SlideShare ist ein Scribd-Unternehmen logo

PCI What When AISA Sydney 2009

J
Jason Edelstein
Technologie
1 von 20
Downloaden Sie, um offline zu lesen
AISA Sydney 15th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd www.senseofsecurity.com.au
Agenda • Overview of PCI DSS • Compliance requirements – What & When • Risks & consequences of non-compliance • Lessons learned & prioritising remediation • Approach for PCI compliance www.senseofsecurity.com.au
PCI Security Standards Council Members PCI DSS is developed to encourage and enhance cardholder data security www.senseofsecurity.com.au
Terminology: Merchant, Acquirer, Issuer and Service Provider Merchant Customer requests Client OR purchase transaction on PC OR Merchant receives Merchant swipes the card, authorisation response and enters the dollar amount. completes the transaction. Merchant bank forwards Authorisation request authorisation response is sent to acquiring to merchant. merchant bank. Customer bank sends Service funds to merchant bank. Providers Merchant bank sends transaction information to Customer bank customer bank verifies credit card : k: a nk (Issuer) through an and clears request. B Card Scheme tB m er r an irer sto sue Network h C u Is erc cqu M A www.senseofsecurity.com.au
Who must comply? • Everyone who stores, processes or transmits cardholder data must comply with PCI DSS – PCI compliance is mandatory – PCI applies to all parties in the payment process – You cannot be partially compliant: Compliance is PASS/FAIL www.senseofsecurity.com.au
Who must comply? • If you outsource components of your PCI process to Service Providers, they must comply – Either they are included in your scope – Or they must provide evidence to demonstrate their compliance www.senseofsecurity.com.au
2: Compliance requirements – What & When Six Goals, Twelve Requirements The Payment Card Industry Data Security Standard (PCI DSS) Build and Maintain a 1. Install and maintain a firewall configuration to protect Secure Network cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software Management Program 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need-to- Control Measures know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and 10. Track and monitor all access to network resources and Test Networks cardholder data 11. Regularly test security systems and processes Maintain an Information 12. Maintain a policy that addresses Security Policy information security www.senseofsecurity.com.au
PCI DSS Merchant Levels (Visa and Mastercard) Level 1 Level 2 Level 3 Level 4 More than 6m Between 1m Between 20k All Others Transactions or and 6m and 1m (Under 20k e- Cardholder data transactions e-commerce commerce and has been transactions under 1m compromised transactions) Self Not Required Mandated Mandated Mandated Assessment * Vulnerability Mandated Mandated Mandated Mandated Scan † Onsite Mandated Not Required Not Required Not Required Review ‡ Example: Visa penalties of US$10k & US$5k / merchant / month from Sept 2009 for Merchant Levels 1 and 2 respectively. Acquirer is liable. www.senseofsecurity.com.au
Westpac Merchant Levels (Visa/MasterCard/Bankcard) Level 3 Level 2 Level 1 Level 0 Above Between Between Under A$800,000 or A$150,000 & A$30,000 & A$30,000 Cardholder data A$800,000 A$150,000 has been compromised Self Mandated Mandated Mandated Not Required Assessment * Vulnerability Mandated Mandated Not Required Not Required Scan † Onsite Mandated Not Required Not Required Not Required Review ‡ www.senseofsecurity.com.au
Service Provider Obligations Level Visa MasterCard American Requirement Express 1 VisaNet All Third Party All Third •Annual onsite review & processors or any Processors (TPP) Party ROC by Qualified service provider Processors Security Assessor that stores, All Data Storage (TPP) (QSA) processes and/or Entities (DSE) that •Quarterly network transmits over store, transmit or security scan by ASV 300k transactions process greater than (Approved Scanning / year 1m transactions Vendor) 2 Any service All DSEs that store, N/A •Annual completion of provider that transmit or process PCI DSS self stores, processes less than 1m assessment and/or transmits transactions questionnaire less than 300k •Quarterly network transactions / year security scan by ASV Feb.1, 2009: Only Level 1 service providers will be listed on Visa’s List of PCI DSS Compliant Service Providers www.senseofsecurity.com.au
