Payment Card Industry PCI Data Security Standard DSS Compliance

About This Presentation

Title:

Description:

Number of Views:1007

Avg rating:3.0/5.0

Slides: 12

Provided by: patd

Category:

more less

Transcript and Presenter's Notes

Title: Payment Card Industry PCI Data Security Standard DSS Compliance

1
Payment Card Industry (PCI) Data Security
Standard (DSS) Compliance

2
What is PCI DSS?

Mandatory compliance program resulting from a
collaboration between the credit card
associations to create common industry security
requirements for cardholder data.

3
More about PCI compliance.

Common set of industry tools and measurements to
ensure safe handling of sensitive information.
Actionable framework for developing a robust
account data security processincluding
preventing, detecting, and reacting to security
incidents.
Technical requirements for secure storage,
processing, and transmission of cardholder data.
Common auditing and scanning procedures.

4
Who has to worry about it?

If you transact credit card business, you have to
worry about it.
Merchants and third party providers who process,
transmit, or store cardholder data are required
to adhere to certain data security standards.
Applies to credit card business transacted over
all payment channels (POS, mail, IVR, and
e-commerce).

5
Who are the stakeholders?

Credit card industry Founders of the PCI
Security Standards Council are Visa, Mastercard,
Amex, Discover, and JCB brands.
Acquiring banks/member banks must require PCI
compliance from merchants and service providers
doing credit card business.
Merchants and service providers must be PCI
compliant, regardless of channel.
Our customers.

6
PCI DSSCovers 6 Areas/12 Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration
to protect data
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and
sensitive information across open public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and
applications

7
PCI DSSCovers 6 Areas/12 Requirements
(continued)

8
Major Activity Areas

Identify merchant level (dependent on volume).
Subject matter expertise.
Consulting and recommendations.
Compliance relates to infrastructure security
and business procedures (may be supported by
Qualified Security Assessor (QSA)).
Annual self-assessment questionnaire
Annual on-site security audit (depending on
merchant level)
Validation process performed by an Approved
Scanning Vendor (ASV) on all external-facing IP
addresses.
Possibly, audit (depending on merchant level).

9
Our Approach

See what departments and other states are doing.
Communicate share information to promote
awareness of the issue, identify participating
departments, and gain support.
Learn about PCI DSS Compliance.
Check in with banks and service providers on
their PCI Compliance status and requirements.
Initiate a procurement to identify Qualified
Security Assessors (QSVs) and Approved Scanning
Vendors (ASVs) to assist departments in achieving
compliance and validation.
Identify costs and funding.

10
Consequences of Non-Compliance

11
For more information

See https//www.pcisecuritystandards.org/index.htm
and http//www.pcicomplianceguide.org for
general information.
Check out the self-assessment questionnaire at
https//www.pcisecuritystandards.org/pdfs/pci_saq_
v1-0.pdf to assess level of effort and resources
to remediate problems and achieve compliance.
See http//usa.visa.com and Visa Cardholder
Information Program (CISP) links.
See http//www.mastercard.com/us/sdp/assets/pdf/SD
P_Presentation.pdf for Mastercard Site Data
Protection (SDP) information
Stay tuned for updates on RFR progress.