial, Partial, Partial
    4 Encryption – Full, Partial, Partial, Partial, Partial, Partial
    5 AV & patching – Full, Partial, Partial, Partial
    6 Development – Full, Partial, Partial, Partial, Partial
    7 Restrict access – Full, Partial, Partial, Partial, Partial, Partial
    8 Identify & authenticate – Full, Partial, Partial, Partial, Partial, Partial
    9 Restrict physical access – Full, Partial, Partial, Partial, Partial, Partial, Partial, Partial
    10 Track and monitor – Full, Partial, Partial
    11 Vulnerability testing – Full, Partial, Partial, Partial
    12 Policies – Full, Partial, Partial, Partial, Partial, Partial, Partial, Partial
    • Refer to the ‘PCI SAQ Instructions and Guidelines’ document to determine which of your merchant accounts align with which SAQ, and speak to your acquirer to confirm
  • 23. A Practical Guide to PCI PCI SAQ Instructions and Guidelines Document
  • 24–27. Merchant Levels & Assessment Criteria
    Level 1 – Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
      Validation requirements:
      – Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or a qualified internal security resource
      – Quarterly network scan by an Approved Scan Vendor (ASV)
      – Attestation of Compliance form
    Level 2 – Merchant criteria: Merchants processing one million to six million Visa transactions annually via all channels.
      Validation requirements:
      – Annual Self-Assessment Questionnaire (SAQ)
      – Quarterly network scan by ASV
      – Attestation of Compliance form
    Level 3 – Merchant criteria: Merchants processing 20,000 to one million Visa e-commerce transactions annually.
      Validation requirements:
      – Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR
      – Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
    Level 4 – E-commerce merchants only. Merchant criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
      Validation requirements:
      – Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR
      – Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
    QSA Services
      • PCI assessment
      • ROC
      • Attestation sign-off
      • Gap analysis
    ASV
      • Tool to scan the network environment for vulnerabilities. Any high vulnerabilities are failures.
  • 28–29. Acquirers
    • Who are the acquirers? An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The acquirer enables merchants to accept card payments.
    • They can help provide information regarding the number of merchant accounts in use and the volume of transactions being processed through them
    • They are responsible for ensuring their associated merchants are PCI compliant and will ask you to provide an AOC
    • If you are unable to do this you may start to receive threatening letters
    • Don’t be afraid to challenge your acquirer
    • Find your business relationship manager and build a relationship
  • 30. Your Payment Gateways
    • Identify where payments are being taken throughout the university
    • Identify how card data traverses the network
    • Is cardholder data stored as part of the process?
    • Identify the SAQ level
    • Identify the Merchant level
    • Speak to your acquirer; they will help verify your Merchant and SAQ levels
  • 31. Reduce the Scope
    • Are card payments segregated from the rest of your network?
    • Can you segregate your networks?
    • Avoid storing cardholder data
    • Be aware of the problems with descoping – the perception that the entire network is as secure as the cardholder environment when in fact parts have been descoped and therefore may not be maintained to the same standard
    • Determine the cost of descoping – is it just easier to include everything?
    • Remember PCI should be part of your data security strategy
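Slides 30 and 31 both hinge on one question: is cardholder data actually stored anywhere in the process, and if so where, because every system holding a PAN is in scope. The script below is an added example and is not code from the presentation or from any of the bodies it cites. It scans a text export (a constructed sample is embedded) for candidate card numbers, confirms each one with the Luhn check so that phone numbers, order ids and timestamps are discarded, and reports only the line number and a masked value so that the scan itself does not create another copy of cardholder data. The file format, the sample lines, the test card numbers in them and the choice to reveal only the last four digits are all assumptions made for the example.

```python
"""Added example (not from the presentation): find stored PANs in a text export.

Everything below is constructed for the example: the sample export, the test
card numbers in it and the choice to report only the last four digits.
"""
import re
from typing import List, Tuple

# A PAN is 13-19 digits, often written with single spaces or hyphens between
# groups. The look-around assertions stop matches inside longer digit runs.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled and
    two-digit products are folded (18 -> 9) before summing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report itself holds no usable PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text.

    Phone numbers, order ids and timestamps either fail the length test or the
    Luhn check, so they are dropped without any brand-specific rules.
    """
    hits: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if len(set(digits)) == 1:   # 0000... style filler, never a real PAN
                continue
            if luhn_valid(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


# Constructed sample: a finance-system export that should hold only tokens.
# Line 1 carries a full PAN with spaces (a well-known test number), line 2 a
# 16-digit value that fails Luhn, line 3 a PAN hidden in a "reference" field,
# line 4 the tokenised form the process should produce instead.
SAMPLE_EXPORT = """\
2017-11-14 09:12:01 order=10231 card=4111 1111 1111 1111 exp=11/19
2017-11-14 09:12:05 order=10232 card=4111111111111112 exp=11/19
2017-11-14 09:13:40 contact phone=0113 812 0000 ref=TX-5500000000000004
2017-11-14 09:14:02 order=10233 token=tok_8f3c21 amount=42.00
"""


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {line_no}: stored PAN {masked}")
    # line 1: stored PAN ************1111
    # line 3: stored PAN ************0004
```

Run it over a mailbox export, a shared-drive spreadsheet dump or a web server log and any hit is a system that either needs to stop storing the PAN (tokenise, as line 4 does) or be brought into the cardholder data environment and maintained to its standard. Line 3 is the case that usually surprises people: a PAN pasted into a free-text reference field is still stored cardholder data, and a keyword search for "card" would never find it.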
  • 32. The PCI Project
    • It’s a project – create a plan
    • Use the prioritised approach provided by PCI
    • Collaborative approach with:
      – IT
      – Finance
      – Governance
      – Other relevant departments
      – Acquirers
    • Who should drive the project?
      – IT
      – Finance
      – Governance
      – ?
    • Get buy-in – you can’t do this alone
  • 33. Resources
    • Find a QSA: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
    • Your Acquirer
    • Merchant levels
      – MasterCard: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
      – Visa: https://www.visaeurope.com/receiving-payments/security/merchants
    • PCIDSSSIG
      – Training courses – Foundation, Practitioner and ISA (free if you are a member)
      – Resources: http://www.pcidsssig.org.uk/
    • PCI Document library: https://www.pcisecuritystandards.org/document_library
    • PCI Prioritised approach: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
    • Guidance for Network Segmentation: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf?agreement=true&time=1510049283753
  • 34. Final Thoughts
    • It’s a checklist, so you can take one step at a time
    • Training/reading: familiarise yourself with the standard
    • Get project buy-in
    • Speak to people (Finance, Acquirers, staff)
    • Determine the scope
    • Work with the acquirers
    • The goals of PCI are just the best-practice elements we should all be implementing
    • Different security/compliance standards will aid each other
    • You don’t need to be an ISA, but it helps

Editor's Notes

  1. Thanks to Jisc for the late shift. I hope you have all had a coffee at the break.
  2. Who is PCI compliant? Show of hands.
  3. Hacking techniques are changing.
  4. Who is Cyber Essentials compliant? Show of hands.