Payment Card Industry (PCI) Data Security Standard (DSS) Compliance

Commonwealth of Massachusetts
Office of the State Comptroller
March 2007

What is PCI DSS?
• Mandatory compliance program resulting from a collaboration between the credit card associations to create common industry security requirements for cardholder data.

More about PCI compliance...
• Common set of industry tools and measurements to ensure safe handling of sensitive information.
• Actionable framework for developing a robust account data security process, including preventing, detecting, and reacting to security incidents.
• Technical requirements for secure storage, processing, and transmission of cardholder data.
• Common auditing and scanning procedures.

Who has to worry about it?
• If you transact credit card business, you have to worry about it.
• Merchants and third party providers who process, transmit, or store cardholder data are required to adhere to certain data security standards.
• Applies to credit card business transacted over all payment channels (POS, mail, IVR, and e-commerce).

Who are the stakeholders?
• Credit card industry – founders of the PCI Security Standards Council are the Visa, Mastercard, Amex, Discover, and JCB brands.
• Acquiring banks/member banks – must require PCI compliance from merchants and service providers doing credit card business.
• Merchants and service providers – must be PCI compliant, regardless of channel.
• Our customers.
PCI DSS: Covers 6 Areas/12 Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
PCI DSS: Covers 6 Areas/12 Requirements (continued)

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Major Activity Areas
• Identify merchant level (dependent on transaction volume).
• Subject matter expertise.
• Consulting and recommendations.
• Compliance – relates to infrastructure security and business procedures (may be supported by a Qualified Security Assessor (QSA)).
  – Annual self-assessment questionnaire
  – Annual on-site security audit (depending on merchant level)
• Validation – process performed by an Approved Scanning Vendor (ASV) on all external-facing IP addresses.
• Possibly, audit (depending on merchant level).
Our Approach
• See what departments and other states are doing.
• Communicate – share information to promote awareness of the issue, identify participating departments, and gain support.
• Learn about PCI DSS compliance.
• Check in with banks and service providers on their PCI compliance status and requirements.
• Initiate a procurement to identify Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) to assist departments in achieving compliance and validation.
• Identify costs and funding.
Consequences of Non-Compliance
• Forensic investigation
• Steep monetary fines (up to $500K) levied by the card associations, plus damages
• Lawsuits
• Damage to reputation
• Bad publicity
• Revocation of credit card business privileges

For more information:
• See https://www.pcisecuritystandards.org/index.htm and http://www.pcicomplianceguide.org for general information.
• Check out the self-assessment questionnaire at https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf to assess the level of effort and resources needed to remediate problems and achieve compliance.
• See http://usa.visa.com and the Visa Cardholder Information Security Program (CISP) links.
• See http://www.mastercard.com/us/sdp/assets/pdf/SDP_Presentation.pdf for Mastercard Site Data Protection (SDP) information.
• Stay tuned for updates on RFR progress.