PCI DSS Protecting your business
-
Upload
leonard-fuller -
Category
Documents
-
view
24 -
download
6
description
Transcript of PCI DSS Protecting your business
Visa Europe Confidential
PCI DSSProtecting your business
Lara Fiorani, Visa Europe
Basel
25 April, 2006
Presentation Identifier.2Information Classification as NeededVisa Europe Basel 25 April 2006
Agenda
Account Information Security Programme and the Payment Card Industry (PCI) Data Security Standards
PCI DSS - Protecting your business
Plans for 2006
Presentation Identifier.3Information Classification as NeededVisa Europe Basel 25 April 2006
Account Information Security Programme
-The Payment Card Industry Data Security Standards (PCI DSS) were developed jointly by Visa and MasterCard and are endorsed by Amex, JCB, Discovery, Diners
• Work is under way to promote the establishment of PCICo, an independent industry body that will act as custodian of the PCI DSS
Visa promotes the implementation of the PCI DSS through its Account Information Security Programme (AIS)
AIS is part of a wider Visa strategy to make the card industry more secure
Presentation Identifier.4Information Classification as NeededVisa Europe Basel 25 April 2006
Account Information Security (AIS) alongside other Visa security products
POSEnvironment
Online e-comm Back office,systems
Chip & PIN Verified by Visa AIS
Presentation Identifier.5Information Classification as NeededVisa Europe Basel 25 April 2006
Why do we need PCI DSS?
40M credit cards hacked
Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
June 20, 2005: 5:04 PM EDT Jeanne Sahadi, CNN/Money senior writer
Presentation Identifier.6Information Classification as NeededVisa Europe Basel 25 April 2006
Why do we need PCI DSS?
From The Times, Saturday April 15 2006 :
The Times contacted 14 customers whose details had been passed to it by a US company that monitors […] chat rooms. They were astonished when a reporter read out their credit card numbers.
The names had been taken from unidentified British servers. By ringing the individuals on each list and checking which purchases they had made on the day the details were stolen, The Times was led to two reputable companies — one a supplier of travel goods based in Amesbury, Wiltshire, with a database of more than 20,000 customers, the other a computer sales company in Sheffield. Neither company was aware that its systems had been targeted.
[Jonathan Richards, ‘Revealed: how credit cards are plundered on the net’, The Times, Saturday April 15 2006]
Presentation Identifier.7Information Classification as NeededVisa Europe Basel 25 April 2006
Key role of beyond facilitator of payments?
External pressure on Visa to protect personal financial information
Q28: Aside from Visa being a facilitator of purchases or a processor of transactions, when you think of Visa and the role you expect it to play in society, which one of the following best describes your expectations of what Visa should be – educator on financial issues, protector of personal financial information, contributor to economic growth, or something else? If you have a different expectation for Visa, please let me know. Base: Total Respondents, n=2044
35
33
17
8
1
4
0% 20% 40% 60%
Top mentions
Protector of personal financial information
Contributor to economic growth
Educator on financial issues
Something else
Other
Don’t know
Presentation Identifier.8Information Classification as NeededVisa Europe Basel 25 April 2006
In addition: Data Security is a major concern for customers worldwide
64
62
58
57
56
55
49
48
0% 20% 40% 60% 80% 100%
Natural disasters (drought, earthquakes, floods, fires, hurricanes)
*Loss of trust in governments/businesses/ institutions
Spread of disease, or health epidemics
Having a credit card, debit card, or some type of payment card lost or stolen
Losing your primary source of income (such as your job)
Terrorism in the world or in your country
Protecting the environment
Having your personal or financial info lost or stolen
Base: All respondents, except (*) not asked in China
Top 3 Box (Rated 8-10)
Presentation Identifier.9Information Classification as NeededVisa Europe Basel 25 April 2006
Recent Visa Europe experience
-Remarkable increase in compromises in Europe, regardless of acceptance channels
• Full track two data being targeted
-Processors and IPSPs remotely targeted
-Increase in compromises at non e-commerce Merchants
-E-commerce still a target
• Fraud migrating to card not present sector because of increased security in face to face (EMV chip)
Presentation Identifier.10Information Classification as NeededVisa Europe Basel 25 April 2006
Benefits of compliance with PCI DSS
Ensures protection of the brands and reputation of all parties
• Visa
• Acquiring banks
• Merchants
• Service providers
Helps gaining and maintains consumer confidence in payment systems
•Secures customers
•Makes them come back
Presentation Identifier.11Information Classification as NeededVisa Europe Basel 25 April 2006
Compliance with PCI DSS- Systems benefit
More aware of how your
business works
Provides you with greater awareness of security
measures and preventative options
available
Helps you identify and address weaknesses in your security
Systems
Presentation Identifier.12Information Classification as NeededVisa Europe Basel 25 April 2006
Compliance with PCI DSS - Financial Benefits
Financial
Avoid cost of reaction to cybercrime
suspension from trading
consultancy fees
consultancy fees
police involvement
law suits
Avoid cost of fraud
Protects you from card schemes
post-compromise penalties
Presentation Identifier.13Information Classification as NeededVisa Europe Basel 25 April 2006
Compliance with PCI DSS- Reputational Benefits
Reputation
Brand damage alone may put a company out
of business!
