Guiding open standards for global payment card security
PCI Security Standards Council
Bob Russo, General Manager
Agenda
Why PCI
About the PCI Council
Open, global forum
Founded 2006
Guiding open standards for payment card security
• Development
• Management
• Education
Business Sectors With the Most Breaches
Retail 45%
Food & Beverage 24%
Hospitality 9%
Other 8%
Financial Services 7%
Nonprofit 3%
Health & Beauty 2%
High Technology 2%
Systems that store, process or transmit cardholder data remain primary targets for criminals.
Top Mistakes By Those Breached, Revealed by Forensic Audits
• Weak Passwords
• Lack of employee education
• Security deficiencies introduced by third parties responsible for system support, development and/or maintenance
• Slow ‘self-detection’
PCI Standards Help Secure Your Data
• 92% of compromises were simple
• 97% were avoidable through simple or intermediate controls
PCI Security Standards Suite
Ecosystem of payment devices, applications, infrastructure and users (PCI Security & Compliance):
• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Applications)
• Merchants & Service Providers: PCI DSS (Secure Environments)
• P2PE
Getting Ready for PCI 3.0
PTS POI 4.0 – May 2013
• Security policy
• Device implementation documentation
• Added source code reviews
Card Production Requirements – May 2013
• Personnel
• Vendor Premises
• Production Procedures and Audit Trails
• Product Storage and Shipping Procedures
Card Production Requirements – Logical
[Figure: Typical Vendor Network, showing Internet, POTS, Internet Facing Network and Data Processing zones]
Applying PCI
Applying PCI in Your Environment
• Tokenization
• P2PE
• Virtualization
• Mobile
• EMV
• ATM
EMV Chip Helps Reduce Face-to-Face Fraud
EMV chip by itself does not protect the confidentiality of, or
Understanding Mobile Payments
PCI on Mobile Payment Acceptance Security
• Identified mobile applications that can be validated to PA-DSS
• Published merchant guidance for ‘mobile’ solutions leveraging P2PE
• Developed best practices for
Areas of Focus for Mobile
• Devices: tamper-responsive PTS devices (e.g. SCR) using P2PE
• Applications: requirements and/or best practices for authorization and settlement
• Service Providers: service provider protection of cardholder data and
New Merchant Guidelines
• Objectives and guidance for the security of a payment transaction
• Guidelines for securing the mobile device
• Guidelines for securing the payment acceptance solution
Point-to-Point Encryption
• Available to all members of the payment chain
• Also called “P2PE”
• Optional standard for decreasing scope
• PCI P2PE hardware/hardware requirements available
• PCI P2PE “Hybrid” requirements available
Tokenization
Work on tokenization standards has begun. The goals:
• Ensure that the process of creating a token from a PAN doesn’t leak information about the PAN
• Ensure that a token or collection of tokens by themselves cannot feasibly allow discovery of the PAN
• Ensure that adequate controls exist over the de-tokenization process
• Ensure that a token cannot be used in lieu of a PAN for impermissible purposes
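The four goals above map directly onto design decisions in a token service. The following is an added example, not PCI SSC code and not any published tokenization standard: a constructed in-memory vault that issues random tokens via a lookup table (so nothing about the PAN is derivable from the token), gates de-tokenization on an authorised role with an audit record, and deliberately makes every token fail the Luhn check so it can never be accepted as a PAN. It also includes a counter-example, an unsalted SHA-256 of the PAN, and a dictionary attack over a constructed BIN range to show why a derived token leaks the PAN. The vault API, the role name “settlement” and the test card numbers are assumptions made for this illustration.

```python
# Added example (not PCI SSC code): a constructed token vault illustrating the
# tokenization goals on this slide. Role names, the vault API and the naive
# SHA-256 "token" counter-example are assumptions for illustration only.
import hashlib
import hmac
import secrets
import string
from typing import Dict, Iterable, List, Optional, Tuple


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that every PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> int:
    """The single digit that makes body + digit Luhn-valid."""
    return next(d for d in range(10) if luhn_valid(body + str(d)))


def naive_hash_token(pan: str) -> str:
    """Counter-example: a 'token' derived from the PAN by unsalted SHA-256."""
    return hashlib.sha256(pan.encode()).hexdigest()


def candidate_pans(prefix: str) -> Iterable[str]:
    """Enumerate every Luhn-valid 16-digit PAN beginning with prefix (constructed input)."""
    fill = 15 - len(prefix)
    for n in range(10 ** fill):
        body = prefix + str(n).zfill(fill)
        yield body + str(luhn_check_digit(body))


def recover_pan_from_hash(hash_token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: the PAN space under one BIN is small enough to brute-force,
    so a token derived from the PAN leaks the PAN (goal 1 violated)."""
    for pan in candidates:
        if hmac.compare_digest(naive_hash_token(pan), hash_token):
            return pan
    return None


class TokenVault:
    """Random tokens, a lookup table instead of a derivation, gated de-tokenization."""

    def __init__(self, detokenize_roles: Tuple[str, ...] = ("settlement",)):
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}   # a real vault stores PANs encrypted
        self._roles = set(detokenize_roles)       # assumed role names, illustrative
        self.audit: List[Tuple[str, str, bool]] = []

    def _random_non_pan(self, length: int) -> str:
        """Random digits whose last digit is deliberately NOT the Luhn check digit,
        so the token fails Luhn and cannot be used in lieu of a PAN (goal 4)."""
        body = "".join(secrets.choice(string.digits) for _ in range(length - 1))
        check = luhn_check_digit(body)
        last = (check + 1 + secrets.randbelow(9)) % 10   # any digit except check
        return body + str(last)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:               # multi-use token: same PAN, same token
            return self._token_by_pan[pan]
        token = self._random_non_pan(len(pan))      # random, so tokens reveal nothing (goals 1, 2)
        while token in self._pan_by_token:          # negligible, but never reuse a token
            token = self._random_non_pan(len(pan))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """De-tokenization is the sensitive operation: authorise and audit it (goal 3)."""
        allowed = role in self._roles
        self.audit.append((token, role, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not de-tokenize")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                        # well-known test number, constructed input
    tok = vault.tokenize(pan)
    print("token", tok, "luhn_valid:", luhn_valid(tok))
    print("settlement ->", vault.detokenize(tok, role="settlement"))
    print("hash token leaks PAN:",
          recover_pan_from_hash(naive_hash_token(pan), candidate_pans("411111111111")))
```

The dictionary attack is the point of the counter-example: with a fixed BIN and a Luhn check digit, only a thousand PANs remain under a 12-digit prefix, so any deterministic derivation from the PAN alone, hashed or not, is reversible; a random token looked up in a protected vault is not.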
ATM Security Best Practices
• ATM Best Practices for development, deployment and management of ATMs
• Target audience: ATM manufacturers, integrators
Special Interest Group (SIG) Guidance
• E-commerce Security
• Risk Assessment
• Cloud Computing
The guidance gives:
• Awareness of specific risks and considerations
• Guidance on how to determine what these might mean for your particular environment
Go to our website today to download these new guidelines! https://www.pcisecuritystandards.org/index.php
The Formula for Payment Security Success
How You Can Participate
2013 Training Highlights
• Online Internal Security Assessor (ISA) Training
• P2PE Assessor Training
• Corporate PCI Awareness – Let Us Come To You!
• Online Awareness Training in Four Hours
• Qualified Integrators and Resellers (QIR)™ Program
• PCI Professional Program (PCIP)™
To learn more, visit:
Qualified Integrators & Resellers Program
Common assumptions the program addresses:
• “I’m using a PA-DSS validated application, so I must be OK.”
• “I’m using a ‘reputable’ 3rd party, so they must be doing a secure installation.”
• “This applies only to brick and mortar establishments.”
Payment Card Industry Professional (PCIP)™
• Support your organization
• Professional credibility
• Competitive advantage
• Global directory
Internal Security Assessor (ISA) Program
A comprehensive PCI DSS training and qualification program for eligible internal audit security professionals that you asked for!
• Improves your understanding of PCI DSS and compliance procedures
• Helps your organization build internal expertise
Join! Become a Participating Organization today
Chief Security Officers, Information Security Professionals, Compliance Officers, Investigators, Forensic Technologists, IT Managers, Risk Managers, Chief Information Officers, Legal Experts, Data Security Experts
Help Participate in Standards Development
2013 Special Interest Groups – Join us!
• Best Practices for Maintaining PCI Compliance
• Third Party Security Assurance
Get Involved – We Need Your Input
Join
Learn
Input
Network