Introduction
• GP history
• Visa level 1 approved hosting facility
• Niche product for a specific problem
• Reduce BAU cost and cost of PCI compliance
• Reduce cost in managing 3rd parties
• PCI stakeholder engagement
• Metering PCI compliance all year long
Key USPs
• Based on the compliance reporting expected by the QSA and the Acquiring Banks
• Every item included in the solution is based on key audit points that will be required to show their activities over a period of time
Multiple PCI level GRC tool
• Complete visibility into 3rd parties' risks, assets, policies and projects
• Online registration and data entry
• Merchant has complete control over 3rd party PCI compliance
Integration and Management of 3rd Parties
• Backbone to PCI DSS 3.1 Governance, Reporting and Compliance
• Continuously evolves as PCI requirements change
• Complete audit trail across many periods
Complete System of Record for PCI DSS 3.1
• Perfect tool for operations to use on an ongoing basis to ensure compliance
Target audience
• Level 1: processing over 6M Visa transactions per year (QSA required)
• Level 2: processing 1M to 6M Visa transactions per year (no QSA required)
• Level 3: 20,000 to 1M Visa e-commerce transactions per year (no QSA required)
• Level 4: fewer than 20,000 Visa e-commerce transactions per year, and all other merchants (no QSA required)
What is PCI GRC?
• A new concept in the PCI sector
• Allows merchants to be organised and structured in the management of their PCI obligations
• Puts the merchant in control of its PCI estate
• Reduces OPEX on PCI compliance
• Breaks down all PCI compliance reporting into manageable tasks distributed across your organisation, with consolidated reporting
• Online self reporting that can be expanded nationwide
• Reduces the need for multiple auditors through its self-assessment capabilities
PCI GRC
[Diagram: PCI GRC as a consolidated system of records for PCI. Inputs: Acquiring Banks, Merchant IDs, PCI scope, payment channels, business demand for MIDs, payment systems, SAQs, PCI stakeholders, business units and project managers. Functions: incident reporting, PCI non compliance notification and escalation, remediation and approval, PCI compliance status and compliance dashboard, online self reporting, policy management (policy owners and review dates, policy enforcement, policy change management), risk assessment of changes, PCI 3rd party compliance assessment, non compliance reporting, incident notification and service catalogue.]
A consolidated system of records for PCI
[Diagram: PCI GRC registers: PCI locations, PCI policies, PCI projects, PCI 3rd parties, Merchant IDs, PCI non-technical risks, PCI service catalogue and centralised self reporting.]
MID lifecycle
1. MID request: business units complete an online form and select options from the form
2. PCI scope alignment: business units select from a Service catalogue in the PCI scope
3. PCI compliance: the PCI team assesses the request for PCI compliance
4. Treasury approval: Treasury receives a PCI compliant request ready for Acquiring Bank submission
5. Acquiring Bank: MID assignment and PCI compliance reporting per MID
PCI request register/form
1. PCI request form completed
2. Request is sent to PCI POC for review and approval
3. Once POC approves, it is sent to Treasury for treasury approval
4. Request approver approves and it is sent to supplier
5. Supplier gets the form, enters the confirmation number, and confirmation is sent to all the parties
6. Request is archived and added to the PCI scope
7. Updates to existing records:
   a. New role called Treasury
   b. PCI location linked to business departments
   c. MID to be associated to each payment channel
   d. Business units to reflect payment scope
   e. Business department to include address
   f. Acquiring bank to include user accounts
8. Permissions can be set
[Form screens: MID Request – Card Readers; MID Request – eCommerce]
System of record from Merchant ID to risks
PCI merchant ID
The foundation of PCI compliance starts from your Merchant ID. Every activity you carry out is classified by whether it is in scope (within the Merchant ID) or out of scope (not within the Merchant ID).
PCI GRC approach to Asset management
[Diagram: PCI GRC asset categories. Project assets: PCI projects, PCI changes. Technical assets: PCI systems, PCI firewalls, PCI routers, PCI devices, PCI devices (telephone). Physical locations: PCI physical locations, merchant owned locations. 3rd party assets: 3rd party PCI systems, 3rd party PCI devices, 3rd party PCI locations (3rd party owned locations).]
[Diagram: system of record linking Merchant ID; payment channels (e-commerce, cardholder present, cardholder not present, payment apps, e-commerce redirect); PCI 3rd party suppliers (3rd party procurement, new suppliers, due diligence, PCI products & services, PCI service catalogue); PCI assets & network elements (network monitoring solutions, automated PCI asset network monitoring); PCI change management (business projects, risk assessment, software development lifecycle, business acquisitions, new sales projects); PCI BAU activities (PCI policies & procedures, PCI QSA & ASV reports, PCI risk management, prioritized approach reporting, PCI SAQs, PCI reporting); Acquiring Bank; business units.]
PCI Asset management
• Integration with PCI Asset monitoring tools
• PCI Assets linked to risks, policies and projects
What is the contractual expectation of Acquiring Banks in relation to 3rd parties?
• The Merchant must notify Acquiring Banks of all third parties who have access to Cardholder data on behalf of the Merchant (i.e., store, process or otherwise transmit Cardholder data).
• The Merchant acknowledges such third parties are required by the Card Schemes to be registered, and the Merchant shall cooperate with Acquiring Banks in completing such registration and be responsible for all fees imposed by the Card Schemes in connection therewith.
• The Merchant shall notify Acquiring Bank immediately if it becomes aware of or suspects any security breach relating to Transaction Data and shall also (and without prejudice to any other remedy Acquiring Bank have in respect thereof) immediately identify and resolve the cause of such security breach and take any steps that Acquiring Bank may require of the Merchant to do so, including as reasonably necessary the procurement (at the Merchant’s cost) of forensic reports from third parties recommended by Acquiring Bank.
Managing external providers and their obligations
• PCI compliant PCI service providers are maintained with automatic notification
• Visa & MasterCard approved suppliers
• QSAs and their deliverables
• PCI service catalogue
• PCI products and service view
PCI Risk reporting
[Diagram: risk inputs from business units, PCI 3rd parties and contact centres (suspicious activities, customer complaints, anomaly reporting, banned cards) flow to PCI BAU team notification and into the PCI risk register, PCI Asset register, PCI policy register, PCI project register and PCI risk assessment.]
• Online tool available to Manager level or regional level contact
• Records kept to show PCI risk mitigation efforts; lessons learnt can be shared group wide