Payment Card Industry PCI Data Security Standard DSS Compliance - PowerPoint PPT Presentation

About This Presentation
Title:

Payment Card Industry PCI Data Security Standard DSS Compliance

Description:

If you transact credit card business, you have to worry about it. ... Credit card industry Founders of the PCI Security Standards Council are Visa, ... – PowerPoint PPT presentation

Slides: 12
Provided by: patd

Transcript and Presenter's Notes



1
Payment Card Industry (PCI) Data Security
Standard (DSS) Compliance
  • Commonwealth of Massachusetts
  • Office of the State Comptroller
  • March 2007

2
What is PCI DSS?
  • Mandatory compliance program resulting from a
    collaboration between the credit card
    associations to create common industry security
    requirements for cardholder data.

3
More about PCI compliance.
  • Common set of industry tools and measurements to
    ensure safe handling of sensitive information.
  • Actionable framework for developing a robust
    account data security process, including
    preventing, detecting, and reacting to security
    incidents.
  • Technical requirements for secure storage,
    processing, and transmission of cardholder data.
  • Common auditing and scanning procedures.

4
Who has to worry about it?
  • If you transact credit card business, you have to
    worry about it.
  • Merchants and third party providers who process,
    transmit, or store cardholder data are required
    to adhere to certain data security standards.
  • Applies to credit card business transacted over
    all payment channels (POS, mail, IVR, and
    e-commerce).

5
Who are the stakeholders?
  • Credit card industry: founders of the PCI
    Security Standards Council are the Visa, Mastercard,
    Amex, Discover, and JCB brands.
  • Acquiring banks/member banks must require PCI
    compliance from merchants and service providers
    doing credit card business.
  • Merchants and service providers must be PCI
    compliant, regardless of channel.
  • Our customers.

6
PCI DSS Covers 6 Areas/12 Requirements
  • Build and Maintain a Secure Network
  • 1. Install and maintain a firewall configuration
    to protect data
  • 2. Do not use vendor-supplied defaults for system
    passwords and other security parameters
  • Protect Cardholder Data
  • 3. Protect stored cardholder data
  • 4. Encrypt transmission of cardholder data and
    sensitive information across open public networks

  • Maintain a Vulnerability Management Program
  • 5. Use and regularly update anti-virus software
  • 6. Develop and maintain secure systems and
    applications

7
PCI DSS Covers 6 Areas/12 Requirements
(continued)
  • Implement Strong Access Control Measures
  • 7. Restrict access to data by business
    need-to-know
  • 8. Assign a unique ID to each person with
    computer access
  • 9. Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network
    resources and cardholder data
  • 11. Regularly test security systems and processes

  • Maintain an Information Security Policy
  • 12. Maintain a policy that addresses information
    security
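Requirements 3 and 10 above are where a technical team usually starts: cardholder data must be protected at rest and every access to it logged, which in practice means making sure primary account numbers (PANs) never end up in plain text in application logs. The Python below is an added illustration, not part of the presentation or of any PCI SSC material: it scans constructed sample log lines for 13- to 19-digit candidates, keeps only those that pass the Luhn check card brands use, and masks them to the first six and last four digits (the display-masking limit PCI DSS sets). The log lines, the regular expression and the function names are all assumptions made for the example.

```python
import re
from typing import List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or dashes
# (the formats point-of-sale software and web forms commonly emit). Assumed pattern.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(candidate: str) -> str:
    """Strip the separators a human-entered card number may contain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def repl(m):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()            # not a card number: leave untouched
    return PAN_CANDIDATE.sub(repl, line)


# Constructed sample log lines (not from any real system). The first and last
# carry well-known brand test numbers; the second carries a 16-digit session
# id that fails the Luhn check and must not be flagged as cardholder data.
SAMPLE_LOG = [
    "2007-03-15 10:02:11 POS-07 sale approved pan=4111 1111 1111 1111 amt=42.50",
    "2007-03-15 10:02:12 web session=4111111111111112 user=jdoe",
    "2007-03-15 10:03:40 IVR auth ok token=tok_7f3a amt=9.99",
    "2007-03-15 10:05:02 mail-order entry pan=378282246310005 amt=120.00",
]


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Report (line index, PANs) for every line that leaks cardholder data."""
    report = []
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            report.append((i, pans))
    return report


if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {len(pans)} PAN(s) found -> {redact_line(SAMPLE_LOG[idx])}")
```

Run over a real log export, the same `scan_log` gives a first estimate of how much remediation Requirement 3 will take, and `redact_line` is the shape of the filter a logging pipeline needs so that Requirement 10 monitoring does not itself create a new store of cardholder data.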

8
Major Activity Areas
  • Identify merchant level (dependent on volume).
  • Subject matter expertise.
  • Consulting and recommendations.
  • Compliance relates to infrastructure security
    and business procedures (may be supported by
    Qualified Security Assessor (QSA)).
  • Annual self-assessment questionnaire
  • Annual on-site security audit (depending on
    merchant level)
  • Validation process performed by an Approved
    Scanning Vendor (ASV) on all external-facing IP
    addresses.
  • Possibly, audit (depending on merchant level).

9
Our Approach
  • See what departments and other states are doing.
  • Communicate and share information to promote
    awareness of the issue, identify participating
    departments, and gain support.
  • Learn about PCI DSS Compliance.
  • Check in with banks and service providers on
    their PCI Compliance status and requirements.
  • Initiate a procurement to identify Qualified
    Security Assessors (QSAs) and Approved Scanning
    Vendors (ASVs) to assist departments in achieving
    compliance and validation.
  • Identify costs and funding.

10
Consequences of Non-Compliance
  • Forensic investigation
  • Steep monetary fines (up to 500K) levied by the
    card associations
  • Lawsuits
  • Damage to reputation
  • Bad publicity
  • Revocation of credit card business privileges

11
For more information
  • See https://www.pcisecuritystandards.org/index.htm
    and http://www.pcicomplianceguide.org for
    general information.
  • Check out the self-assessment questionnaire at
    https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf
    to assess level of effort and resources
    to remediate problems and achieve compliance.
  • See http://usa.visa.com and Visa Cardholder
    Information Program (CISP) links.
  • See http://www.mastercard.com/us/sdp/assets/pdf/SDP_Presentation.pdf
    for Mastercard Site Data
    Protection (SDP) information
  • Stay tuned for updates on RFR progress.