Visa Europe: Implementing PCI DSS Requirements Within Your Organisation (September 2008, Simon Breeden)
Tel Aviv, 18th September 2008, Visa Europe
Data security and your brand
• How much would your brand be worth if you lost your customers’ trust?
• Would your customers stay with you?
Your brand needs security!
• Compromises happen every day, everywhere
• In the customer’s view, consumers, card schemes and merchants share responsibility for protecting card data
• Yet… 63% of customers view merchants as the weakest link when it comes to protecting their data…¹
¹Source: Javelin Strategy and Research 2007
In customers’ eyes we all share responsibility to prevent fraud
Merchants as the weakest link
Customer confidence seriously impacted by a data breach
In the case of a breach:
• 49% of customers believe merchants to be the most likely source of the data breach
• 3 out of 4 customers won’t shop again at a compromised merchant
• 84% of customers want to shop at merchants who are security market leaders
Investing in PCI DSS should be part of your customer retention plans
Media and regulators are watching us…
• National and European governments are showing increasing interest in the area of account information security
• The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise) – already adopted in California, Minnesota and Texas
• Media are increasingly questioning industry compliance and progress…
Is PCI DSS mandated for everybody?
PCI DSS is mandated for all merchants and other entities with access to card data
No access to data = no need for compliance validation
In the future, more companies may consider not handling card data directly, rather than going through the cost and risk of securing it
What is it for?
• Protecting customer confidence
• Mitigating fraud and other losses
• Protecting against reputational damage
• Avoiding further regulatory control
PCI DSS part of overall Visa Security
• POS environment: Chip & PIN
• Online e-commerce: Verified by Visa
• Back office: PCI DSS
Card elements: card number, chip, expiry date
• Magnetic stripe: made up of “Track 1” and “Track 2” data
• CVV2: the card account number, plus a three-digit Card Verification Value 2 (CVV2), is indent-printed on the signature panel
Track data and CVV2 should never be stored after authorisation
You are only as safe as the least safe link in the chain
Processor
Acquiring bank
Internet payment gateway
Merchant
Web hosting company
Data theft is…
• Organised
• Multi-national
• Increasing in frequency
• Very, very lucrative
• Easy
• Almost risk-free
Most Companies don’t help themselves
• Track data and CVV2 are the ‘honey pot’ that hackers look for
• 80%+ of entities that are hacked are storing Track data and CVV2
• 70-80% of companies compromised go out of business within one year
PCI DSS is good business practice
Think of it as spring cleaning!
PCI DSS is an opportunity to take a fresh look at how your company works and identify any issues with people, processes, and systems.
• This enables you to:
- Check your house is in order
- Discard unwanted items
- Rethink your data storage business needs
- Fix issues
The First Thing!
PCI DSS is mandated for all merchants and other entities who store, process and/or transmit card data
No data = no need for compliance validation
Companies have the option of investing in data security or hiring a third party to manage data on their behalf
The Second Thing!
The key to a successful compliance programme is to:
• Identify stakeholders
- Finance Director, Risk Committee, Information Security Officer, IT Director, Operations Director, …
• Get business sponsorship
- Present PCI DSS and the risk of non-compliance to the Board
- Brand image is at stake
Making PCI Compliance a Reality
Visa’s recommended approach is to:
– Complete data flow analysis early
– Complete a comprehensive gap analysis
– Define a detailed remediation plan
How does PCI relate? The programme runs as a cycle:
Data Flow Analysis → Gap Analysis → Remediation Plan → Implement Remediation → Compliance Validation
Scoping and Sampling
Proper scoping and thorough reviews are critical
Beware of not scoping and identifying all potential systems that may hold cardholder information
• This can lead to critical and destructive hacks
• The data flow mapping exercise should identify all points of storage, processing & transmission
PCI DSS Scoping
PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data, and all connected systems
• Includes networking equipment that transmits cardholder data (e.g. routers, switches, firewalls, wireless access points)
• Encrypted cardholder data is still within scope
Quick Wins
• Do not store track data or CVV2 post authorisation
• Delete card data everywhere you can
• Update security policy
• Update templates to ensure PCI DSS is included in all new projects
• Data retention policy & process
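As an added illustration of the first two quick wins (and of the track data and CVV2 elements described earlier), the following Python is example code written for this transcript, not Visa’s or the presenter’s: a small data-discovery scan that flags Track 1 and Track 2 data, Luhn-valid PANs and labelled CVV2 values in log or file lines, and reports only masked PANs. The sample lines, field labels and the 4111111111111111 test PAN are constructed.

```python
import re

# Track 2 as on the stripe: ';', PAN, '=', expiry YYMM, service code, discretionary data, '?'.
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{4}\d{3}\d*\??")
# Track 1: '%B', PAN, '^', cardholder name, '^', expiry YYMM, service code.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}")
# A bare 13-19 digit run that may be a PAN; reported only if it passes the Luhn check.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# A labelled CVV2/CVC value such as cvv2=123 or "cvc": "4567".
CVV2_RE = re.compile(r"(?i)\bcv[vc]2?\W{0,4}\d{3,4}\b")

# Constructed sample log lines (not real data); 4111111111111111 is a Luhn-valid test PAN.
SAMPLE_LINES = [
    "2008-09-18 10:01:02 auth ok order=1842 pan=4111111111111111 cvv2=123",
    "2008-09-18 10:01:03 raw swipe ;4111111111111111=25121011234567890?",
    "2008-09-18 10:01:04 raw swipe %B4111111111111111^DOE/JANE^2512101?",
    "2008-09-18 10:01:05 order=1843 ref=1234567890123 status=ok",  # fails Luhn: not a PAN
    "2008-09-18 10:01:06 auth ok token=tok_9f3a order=1844",      # tokenised: nothing to find
]

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to cut false positives on ordinary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Never write the full PAN into the report: keep first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (element, masked value) for each prohibited element found on one line."""
    findings, seen = [], set()
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE), ("pan", PAN_RE)):
        for m in rx.finditer(line):
            pan = m.group(1)
            if pan not in seen and luhn_ok(pan):   # track PANs are not double-counted
                findings.append((kind, mask_pan(pan)))
                seen.add(pan)
    if seen:                               # a CVV2 kept beside card data is the real problem
        findings.extend(("cvv2", "***") for _ in CVV2_RE.finditer(line))
    return findings

def scan_lines(lines) -> dict[int, list[tuple[str, str]]]:
    """Map 1-based line number to findings for every line that holds prohibited data."""
    return {n: f for n, l in enumerate(lines, 1) if (f := scan_line(l))}
```

Run it over exported logs, database dumps or backup files during the data flow mapping exercise; every hit is a place where retention must be removed, not merely encrypted.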
Advice on Payment Applications
• PA-DSS is here!
• Released by PCI SSC on 15 April 2008
• Set of comprehensive security standards for use by vendors to ensure their products assist PCI DSS compliance
• Ensure new applications are PA-DSS compliant
• Get the comfort of knowing you have an application which, if implemented correctly, helps you to become PCI DSS compliant
• PA-DSS certified applications do not make you compliant, but they help you get there
Merchant Compliance Validation
Level 1: Processing more than 6 million Visa transactions per year, or compromised in the last year. Validation: annual on-site security audit and quarterly network scan
Level 2: Processing 1 million to 6 million Visa transactions per year. Validation: annual self-assessment questionnaire audit and quarterly network scan
Level 3: Processing 20,000 to 1 million Visa e-commerce transactions per year. Validation: annual self-assessment questionnaire audit and quarterly network scan
Level 4: Processing up to 20,000 Visa e-commerce transactions per year, and all merchants processing up to 1 million Visa transactions per year. Validation: recommended annual self-assessment questionnaire audit and quarterly network scan
Service Provider Compliance Validation
Level 1: All VisaNet processors, payment gateways and Internet payment service providers, regardless of volumes. Validation: annual on-site security audit and quarterly network scan
Level 2: Any service provider not in level 1 that stores, processes or transmits more than 1 million Visa accounts or transactions per year. Validation: annual on-site security audit and quarterly network scan
Level 3: Any service provider not in level 1 that stores, processes or transmits fewer than 1 million Visa accounts or transactions per year. Validation: annual self-assessment questionnaire audit and quarterly network scan
Compliance Management
If you do not comply
• There are levels of fines that are imposed
• There are fines for data compromise
Ultimate Sanction
• Prohibition by all brands from dealing with cards and card data
However, it is a journey…
• No expectation of immediate compliance
• However…..
• No open ended deadlines to comply
• Evidence of commitment to comply
• Planned approach
• Compliance is a 24 hour a day activity – not a once a year activity to satisfy an audit