Who must comply and When? • Merchants, Acquirers, Issuers, Service Providers: – PCI Compliance is mandatory NOW. • Merchants: VISA penalties will apply: – September 30, 2009: Level 1& 2: Attest to not storing prohibited data (aligned with Acquirers) – September 30, 2010: Level 1: Full compliance – Fines are issued to the Acquiring Bank, who may pass it on to the Merchant www.senseofsecurity.com.au
Who must comply and When? • Acquirers (per VISA) – September 30, 2009 - Attest to not storing prohibited data (aligned with level 1 merchants) – September 30, 2010 - Full PCI DSS compliance - (if not compliant provide ROC and remediation plan for evaluation) • Service Providers – Need to provide evidence of compliance to align with their client’s PCI compliance programs www.senseofsecurity.com.au
3: Risks & consequences of non- compliance • Risks – PCI DSS is mandatory – Breach impact can be massive (Forrester Research: US$90 to US$305 per lost record) • Consequences – Card imposed fines up to US$500,000 per incident – Legal authorities need to be notified & free credit protection offered to those affected – Brand impacts (customer & shareholder level) & legal action by card holders www.senseofsecurity.com.au
Performance gains expected from ongoing IT controls and compliance • Loss from security events • Detection of security breaches via automated controls • Unplanned work • Success rate of changes • First fix rate • Servers per system administrator Source: IT Process Institute, 2006 - 2009 www.senseofsecurity.com.au
4: Lessons learned & prioritising remediation Lessons learned – Tips to avoid failure Top 5 Failed Requirements Relevant Compromise Recommended Tactics Requirement 3: Protect stored Unencrypted spreadsheet data; Store less data; data unsecured physical assets Understand the flow of data; Encrypt data Requirement 11: Regularly POS/shopping cart application Rigorously test applications; test security systems and vulnerabilities; most data Scan quarterly processes compromises can be attributed to a Web application vulnerability Requirement 8: Assign a Weak or easily guessed Improve security awareness unique ID to each person with administrative account computer access passwords Requirement 10: Track & Lack of log monitoring and IDS Install intrusion detection or monitor all access to network data; prevention devices; resources & cardholder data Poor logging tools Improve log monitoring and retention Requirement 1: Install & Card numbers in the DMZ; Segment credit card networks and maintain a firewall Segmentation flaws control access to them configuration to protect data Source: Verisign www.senseofsecurity.com.au
Lessons learned – Managing a PCI audit • PCI is about people and business processes as well as systems • Engage with experts • Reduce scope where possible • Set and manage expectations • Have friends (internally) in high places • Ensure governance for PCI audit is in place www.senseofsecurity.com.au
Prioritising remediation effort Prioritised Approach PCI SSC 2009 Six security milestones: 1. Remove sensitive authentication data and limit data retention 2. Protect the perimeter, internal, and wireless networks 3. Secure payment card applications 4. Monitor and control access to your systems 5. Protect stored cardholder data 6. The rest, and ensure all controls are in place www.senseofsecurity.com.au
5: Approach for PCI compliance Start with a Scope Review PCI DSS applies to any network component, server or application included or connected to the card-holder data environment Start with a Scope Review, addressing: – Network Segmentation – Wireless – Third Party / Outsourcing – Sample Business Facilities & System Cmpnts – Compensating Controls www.senseofsecurity.com.au
PCI Assessment Approach • Then commence the PCI Audit – Preparation – On-site Audit – Post-site Analysis and Reporting – Remediation – Final Audit and Lodgement – Maintenance • Expect the PCI compliance program to take 6 to 12 months to complete www.senseofsecurity.com.au
Thank you David Light Sense of Security Pty Ltd Level 3, 66 King Street Sydney NSW 2000 T: +61 (0)2 9290 4444 M: +61 (0)423 121 217 W: www.senseofsecurity.com.au E: DavidL@senseofsecurity.com.au www.senseofsecurity.com.au

