PCI COMPLIANCE


PNJLEGAL

Uploaded on May 4, 2020

Category Business



PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) COMPLIANCE

• SECURITY STANDARDS FOR ORGANIZATIONS THAT HANDLE BRANDED CREDIT CARDS FROM THE MAJOR ISSUERS – MASTERCARD, VISA, DISCOVER, AMEX AND JCB.
• STANDARDS CREATED TO INCREASE CONTROLS AROUND CARDHOLDER DATA AND REDUCE CREDIT CARD FRAUD.
• ORIGINALLY 5 SEPARATE PROGRAMS.
• FORMED PAYMENT CARD SECURITY STANDARDS COUNCIL.
• PCI DSS V 1.0 RELEASED IN DECEMBER 2004.

WHO MUST COMPLY?

• ANYONE COLLECTING CARDHOLDER DATA
• REGARDLESS OF SIZE

PCI DATA SECURITY STANDARD – HIGH LEVEL OVERVIEW

• BUILD & MAINTAIN A SECURE NETWORK AND SYSTEMS
    • INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA
    • DO NOT USE VENDOR SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY
• PROTECT CARDHOLDER DATA
    • PROTECT STORED CARDHOLDER DATA
    • ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN PUBLIC NETWORKS
• MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
    • PROTECT ALL SYSTEMS AGAINST MALWARE AND REGULARLY UPDATE ANTI-VIRUS SOFTWARE OR PROGRAMS
    • DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS

CARDHOLDER DATA

• PAN - FULL ACCOUNT NUMBER OF CARD
• CARDHOLDER NAME - HOW IT READS ON THE CARD
• EXPIRATION DATE
• SERVICE CODE - 3 OR 4 DIGITS ON MAGNETIC STRIP THAT SPECIFIES THE ACCEPTANCE REQUIREMENT
• FULL TRACK DATA - DATA ON THE MAGNETIC STRIP
• CVC - CALCULATED THROUGH A SPECIFIC ALGORITHM USING A NUMBER OF ITEMS ABOUT THE ACCOUNT
• PIN - GENERATED BY CARDHOLDER (EX - ATM CASH ADVANCE)

STORAGE OF CARDHOLDER INFORMATION

• PCI DSS REQUIREMENTS 3.3 AND 3.4 APPLY ONLY TO PAN. IF PAN IS STORED WITH OTHER ELEMENTS OF CARDHOLDER DATA, ONLY THE PAN MUST BE RENDERED UNREADABLE ACCORDING TO PCI DSS REQUIREMENT 3.4.
• SENSITIVE AUTHENTICATION DATA MUST NOT BE STORED AFTER AUTHORIZATION, EVEN IF ENCRYPTED.

COMMON MYTHS OF PCI DSS

• MYTH 1 – OUTSOURCING CARD PROCESSING MAKES NSU COMPLIANT.
  OUTSOURCING SIMPLIFIES PAYMENT CARD PROCESSING BUT DOES NOT PROVIDE AUTOMATIC COMPLIANCE. NSU MUST PROTECT CARDHOLDER DATA WHEN RECEIVED, AND PROCESS CHARGEBACKS AND REFUNDS.
• MYTH 2 – PCI COMPLIANCE IS AN OIIT PROJECT.
  THE OIIT STAFF IMPLEMENTS TECHNICAL ASPECTS OF PCI RELATED SYSTEMS, BUT COMPLIANCE IS MORE THAN A “PROJECT” WITH A BEGINNING AND END – IT'S AN ONGOING PROCESS OF ASSESSMENT, REMEDIATION AND REPORTING. PCI COMPLIANCE IS A BUSINESS ISSUE THAT IS BEST ADDRESSED BY A MULTI-DISCIPLINARY TEAM.
• MYTH 3 – PCI WILL MAKE US SECURE.
  COMPLETION OF A SYSTEM SCAN OR ASSESSMENT FOR PCI IS A SNAPSHOT IN TIME.
• MYTH 4 – PCI IS UNREASONABLE; IT REQUIRES TOO MUCH.
  MOST ASPECTS OF THE PCI DSS ARE ALREADY A COMMON BEST PRACTICE FOR SECURITY. THE STANDARDS PROVIDE SIGNIFICANT DETAIL, WHICH BENEFITS MERCHANTS AND PROCESSORS BY NOT LEAVING THEM TO WONDER “WHERE DO I GO FROM HERE?”

COST OF NON-COMPLIANCE

• FINES AND PENALTIES
• CARD REISSUING COSTS
• LOSS OF CARD PROCESSING PRIVILEGES
• REPUTATIONAL RISK

BEST PRACTICES

• YOUR COMPUTER SCREEN AND TERMINAL
• LOCK YOUR DESK / LOCK DRAWER / OFFICE
• DO NOT WRITE DOWN CREDIT CARD SENSITIVE AUTHENTICATION DATA
• DO NOT SHARE LOGIN INFORMATION
• DO NOT USE MEMORY STICKS ON NSU DEVICES
• DO NOT SEND CREDIT CARD INFORMATION VIA INTEROFFICE MAIL

HOW TO PRACTICE PCI COMPLIANCE

• DEVELOP AND MAINTAIN A SUSTAINABLE SECURITY PROGRAM
• DEVELOP PROGRAM, POLICY, AND PROCEDURES
• DEVELOP PERFORMANCE METRICS TO MEASURE SUCCESS
• ASSIGN OWNERSHIP FOR COORDINATING SECURITY ACTIVITIES
• EMPHASIZE SECURITY AND RISK MANAGEMENT TO ATTAIN AND MAINTAIN COMPLIANCE
• CONTINUOUSLY MONITOR SECURITY CONTROLS
• DETECT AND RESPOND TO SECURITY CONTROL FAILURES
• MAINTAIN SECURITY AWARENESS
• MONITOR COMPLIANCE OF THIRD-PARTY SERVICE PROVIDERS
• EVOLVE THE COMPLIANCE PROGRAM TO ADDRESS CHANGES

THANK YOU FOR WATCHING
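
The storage rules in the slides above (sensitive authentication data never kept after authorization, PAN rendered unreadable) can be enforced at the point where a transaction record is written. The following is an added example, not part of the original presentation: the field names and the sample record are constructed, and truncation to the first six and last four digits is assumed as the method for rendering the PAN unreadable.

```python
import re

# Field names are assumptions for this example, not names defined by PCI DSS.
SAD_FIELDS = {"track_data", "cvc", "pin"}   # sensitive authentication data
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("value is not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_text(text: str) -> str:
    """Truncate PANs that leaked into free text; leave other numbers alone."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_CANDIDATE.sub(repl, text)

def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of a post-authorization record that is safe to persist."""
    out = {}
    for key, value in record.items():
        if key in SAD_FIELDS:
            continue                      # dropped even if it arrived encrypted
        if key == "pan":
            out[key] = truncate_pan(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # e.g. agent notes, log messages
        else:
            out[key] = value
    return out

# Constructed sample record (4111 1111 1111 1111 is a well-known test number).
SAMPLE = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. EXAMPLE",
          "expiry": "12/30", "cvc": "123", "track_data": "constructed", "pin": "0000",
          "notes": "caller read card 4111-1111-1111-1111, order 1234567890123456"}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE))
```

The free-text pass matters in practice because card numbers often end up in notes and log fields that no schema marks as cardholder data.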