PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL

Academic year: 2021


(1)

PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL

(2)

Top 3 Largest Security Incidents Reported Worldwide Were Credit Card Related

(3)

A Transaction Lifecycle - $$$

Diagram: Credit / Debit Card Usage

Stages: Credit Card Information Collection → Credit Card Information Routing → Credit Card Information Authorization

Flow: Cardholder → Merchant → Acquirer/Service Provider(s) → Payment Brand → Issuer (an Authorization Request is passed along at each hop)

Card Present Transaction: track data (PIN); Card Not Present Transaction: e-commerce data (CVV2)

(4)

Participants in a Transaction Lifecycle

Terminology

Entity / Description

Merchant

Any business that has met the qualification standards of a payment brand, has been approved by an Acquiring member, and accepts payment cards in exchange for goods and services.

Acquirer

Payment brand member that maintains relationships and accounts for merchants that accept payment cards. Serves as the intermediary between merchants and the payment brands.

(e.g., Chase Paymentech Solutions, First Data, BA Merchant Services, Nova Information Systems, Fifth Third Bank, Wells Fargo Merchant Services, Global Payments, Heartland Payment Systems, First National Merchant Solutions, RBS Lynk)

Service Provider (e.g., Processor, Gateway, Hosting Provider)

Business entity that is not a payment brand member or a merchant and that is directly involved in the processing, storage, transmission, or switching of transaction data and/or cardholder information.

This also includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data (e.g., providers of managed firewalls, IDS and other services, hosting providers, etc.).

Payment Brand

Processing organization that licenses members and merchants to issue and accept credit cards, respectively. The organization serves as an intermediary between Acquirers and Issuers.

(e.g., Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services & JCB International)

Issuer

(5)

Security Breach!!!!

Past Events

Implications of a cardholder data breach could be huge

– Fines imposed* by payment brands (Visa, MasterCard, etc.) and other regulatory bodies (FTC, etc.) on acquirer banks / merchants / service providers

– Merchants losing their ability to process customers' credit card transactions

– Notification to legal authorities* and offering free credit-protection services to those affected

– Legal action* being taken by cardholders

– Bad publicity

– Customer attrition and eventual loss of business

*TJX approximately $118 Million (Regulatory fines, Legal fees,

(6)

Cost of Security Breach $$$

RISK!

Detection or Discovery, Escalation, Notification & Ex-post Response*

– Activities that enable a company to reasonably detect a breach of personal data either at rest (in storage) or in motion

– Activities necessary to report a breach of protected information to appropriate personnel within a specified time period

– Activities that enable the company to notify data subjects, by letter, outbound telephone call, e-mail or general notice, that personal information was lost or stolen

– Activities that help victims of a breach communicate with the company to ask additional questions or obtain recommendations in order to minimize potential harm. Redress activities also include ex-post response such as credit report monitoring or the reissuing of a new account (or credit card)

(7)

Background

Payment Card Industry Security Standards Council

PCI Security Standards Council

– Organization founded by American Express, Visa Inc., MasterCard Worldwide, Discover Financial Services & JCB International

(8)

Payment Card Industry Security Standards Council

Background

PCI Security Standards Council

– PCI security standards are technical and operational requirements set by the council

– The standards globally govern all

• Merchants and organizations that store, process or transmit card data

• Software developers and manufacturers of applications and devices used in card transactions

– PCI Data Security Standard (PCI DSS), PIN Transaction Security (PTS) & Payment Application Data Security Standard (PA-DSS)

(9)

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS 1.2

Data Security Standard 1.2*

– PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data

– Covers technical and operational system components included in or connected to cardholder data

– 6 principles/goals and 12 requirements

(10)

PCI DSS (Principles)

Payment Card Industry Data Security Standard (PCI DSS)

Build and Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks

(11)

PCI DSS (Requirements)

Payment Card Industry Data Security Standard (PCI DSS)

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

(12)

PCI DSS (Requirements)

Payment Card Industry Data Security Standard (PCI DSS)

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

(13)

Stay Tuned – Session 2

Payment Card Industry Security Standards Council

PCI DSS - Deep Dive

Changes from PCI DSS 1.1 to 1.2

Payment Application Data Security Standard

(14)

Payment Card Industry Security Standards Council

References