Empfohlen

Ecommerce Chap 08
Ecommerce Chap 08Ecommerce Chap 08
Ecommerce Chap 08
Pimsat University
 
EMV chip cards
EMV chip cardsEMV chip cards
EMV chip cards
Dilip Kumar
 
Sploitego
SploitegoSploitego
Sploitego
London School of Cyber Security
 
Abdullin modern payments security. emv, nfc, etc
Abdullin modern payments security. emv, nfc, etcAbdullin modern payments security. emv, nfc, etc
Abdullin modern payments security. emv, nfc, etc
DefconRussia
 
Smart Card EMV for Dummies
Smart Card EMV for DummiesSmart Card EMV for Dummies
Smart Card EMV for Dummies
Silly Beez
 
Introduction to emv
Introduction to emvIntroduction to emv
Introduction to emv
Anil Chaurasiya
 
Mis06
Mis06Mis06
Mis06
Lee Gomez
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSecure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the Web
SafeNet
 

Empfohlen

Ecommerce Chap 08
Ecommerce Chap 08Ecommerce Chap 08
Ecommerce Chap 08
Pimsat University
 
EMV chip cards
EMV chip cardsEMV chip cards
EMV chip cards
Dilip Kumar
 
Sploitego
SploitegoSploitego
Sploitego
London School of Cyber Security
 
Abdullin modern payments security. emv, nfc, etc
Abdullin modern payments security. emv, nfc, etcAbdullin modern payments security. emv, nfc, etc
Abdullin modern payments security. emv, nfc, etc
DefconRussia
 
Smart Card EMV for Dummies
Smart Card EMV for DummiesSmart Card EMV for Dummies
Smart Card EMV for Dummies
Silly Beez
 
Introduction to emv
Introduction to emvIntroduction to emv
Introduction to emv
Anil Chaurasiya
 
Mis06
Mis06Mis06
Mis06
Lee Gomez
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSecure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the Web
SafeNet
 
Chip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attackChip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attack
- Mark - Fullbright
 
EMV Overview
EMV OverviewEMV Overview
EMV Overview
Kona Software Lab Limited.
 
A Practical Guide to EMV
A Practical Guide to EMVA Practical Guide to EMV
A Practical Guide to EMV
Upserve
 
Key Things to Know About EMV
Key Things to Know About EMVKey Things to Know About EMV
Key Things to Know About EMV
Corral Solutions
 
Emv and fraud
Emv and fraudEmv and fraud
Emv and fraud
Ujwal Tamminedi
 
Clydestone Profile
Clydestone ProfileClydestone Profile
Clydestone Profile
Eve Adams
 
Pay your payments safely merchant account services by jay wigdore
Pay your payments safely merchant account services by jay wigdorePay your payments safely merchant account services by jay wigdore
Pay your payments safely merchant account services by jay wigdore
JayWigdore
 
emv-ebook
emv-ebookemv-ebook
emv-ebook
Richard Dover
 
Infinite C Scope
Infinite C ScopeInfinite C Scope
Infinite C Scope
TosinOgunkunle
 
Woe zaal a 17.15 17.45 Intrum&Buckaroo
Woe zaal a 17.15 17.45 Intrum&BuckarooWoe zaal a 17.15 17.45 Intrum&Buckaroo
Woe zaal a 17.15 17.45 Intrum&Buckaroo
webwinkelvakdag
 
PayU 3D Secure Merchant Guide
PayU 3D Secure Merchant GuidePayU 3D Secure Merchant Guide
PayU 3D Secure Merchant Guide
Penny Paine
 
Emv Explained in few words
Emv Explained in few words Emv Explained in few words
Emv Explained in few words
Banque Populaire Du Rwanda
 
Ec module 4
Ec module 4Ec module 4
Ec module 4
Sakshi Nagpal
 
Hickman threat modeling
Hickman threat modelingHickman threat modeling
Hickman threat modeling
jonecx
 
ipai online pos solutions
ipai online pos solutionsipai online pos solutions
ipai online pos solutions
Beverly Xu
 
EMV 201 EMF June 2016
EMV 201 EMF June 2016EMV 201 EMF June 2016
EMV 201 EMF June 2016
Philip Andreae
 
Pay Easy Solutions International
Pay Easy Solutions InternationalPay Easy Solutions International
Pay Easy Solutions International
jeanieaguilar
 
PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007
Jason Edelstein
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Paymetric, Inc.
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
amadhireddy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Clydestone Profile
Clydestone ProfileClydestone Profile
Clydestone Profile
Eve Adams
 
Woe zaal a 17.15 17.45 Intrum&Buckaroo
Woe zaal a 17.15 17.45 Intrum&BuckarooWoe zaal a 17.15 17.45 Intrum&Buckaroo
Woe zaal a 17.15 17.45 Intrum&Buckaroo
webwinkelvakdag
 
Hickman threat modeling
Hickman threat modelingHickman threat modeling
Hickman threat modeling
jonecx
 
ipai online pos solutions
ipai online pos solutionsipai online pos solutions
ipai online pos solutions
Beverly Xu
 
