This document discusses the consequences of data breaches for merchants, provides an overview of PCI compliance requirements, and describes tools that can help merchants protect payment data and simplify PCI compliance. It notes that data breaches are costly and common, even among small merchants, and that PCI focuses on them because they are vulnerable targets. It outlines PCI's 12 requirements and prioritized approach. It then describes tokenization, value-added services like risk management, and hosted payment pages as tools that can help merchants address PCI requirements more easily.
60% of small businesses do not understand the fines they are subject to.*
*Source: National Retail Federation (NRF) and First Data Corporation 2010 survey of US small businesses
PCI Security Standards Council
"The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards... All five payment brands share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization." - https://www.pcisecuritystandards.org/organization_info/index.php
What Does PCI-DSS Consist Of? The 12 requirements, grouped into six control objectives:
Build and Maintain a Secure Network
1. Install and maintain a firewall to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
A token can be leveraged for future use, such as recurring payments.
The data is stored in a PCI-compliant data center, removing that element of risk.
How It Works
Payment account data is sent from the merchant's website or POS system to the Platform for tokenizing. A copy of the payment account data is assigned a token and stored securely. The Platform securely passes the payment account data to the desired payment service provider. A token is returned in the transaction response and can be stored, instead of the payment account data, and used for subsequent transactions.
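The flow above, as an added illustration that is not code from the deck or from IP Commerce's platform: a minimal tokenization vault (class and function names are assumed) that takes the PAN once, returns a random token, and resolves that token for later charges so the merchant side only ever persists the token and the last four digits.

```python
import re
import secrets

# Constructed example of the merchant -> platform -> provider -> token flow.
# TokenVault stands in for the PCI-compliant data center; the merchant code
# never keeps the PAN. Names here are assumptions, not a real API.

PAN_RE = re.compile(r"^\d{13,19}$")

def luhn_ok(pan: str) -> bool:
    """Luhn check so obviously malformed PANs are rejected before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Platform side: holds the PAN, hands out tokens, resolves them on charge."""
    def __init__(self):
        self._store = {}  # token -> PAN (a real vault encrypts this at rest)

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_ok(pan):
            raise ValueError("invalid PAN")
        # Random token with no mathematical relation to the PAN, so a leaked
        # token database does not reveal card numbers.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Subsequent transaction: the merchant sends only the token; the vault
        resolves it and would forward the PAN to the payment provider (simulated)."""
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"approved": amount_cents > 0, "last4": pan[-4:], "amount": amount_cents}

def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: submits the PAN once, then discards it and keeps the token."""
    token = vault.tokenize(pan)
    result = vault.charge(token, amount_cents)
    # This record is all the merchant persists; the PAN is out of scope.
    return {"token": token, "last4": result["last4"], "approved": result["approved"]}
```

A recurring payment is then just `vault.charge(record["token"], amount)` with the stored token.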
Q&A
Tyler Hannan, Platform Evangelist, IP Commerce - thannan@ipcommerce.com - @tylerhannan
David Herrald, Consulting Architect - Information Security, Global Technology Resources Inc. - dherrald@gtri.com - @daveherrald - http://www.e-similate.com
Editor's notes
Welcome
Responsibilities of protecting payment data
Consequences and examples of not protecting data
Tools and options to help protect data and shift responsibility
Tyler Hannan is an experienced technologist and the platform evangelist for IP Commerce, a leading cloud-computing payment platform. Tyler facilitates collaboration and coordination with companies in the payment processing and technology market to drive innovation and deliver understanding of IP Commerce. His blog, Reflections on Emergent Commerce and Technology, helps industry leaders break down technology silos and deliver on-demand commerce services.
David Herrald is an information security consultant with 17 years of information technology experience in the financial services, software, and payments industries. He has built information-security and PCI DSS compliance programs from the ground up, and he has advised many software companies and merchants on information security and PCI DSS compliance topics. He is now consulting architect for information security with Global Technology Resources, Inc., an international security and technology firm.