Payment Card Industry Data Security Standard (PCI DSS)
What Is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major payment card brands. It is designed to enhance the security of cardholder data. Regardless of their size, organizations that store, process or transmit payment card data must comply with PCI DSS. Achieving and maintaining PCI DSS compliance protects the business and signals to customers that sensitive card data is handled with care.
American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. formed the PCI SSC (PCI Security Standards Council) in 2006. The Council is responsible for administering, revising, managing and promoting adoption of PCI DSS.
PCI DSS is mandatory for every entity that processes, transmits or stores cardholder data. This includes acquirers, banks, service providers such as payment gateways and data centers, and merchants.
Non-Compliant and Suffer a Breach?
• Acquirers may require the merchant to cease payment card transactions
• Forensic audit: a QSA team comes on-site to determine the cause of the breach
• Remediation actions can take 90–120 days to complete
• The merchant is responsible for all costs, $80–100K on average
• Breaches become public knowledge; brand image is tarnished
(Infographic statistics, figures not preserved in this extraction: share of breached businesses that are out of business within one year of the attack; share of breaches that originate from organized criminal groups; share of small businesses that will suffer a payment card breach in the next 24 months; average direct cost of a data breach; average number of days between intrusion and detection.)
Risk Management
Risk has many interpretations and is often used to describe dangers or threats to a particular person, environment or business. Understanding risk means understanding its different elements and how they fit together. From a business perspective, the questions to consider include:
• What are the different types of threats to the organization?
• Which of the organization's assets need protecting from those threats?
• How vulnerable is the organization to the different threats?
• What is the likelihood that a threat will be realized?
• What would be the impact if a threat were realized?
• How can the organization reduce the likelihood of a threat being realized, or reduce the impact if it does occur?
Who Has to Comply?
PCI DSS applies to:
• Merchants
• Service Providers (TPPs, payment gateways)
that:
• Store cardholder data
• Process cardholder data
• Transmit cardholder data
Standards & Requirements
The consolidation of the individual payment card brands' security programs into PCI DSS offers the best available framework for protecting cardholder data, resulting in a comprehensive security baseline of:
• 6 Control Objectives
• 12 Core Requirements
• ~375 Audit Procedures
The compliance requirements apply to the entire cardholder data environment (CDE): the people, processes and technology that store, process or transmit payment card data. Anything connected to the CDE or able to affect its security is in scope; reducing and segmenting the CDE is therefore the first step toward a manageable assessment.
The PCI Security Standards Council recognizes the TÜV Rheinland Group as a Qualified Security Assessor Company (QSAC). To fully leverage cardholder data security through PCI DSS compliance, ask our experts. We will be glad to help your organization reach full compliance with the standards and regulations for safe and secure payment card transactions.
Compliance Roadmap
(Compliance cycle diagram: Collect, Review, Improve, Measure, Renew)
How to Comply?
PCI DSS provides a baseline of technical and operational controls that work together to provide a defense-in-depth approach to the protection of cardholder data. Risk assessments provide valuable information to help organizations determine whether additional controls are necessary to protect their sensitive data and other assets. In order to achieve compliance with the PCI DSS, an organization must meet all applicable PCI DSS requirements.
Merchant Levels & Validation
Merchants are assigned a PCI compliance level according to the number of payment card transactions they process annually. Knowing which level applies to your business is the first step toward keeping your PCI compliance validation as simple as possible.

Merchant level   Annual transaction volume
Level 1          more than 6 million
Level 2          1 – 6 million
Level 3          20,000 – 1 million
Level 4          all other merchants

Validation requirements:
• Onsite QSA audit (Level 1) or Self-Assessment Questionnaire (SAQ) (Levels 2–4), validated by a QSA/ISA
• Quarterly Authorized Scanning Vendor (ASV) scan
• Security awareness training
• Policy review and acceptance
Requirements
• Build and Maintain a Secure Network: firewall management; vendor default controls
• Protect Cardholder Data: data protection; data transmission encryption
• Maintain a Vulnerability Management Program: anti-virus control; system & application security
• Implement Strong Access Control Measures: data access control; personnel access control; physical access control
• Regularly Monitor and Test Networks: data & network access controls; security testing
• Maintain an Information Security Policy
Vulnerability Assessment and Penetration Test
The vulnerability assessment focuses on IT infrastructure, network and applications:
Whitebox penetration test: performed with the involvement of your IT staff, who monitor and evaluate the work and the results of the audit. The test is performed from within the evaluated organization.
Blackbox penetration test: performed without involving your IT staff, from outside the evaluated organization. It generally targets the organization's published web applications, including those used by vendors and clients.
Test targets:
• Network components
• Servers, including database servers
• Applications
• Segmentation interfaces (the controls that isolate the CDE from other networks)
Results of the audit:
• Executive summary
• Technical report
• Solution and remediation recommendations
Quarterly & Annual Schedules
• Internal and external vulnerability assessments must be performed quarterly, and again after any significant change to the environment
• A passing ASV scan report is mandatory every quarter to comply with PCI DSS
• A workflow is set up to schedule and track the quarterly scans
• Internal and external penetration tests must be performed annually, and after any significant change
Compliance Management
PCI DSS version 3 is intended to make compliance a continuous, business-as-usual process. Maintaining compliance throughout the year is a demanding task that involves oversight of hundreds of documents and approvals.
To simplify this process, a GRC tool has been developed that reduces the time and complexity needed to review, process and report compliance status. PCM is a one-stop portal for managing documentation, role assignment, workflow alerts, escalation and audit readiness on a continuous basis.
Methodology Reference
• OSSTMM (Open Source Security Testing Methodology Manual)
• ISSAF (Information System Security Assessment Framework)
• NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
• OWASP Testing Guide (Open Web Application Security Project)
Gap Analysis
• Identify non-compliance issues
• Discover vulnerabilities
• Explore segmentation potential
• Draw up a detailed compliance plan
Training
Trainings and workshops on PCI compliance, attack vectors, policies/SOPs/forms, vendor management, risk assessment, incident response and business continuity.
Compliance Audit
PCI DSS compliance assessment with a real-time dashboard. Deliverables: Report on Compliance (RoC), Attestation of Compliance (AoC), Testmark, certificate, or validation of the Self-Assessment Questionnaire (SAQ).
Remediation & Consulting
• Minimizing the cardholder data environment (CHDE) footprint
• Documentation development
• On-site/off-site support
• Mitigating risks
• All requirements covered