Pay Easy Solutions International
Pay Easy Solutions InternationalPay Easy Solutions International
Pay Easy Solutions International
jeanieaguilar
 

Was ist angesagt? (17)

Chip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attackChip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attack
 
EMV Overview
EMV OverviewEMV Overview
EMV Overview
 
A Practical Guide to EMV
A Practical Guide to EMVA Practical Guide to EMV
A Practical Guide to EMV
 
Key Things to Know About EMV
Key Things to Know About EMVKey Things to Know About EMV
Key Things to Know About EMV
 
Emv and fraud
Emv and fraudEmv and fraud
Emv and fraud
 
Clydestone Profile
Clydestone ProfileClydestone Profile
Clydestone Profile
 
Pay your payments safely merchant account services by jay wigdore
Pay your payments safely merchant account services by jay wigdorePay your payments safely merchant account services by jay wigdore
Pay your payments safely merchant account services by jay wigdore
 
emv-ebook
emv-ebookemv-ebook
emv-ebook
 
Infinite C Scope
Infinite C ScopeInfinite C Scope
Infinite C Scope
 
Woe zaal a 17.15 17.45 Intrum&Buckaroo
Woe zaal a 17.15 17.45 Intrum&BuckarooWoe zaal a 17.15 17.45 Intrum&Buckaroo
Woe zaal a 17.15 17.45 Intrum&Buckaroo
 
PayU 3D Secure Merchant Guide
PayU 3D Secure Merchant GuidePayU 3D Secure Merchant Guide
PayU 3D Secure Merchant Guide
 
Emv Explained in few words
Emv Explained in few words Emv Explained in few words
Emv Explained in few words
 
Ec module 4
Ec module 4Ec module 4
Ec module 4
 
Hickman threat modeling
Hickman threat modelingHickman threat modeling
Hickman threat modeling
 
ipai online pos solutions
ipai online pos solutionsipai online pos solutions
ipai online pos solutions
 
EMV 201 EMF June 2016
EMV 201 EMF June 2016EMV 201 EMF June 2016
EMV 201 EMF June 2016
 
Pay Easy Solutions International
Pay Easy Solutions InternationalPay Easy Solutions International
Pay Easy Solutions International
 

Ähnlich wie PCI What When AISA Sydney 2009

PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007
Jason Edelstein
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Paymetric, Inc.
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
amadhireddy
 
PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminar
dlinehan2
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overview
b28stu
 
Payliance Industry partner program
Payliance Industry partner programPayliance Industry partner program
Payliance Industry partner program
DustinP_Channel
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
Evolve Pci Compliance
Evolve Pci ComplianceEvolve Pci Compliance
Evolve Pci Compliance
hypknight
 

Ähnlich wie PCI What When AISA Sydney 2009 (20)

PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva...
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
 
Adventures in PCI Wonderland
Adventures in PCI WonderlandAdventures in PCI Wonderland
Adventures in PCI Wonderland
 
Mb2420032007
Mb2420032007Mb2420032007
Mb2420032007
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
 
PCI Compliance 101
PCI Compliance 101PCI Compliance 101
PCI Compliance 101
 
PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminar
 
E-commerce & WordPress: Navigating the Minefield
E-commerce & WordPress: Navigating the MinefieldE-commerce & WordPress: Navigating the Minefield
E-commerce & WordPress: Navigating the Minefield
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overview
 
Payliance Industry partner program
Payliance Industry partner programPayliance Industry partner program
Payliance Industry partner program
 
EMV Credit Card Technology in Parking
EMV Credit Card Technology in ParkingEMV Credit Card Technology in Parking
EMV Credit Card Technology in Parking
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
 
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011
 
Evolve Pci Compliance
Evolve Pci ComplianceEvolve Pci Compliance
Evolve Pci Compliance
 
Card & Payments Industry Overview
Card & Payments Industry OverviewCard & Payments Industry Overview
Card & Payments Industry Overview
 

Mehr von Jason Edelstein

Sense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated EnvironmentsSense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated Environments
Jason Edelstein
 
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the FundamentalsSense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Jason Edelstein
 
PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009
Jason Edelstein
 
Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009
Jason Edelstein
 
Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009
Jason Edelstein
 

Mehr von Jason Edelstein (9)