No compromises – no unwanted media
attention
Presentation Identifier.14Information Classification as NeededVisa Europe Basel 25 April 2006
If an organisation is certified compliant with PCI DSS..
-A compromise is less likely to happen.
-If it happens it may be: • Smaller
– reduced fraud cost • easier and cheaper to contain
– Less investment needed to bring the organisation into compliance
– Faster to bring the organisation into compliance
- If the forensics investigation confirms that the organisation was still PCI compliant at the time of compromise• Visa will not levy compromise fees
Presentation Identifier.15Information Classification as NeededVisa Europe Basel 25 April 2006
Sensitive Information
• Card number
• Expiry date
• Full Track 2 (for face to face transactions)
• CVV2 (for Card not Present transactions)
Track 2 and CVV2 should never be stored after authorisation
-NOT storing any of the above removes the need for PCI DSS validation
-If the information is stored, it has to be stored securely (encrypted)
Presentation Identifier.16Information Classification as NeededVisa Europe Basel 25 April 2006
Compliance Validation Requirements - Merchants
Level 1 - Merchants with 6,000,000+ transactions a year- all acceptance channels
Level 2&3 - E-commerce Merchants with 6,000,000 to 20,000 transactions a year
Level 4 – all other Merchants
Mandated Annual onsite audit, and Quarterly network scan
The audit can be done by a qualified auditor or by Merchant’s internal audit team, but has to assess compliance with the PCI Standards
Mandated Annual PCI Self-assessment questionnaire, and Quarterly network scan
Recommended annual PCI Self-assessment questionnaire and annual network scan
Presentation Identifier.17Information Classification as NeededVisa Europe Basel 25 April 2006
Merchants – next steps for 2006
ALL Merchants should be compliant with PCI DSS already• Regardless of Merchant size
• Data security should be ongoing work
-Difference is only in type of validation required
-Validation may be recommended for some categories, but compliance is mandated to be part of the Visa system
-All Merchants should make provisions to ensure than any third party they contract with is compliant
Presentation Identifier.18Information Classification as NeededVisa Europe Basel 25 April 2006
Visa – Recent and next steps
-Finished re-accreditation of Qualified Security Assessors
-Producing more awareness raising and support materials
-AIS as contractual requirement for all new merchant agreements
-New set of penalties for Acquirers with non-compliant Merchants
• If a Merchant commits to starting the work, they will be allowed reasonable time to work towards compliance
-Lowering the Level 1 threshold to include more non e-commerce Merchants
Presentation Identifier.19Information Classification as NeededVisa Europe Basel 25 April 2006
Conclusion
We are flexible, want to help you get started
PCI DSS adds value to your brand and consumers
PCI DSS protects your revenues
Based on ISO/BSS, tailoring these standards to cards industry
Presentation Identifier.20Information Classification as NeededVisa Europe Basel 25 April 2006
Visa OnLine
• https://www.eu.visaonline.com/eu_ais/
Visa Europe website
• www.visaeurope.com/acceptingvisa/datasecurity.html
Email: [email protected]
AIS Programme Manager: Lara Fiorani
• Tel: +44 207 795 5668
• Email: [email protected]
20
Where to find information on PCI DSS
Visa Europe Confidential
Thank you