PCI What it is Why it Matters What is PCI ? Payment Card - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

PCI What it is Why it Matters What is PCI ? Payment Card

Description:

PCI What it is Why it Matters What is PCI ? Payment Card Industry Not a Law Data security standard adopted by major card processing networks (Visa, MasterCard, etc ... – PowerPoint PPT presentation

Number of Views:231
Avg rating:3.0/5.0
Slides: 37
Provided by: isacautOr
Category:
Tags: pci | card | matters | payment

less

Transcript and Presenter's Notes

Title: PCI What it is Why it Matters What is PCI ? Payment Card


1
PCI What it is Why it Matters
2
What is PCI ?
  • Payment Card Industry
  • Not a Law
  • Data security standard adopted by major card
    processing networks (Visa, MasterCard, etc.) to
    combat fraud and promote secure processing of
    payment card transactions

3
Terms you need to know
  • Merchant sells products and services
    e-Merchant sells online
  • Card Holder - Customer buys products and
    services using a credit card as method of payment
  • Service Provider 3rd Party payment support
    entity (web host, shopping cart, payment
    processor, etc.)

4
Terms
  • Issuer financial institution that issues card
    and contracts with cardholder for repayment of
    transactions (your bank)
  • Acquirer Financial institution that contracts
    with merchants to accept and process cards for
    payment (merchant bank Chase, Citibank)

5
More Terms
  • Shopping Cart capability to select merchandise
    or services, review what has been selected with
    related monetary and item quantity amounts, make
    necessary modifications or additions, and
    finalize the transaction (purchase merchandise or
    service)
  • Magnetic Stripe Data (Full Track Data) data
    coded on magnetic stripe used for authorization
    during a card present transaction.

6
More Terms
  • Payment Gateway Service that allows an
    e-commerce merchant to connect to the Acquirer or
    merchant processor to complete a card transaction
    in real time (PayPal, Authorize.Net)
  • Merchant Processor Routes electronic
    transaction for authorization, clearing, and
    settlement on behalf of the Acquirer (PaymentTech)

7
  • Whenever someone clicks a pay button on a
    website, payment information is processed
    in-house or by 3rd party service provider

8
Transaction Cycle
9
Three Core Processing Actions
  • Authentication
  • Validation of cardholders identity and card being
    used
  • Authorization
  • Issuer approves or declines purchase
  • Settlement
  • Transfer of funds into merchant account once
    product/service shipped or delivered

10
Authentication
  • AVS Address Verification Service allows
    e-commerce merchants to check a cardholder
    billing address with the issuer.
  • AVS provides merchants with a key indicator that
    helps verify whether or not a transaction is
    valid.

11
Authentication
  • CVV2 Card Verification Value 2 a three digit
    number imprinted on the back of cards to help
    validate that the customer has a genuine card in
    his/her possession and that the card account is
    legitimate.

12
Settlement
13
What are PCI Requirements
  • Comply with security standards based on Merchant
    Level
  • Validation and Reporting Requirements by Merchant
    Level

14
Security Standards

15
Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to
    protect data
  • Do not use vendor-supplied defaults for system
    passwords and security parameters

16
Protect Cardholder
  • Protect stored data
  • Limit type and length of storage
  • Mask card numbers
  • Encrypt transmission of cardholder data and
    sensitive information across public networks

17
Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and
    applications

18
Implement Strong Access Control Measures
  • Restrict access to data by business need-to-know
  • Assign a unique ID to each person with computer
    access
  • Restrict physical access to cardholder data

19
Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network
    resources and cardholder data
  • 11. Regularly test security systems and processes

20
Maintain an Information Security Policy
  • 12. Maintain a policy that addresses information
    security for employees and contractors
  • Incident Response Plan
  • Business Continuity
  • Business Recovery
  • Backup procedures
  • TEST these Annually

21
Application of Standards
  • Standards apply to ALL members, merchants, and
    service providers that store, process or transmit
    cardholder data
  • Apply to all system components included in or
    connected to cardholder environment
  • Network component
  • Server
  • Application

22
Network Components
  • Include but not limited to
  • Firewalls
  • Switches
  • Routers
  • Wireless access points
  • Network appliances
  • Other Security appliances

23
Levels of Merchants
  • Compliance Requirements

24
Level 1
  • Over 6 Million Visa or MasterCard transactions
    per year
  • Any merchant that suffered a hack or attack that
    resulted in data compromised
  • Any merchant that Visa or MasterCard determine
    should meet level 1 requirements to reduce risk
    to their systems

25
Level 1 Compliance
  • Annual on-site security audit completed by
    Qualified Independent Security Assessor
  • Quarterly network scan conducted by qualified
    independent scan vendor

26
Level 2
  • Any merchant processing 150K to 6M Visa or
    MasterCard transactions per year
  • Compliance
  • Annual PCI Self-Assessment Questionnaire
    validated by Merchant
  • Quarterly network scan conducted by qualified
    independent vendor

27
Level 3
  • Any merchant processing between 20K to 150K Visa
    or MasterCard transactions per year
  • Level 3 Compliance
  • Annual PCI Self-Assessment Questionnaire
    validated by Merchant
  • Quarterly network scan conducted by qualified
    independent vendor

28
Level 4
  • Any other merchant
  • Compliance
  • Recommended Annual PCI Self-Assessment
    Questionnaire validated by Merchant
  • Recommended quarterly network scan conducted by a
    qualified independent scan vendor

29
How To Become Compliant
  • Submit Application to PCI
  • Depending on Merchant Level
  • Audit by approved firm
  • Self Assessment Questionnaire
  • Security Scans by approved firm

30
If Data is Compromised
  • Must Notify within 24 hours of Suspected Breach
  • Potential Fines up to 500,000
  • Each Card Company Different
  • All Fraud Losses Incurred from Date of Compromise
    Forward
  • Cost of Re-issuing Cards
  • Cost any Additional Fraud Prevention/Detection
    Activities

31
Visa Penalties
  • Violation with in 12 Month Period
  • 1st - 50,000
  • 2nd - 100,000
  • 3rd Discretion of Visa
  • Failure to Report a Compromise
  • Up to 100,000
  • Egregious Violation up to 500,000

32
MasterCard Penalties
  • Level 1 Merchant
  • Up to 100,000 if not compliant after 60 days
  • Additional 10,000 per day not to exceed
    500,000
  • Level 2 Merchant
  • Up to 50,000 and 10,000 per day after 60 days
    not to exceed 500,000
  • Level 3 Merchant
  • Up to 25,000 and 10,000 per day after 60 days
    not to exceed 500,000

33
Breach Case Study
  • Level 2 Merchant
  • Visa and MasterCard only
  • Estimate 1,000 Fraud per Card
  • Replacement of Card 75 each
  • Credit Card Monitoring 45 per account
  • Egregious Loss Fines Discretionary
  • Based on Local SLC Case

34
(No Transcript)
35
Incident Response Plan
  • PCI Requirements
  • Data Privacy Laws
  • Notification of Customers

36
Wrap-up
  • Changes to PCI Standards
  • Backlog of providing PCI Certificates
  • Backlog of audits
Write a Comment
User Comments (0)
About PowerShow.com