Sense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise securitySense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise security
 
Sense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated EnvironmentsSense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated Environments
 
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the FundamentalsSense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
 
PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009
 
Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009
 
Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009
 
Virtualisation: Pitfalls in Corporate VMware Implementations
Virtualisation: Pitfalls in Corporate VMware ImplementationsVirtualisation: Pitfalls in Corporate VMware Implementations
Virtualisation: Pitfalls in Corporate VMware Implementations
 
VoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldVoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate World
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

PCI What When AISA Sydney 2009

  • 1. AISA Sydney 15th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd www.senseofsecurity.com.au
  • 2. Agenda • Overview of PCI DSS • Compliance requirements – What & When • Risks & consequences of non-compliance • Lessons learned & prioritising remediation • Approach for PCI compliance www.senseofsecurity.com.au
  • 3. PCI Security Standards Council Members PCI DSS is developed to encourage and enhance cardholder data security www.senseofsecurity.com.au
  • 4. Terminology: Merchant, Acquirer, Issuer and Service Provider Merchant Customer requests Client OR purchase transaction on PC OR Merchant receives Merchant swipes the card, authorisation response and enters the dollar amount. completes the transaction. Merchant bank forwards Authorisation request authorisation response is sent to acquiring to merchant. merchant bank. Customer bank sends Service funds to merchant bank. Providers Merchant bank sends transaction information to Customer bank customer bank verifies credit card : k: a nk (Issuer) through an and clears request. B Card Scheme tB m er r an irer sto sue Network h C u Is erc cqu M A www.senseofsecurity.com.au
  • 5. Who must comply? • Everyone who stores, processes or transmits cardholder data must comply with PCI DSS – PCI compliance is mandatory – PCI applies to all parties in the payment process – You cannot be partially compliant: Compliance is PASS/FAIL www.senseofsecurity.com.au
  • 6. Who must comply? • If you outsource components of your PCI process to Service Providers, they must comply – Either they are included in your scope – Or they must provide evidence to demonstrate their compliance www.senseofsecurity.com.au
  • 7. 2: Compliance requirements – What & When Six Goals, Twelve Requirements The Payment Card Industry Data Security Standard (PCI DSS) Build and Maintain a 1. Install and maintain a firewall configuration to protect Secure Network cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software Management Program 6. Develop and maintain secure systems and applications Implement Strong Access 7. Restrict access to cardholder data by business need-to- Control Measures know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and 10. Track and monitor all access to network resources and Test Networks cardholder data 11. Regularly test security systems and processes Maintain an Information 12. Maintain a policy that addresses Security Policy information security www.senseofsecurity.com.au
  • 8. PCI DSS Merchant Levels (Visa and Mastercard) Level 1 Level 2 Level 3 Level 4 More than 6m Between 1m Between 20k All Others Transactions or and 6m and 1m (Under 20k e- Cardholder data transactions e-commerce commerce and has been transactions under 1m compromised transactions) Self Not Required Mandated Mandated Mandated Assessment * Vulnerability Mandated Mandated Mandated Mandated Scan † Onsite Mandated Not Required Not Required Not Required Review ‡ Example: Visa penalties of US$10k & US$5k / merchant / month from Sept 2009 for Merchant Levels 1 and 2 respectively. Acquirer is liable. www.senseofsecurity.com.au
  • 9. Westpac Merchant Levels (Visa/MasterCard/Bankcard) Level 3 Level 2 Level 1 Level 0 Above Between Between Under A$800,000 or A$150,000 & A$30,000 & A$30,000 Cardholder data A$800,000 A$150,000 has been compromised Self Mandated Mandated Mandated Not Required Assessment * Vulnerability Mandated Mandated Not Required Not Required Scan † Onsite Mandated Not Required Not Required Not Required Review ‡ www.senseofsecurity.com.au
  • 10. Service Provider Obligations Level Visa MasterCard American Requirement Express 1 VisaNet All Third Party All Third •Annual onsite review & processors or any Processors (TPP) Party ROC by Qualified service provider Processors Security Assessor that stores, All Data Storage (TPP) (QSA) processes and/or Entities (DSE) that •Quarterly network transmits over store, transmit or security scan by ASV 300k transactions process greater than (Approved Scanning / year 1m transactions Vendor) 2 Any service All DSEs that store, N/A •Annual completion of provider that transmit or process PCI DSS self stores, processes less than 1m assessment and/or transmits transactions questionnaire less than 300k •Quarterly network transactions / year security scan by ASV Feb.1, 2009: Only Level 1 service providers will be listed on Visa’s List of PCI DSS Compliant Service Providers www.senseofsecurity.com.au
  • 11. Who must comply and When? • Merchants, Acquirers, Issuers, Service Providers: – PCI Compliance is mandatory NOW. • Merchants: VISA penalties will apply: – September 30, 2009: Level 1& 2: Attest to not storing prohibited data (aligned with Acquirers) – September 30, 2010: Level 1: Full compliance – Fines are issued to the Acquiring Bank, who may pass it on to the Merchant www.senseofsecurity.com.au
  • 12. Who must comply and When? • Acquirers (per VISA) – September 30, 2009 - Attest to not storing prohibited data (aligned with level 1 merchants) – September 30, 2010 - Full PCI DSS compliance - (if not compliant provide ROC and remediation plan for evaluation) • Service Providers – Need to provide evidence of compliance to align with their client’s PCI compliance programs www.senseofsecurity.com.au
  • 13. 3: Risks & consequences of non- compliance • Risks – PCI DSS is mandatory – Breach impact can be massive (Forrester Research: US$90 to US$305 per lost record) • Consequences – Card imposed fines up to US$500,000 per incident – Legal authorities need to be notified & free credit protection offered to those affected – Brand impacts (customer & shareholder level) & legal action by card holders www.senseofsecurity.com.au
  • 14. Performance gains expected from ongoing IT controls and compliance • Loss from security events • Detection of security breaches via automated controls • Unplanned work • Success rate of changes • First fix rate • Servers per system administrator Source: IT Process Institute, 2006 - 2009 www.senseofsecurity.com.au
  • 15. 4: Lessons learned & prioritising remediation Lessons learned – Tips to avoid failure Top 5 Failed Requirements Relevant Compromise Recommended Tactics Requirement 3: Protect stored Unencrypted spreadsheet data; Store less data; data unsecured physical assets Understand the flow of data; Encrypt data Requirement 11: Regularly POS/shopping cart application Rigorously test applications; test security systems and vulnerabilities; most data Scan quarterly processes compromises can be attributed to a Web application vulnerability Requirement 8: Assign a Weak or easily guessed Improve security awareness unique ID to each person with administrative account computer access passwords Requirement 10: Track & Lack of log monitoring and IDS Install intrusion detection or monitor all access to network data; prevention devices; resources & cardholder data Poor logging tools Improve log monitoring and retention Requirement 1: Install & Card numbers in the DMZ; Segment credit card networks and maintain a firewall Segmentation flaws control access to them configuration to protect data Source: Verisign www.senseofsecurity.com.au
  • 16. Lessons learned – Managing a PCI audit • PCI is about people and business processes as well as systems • Engage with experts • Reduce scope where possible • Set and manage expectations • Have friends (internally) in high places • Ensure governance for PCI audit is in place www.senseofsecurity.com.au
  • 17. Prioritising remediation effort Prioritised Approach PCI SSC 2009 Six security milestones: 1. Remove sensitive authentication data and limit data retention 2. Protect the perimeter, internal, and wireless networks 3. Secure payment card applications 4. Monitor and control access to your systems 5. Protect stored cardholder data 6. The rest, and ensure all controls are in place www.senseofsecurity.com.au
  • 18. 5: Approach for PCI compliance Start with a Scope Review PCI DSS applies to any network component, server or application included or connected to the card-holder data environment Start with a Scope Review, addressing: – Network Segmentation – Wireless – Third Party / Outsourcing – Sample Business Facilities & System Cmpnts – Compensating Controls www.senseofsecurity.com.au
  • 19. PCI Assessment Approach • Then commence the PCI Audit – Preparation – On-site Audit – Post-site Analysis and Reporting – Remediation – Final Audit and Lodgement – Maintenance • Expect the PCI compliance program to take 6 to 12 months to complete www.senseofsecurity.com.au
  • 20. Thank you David Light Sense of Security Pty Ltd Level 3, 66 King Street Sydney NSW 2000 T: +61 (0)2 9290 4444 M: +61 (0)423 121 217 W: www.senseofsecurity.com.au E: DavidL@senseofsecurity.com.au www.senseofsecurity.com.au