A Practical Guide to PCI Compliance
Matthew Page – IT Security Manager, PCI ISA, Leeds Beckett University
14/11/2017
The Purpose of this Presentation
• To help those who are starting out on the PCI compliance journey
• Where to find help and documentation
• Formal courses tend to discuss the 12 requirements rather than how to become compliant
• It can be quite daunting, so I aim to provide an overview of PCI
• I’m not going to discuss:
– The requirements in detail
– The payment cycle
*For further information on these please review the documents referenced in the resources section.
What is PCI?
• Payment Card Industry
• Payment card data and transactions, not direct debits or PayPal payments
*Courtesy of PCIDSSSIG
• It’s not a legal requirement
• It’s a contractual requirement
• 12 main requirements (essentially a checklist)
• Mainly technical requirements, with procedural and policy based requirements
• Who is PCI compliant?
Why Protect this Data?
• It’s very valuable data to hackers
• US company Target breach 2013-2014
– 40 million card details affected
– Cost Target $350 million
– 46% drop in profits
– 1-3 million cards sold on the black market
– Resignation of CEO
• Reputational impact
*Data source Axelos Resilia
6 Goals of PCI Compliance
*Barclaycard

Goal 1 – Build and maintain a secure network and systems
Associated Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2 – Protect cardholder data
Associated Requirements
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal 3 – Maintain a vulnerability management program
Associated Requirements
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications (patching and config)

Goal 4 – Implement strong access control measures
Associated Requirements
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Goal 5 – Regularly monitor and test networks
Associated Requirements
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes (pen tests, vulnerability scans, etc.)

Goal 6 – Maintain an information security policy
Associated Requirements
12. Maintain a policy that addresses information security for all personnel
Where are you now?
*Barclaycard
• Many of the goals and requirements will be already in place
• Some may need fine tuning and some will need significant effort to bring into line with the standard
12 Requirements & Sub Requirements
• 12 high level requirements
• All the requirements have sub requirements, totalling over 300 across the standard
• That’s a lot!
• Very expensive to adhere to them all and time consuming to support and maintain
• Good news: hopefully you won’t have to adhere to them all
• That’s not to say you should take shortcuts
• Depending on your environment you may not need to comply with all the requirements to be compliant
• This is where SAQs will help
The SAQs
• Web Payments: A and A-EP
• Payment Terminals (Chip & PIN): B, B-IP & P2PE
• Merchants who use a payment application system or Virtual Terminal to process card payments: C & C-VT
• Merchants who store cardholder data: D
Requirement Description SAQ D SAQ C SAQ C-VT B-IP B A-EP* A P2PE
1 Firewall config Full Partial Partial Partial Partial
2 Vendor defaults Full Partial Partial Partial Partial Partial
3 Stored CHD Full Partial Partial Partial Partial Partial Partial
4 Encryption Full Partial Partial Partial Partial Partial
5 AV & patching Full Partial Partial Partial
6 Development Full Partial Partial Partial Partial
7 Restrict access Full Partial Partial Partial Partial Partial
8 Identify & authenticate Full Partial Partial Partial Partial Partial
9 Restrict physical access Full Partial Partial Partial Partial Partial Partial Partial
10 Track and monitor Full Partial Partial
11 Vulnerability testing Full Partial Partial Partial
12 Policies Full Partial Partial Partial Partial Partial Partial Partial
SAQ Requirements
• Refer to the ‘PCI SAQ Instructions and Guidelines’ document to determine which of your merchant accounts align with which SAQ, and speak to your acquirer to confirm

PCI SAQ Instructions and Guidelines Document
Merchant Levels & Assessment Criteria

Level 1 – Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.
Validation requirements:
– Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource
– Quarterly network scan by Approved Scan Vendor (ASV)
– Attestation of Compliance form

Level 2 – Merchant criteria: Merchants processing one million to six million Visa transactions annually via all channels.
Validation requirements:
– Annual Self-Assessment Questionnaire (SAQ)
– Quarterly network scan by ASV
– Attestation of Compliance form

Level 3 – Merchant criteria: Merchants processing 20,000 to one million Visa e-commerce transactions annually.
Validation requirements:
– Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com)
OR
– Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)

Level 4 – E-commerce merchants only. Merchant criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
Validation requirements:
– Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com)
OR
– Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)

QSA Services
• PCI assessment
• ROC
• Attestation sign off
• Gap analysis

ASV
• Tool to scan the network environment for vulnerabilities. Any high vulnerabilities are failures.
Acquirers
• Who are the acquirers?
An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The acquirer enables merchants to accept card payments.
• They can help provide information regarding the number of merchant accounts in use and the volume of transactions being processed through them
• They are responsible for ensuring their associated merchants are PCI compliant and will ask you to provide an AOC
• If you are unable to do this you may start to receive threatening letters
• Don’t be afraid to challenge your acquirer
• Find your business relationship manager and build a relationship
Your Payment Gateways
• Identify where payments are being taken throughout the university
• Identify how card data traverses the network
• Is cardholder data stored as part of the process?
• Identify the SAQ level
• Identify the merchant level
• Speak to your acquirer; they will help verify your merchant and SAQ levels
Reduce the Scope
• Are card payments segregated from the rest of your network?
• Can you segregate your networks?
• Avoid storing cardholder data
• Be aware of the problems with descoping
– perceptions that the entire network is as secure as the cardholder environment when in fact it has been descoped and therefore may not be maintained to the same standard.
• Determine the cost of descoping: is it just easier to include everything?
• Remember PCI should be part of the data security strategy
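The two questions above that decide scope ("Is cardholder data stored as part of the process?" and "Avoid storing cardholder data") are usually answered by scanning exports, logs and shared drives for stored primary account numbers. The script below is an added example, not part of the original slides: it finds digit runs of card length, discards the ones that fail the Luhn check (order numbers, phone numbers), and reports only a masked value (first six and last four digits, the most PCI DSS permits to be displayed) so the discovery report itself does not become a new store of cardholder data. The sample export text and the function names are constructed for this example; the test card numbers are the standard industry test values, not real cards.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit (so we never match part of a longer number).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of a finance export; 4111... and 5555... are standard test numbers,
# the order id is 16 digits but is NOT Luhn-valid, and the phone number is too short.
SAMPLE_EXPORT = """\
order_id=1234567890123456 customer=J Smith phone=01234 567890
card=4111 1111 1111 1111 exp=12/25
note: refund to 5555-5555-5555-4444 processed 14/11/2017
"""


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check used by payment cards."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; PCI DSS allows at most that much to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return [(line_no, masked_pan)] for every Luhn-valid candidate in the text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


def scan_file(path: str):
    """Scan one text file (hypothetical helper); binary junk is ignored rather than decoded."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return find_pans(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample; a real run would call scan_file() on each export.
    for line_no, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {line_no}: possible stored PAN {masked}")
```

A hit means the file, and the system holding it, is inside scope unless the data is removed; a clean scan across the places finance and the payment applications write to is the evidence that supports the "we do not store cardholder data" answer on the SAQ.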
The PCI Project
• It’s a project – create a plan
• Use the prioritised approach provided by PCI
• Collaborative approach with:
– IT
– Finance
– Governance
– Other relevant departments
– Acquirers
• Who should drive the project?
– IT
– Finance
– Governance
– ?
• Get buy in
– You can’t do this alone
Resources
• Find a QSA https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
• Your Acquirer
• Merchant levels
• MasterCard https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
• Visa https://www.visaeurope.com/receiving-payments/security/merchants
• PCIDSSSIG
– Training courses
– Foundation, Practitioner and ISA (free if you are a member)
– Resources http://www.pcidsssig.org.uk/
• PCI Document library https://www.pcisecuritystandards.org/document_library
• PCI Prioritised approach https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
• Guidance for Network Segmentation https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf?agreement=true&time=1510049283753
Final Thoughts
• It’s a checklist, so you can take one step at a time
• Training/reading: familiarise yourself with the standard
• Get project buy in
• Speak to people (Finance, Acquirers, staff)
• Determine the scope
• Work with the acquirers
• The goals of PCI are just the best practice elements we should all be implementing.
• Different security/compliance standards will aid each other
• You don’t need to be an ISA, but it helps.
Questions?
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 

Recently uploaded (20)

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 

A practical guide to PCI compliance

  • 1. A practical guide to PCI compliance – Matthew Page, IT security manager, Leeds Beckett University, 14/11/2017
  • 2. A Practical Guide to PCI Compliance – Matthew Page, IT Security Manager, PCI ISA
  • 3. The Purpose of this Presentation
    • To help those who are starting out on the PCI compliance journey
    • Where to find help and documentation
    • Formal courses tend to discuss the 12 requirements rather than how to become compliant
    • It can be quite daunting, so I aim to provide an overview of PCI
    • I’m not going to discuss:
      – The requirements in detail
      – The payment cycle
    *For further information on these please review the documents referenced in the resources section.
  • 4. What is PCI?
    • Payment Card Industry
  • 5. What is PCI?
    • Payment card data and transactions, not direct debits or PayPal payments
    *Courtesy of PCIDSSSIG
  • 6. What is PCI?
    • It’s not a legal requirement
    • It’s a contractual requirement
    • 12 main requirements (essentially a checklist)
    • Mainly technical requirements, with procedural and policy-based requirements
    • Who is PCI compliant?
  • 7. Why Protect this Data?
    • It’s very valuable data to hackers
    • US company Target breach 2013-2014
      – 40 million card details affected
      – Cost Target $350 million
      – 46% drop in profits
      – 1-3 million cards sold on the black market
      – Resignation of CEO
    • Reputational impact
    *Data source: Axelos Resilia
  • 8. 6 Goals of PCI Compliance
  • 9. Goal 1 – Build and maintain a secure network and systems (*Barclaycard)
    Associated Requirements:
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • 10. Goal 2 – Protect Cardholder data (*Barclaycard)
    Associated Requirements:
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
  • 11. Goal 3 – Maintain a vulnerability management program (*Barclaycard)
    Associated Requirements:
    5. Protect all systems against malware and regularly update antivirus software or programs
    6. Develop and maintain secure systems and applications (patching and config)
  • 12. Goal 4 – Implement strong access control measures (*Barclaycard)
    Associated Requirements:
    7. Restrict access to cardholder data by business need to know
    8. Identify and authenticate access to system components
    9. Restrict physical access to cardholder data
  • 13. Goal 5 – Regularly monitor and test networks (*Barclaycard)
    Associated Requirements:
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes (pen tests, vulnerability scans, etc.)
  • 14. Goal 6 – Maintain an information security policy (*Barclaycard)
    Associated Requirements:
    12. Maintain a policy that addresses information security for all personnel
  • 15. Where are you now? (*Barclaycard)
    • Many of the goals and requirements will already be in place
    • Some may need fine tuning and some will need significant effort to bring into line with the standard
  • 16. 12 Requirements & Sub-Requirements
    • 12 high-level requirements
    • All the requirements have sub-requirements, totalling over 300 across the standard
    • That’s a lot!
    • Very expensive to adhere to them all, and time consuming to support and maintain
    • Good news: hopefully you won’t have to adhere to them all
    • That’s not to say you should take short cuts
    • Depending on your environment you may not need to comply with all the requirements to be compliant
    • This is where SAQs will help
  • 17. The SAQs
  • 18. The SAQs – Web Payments
    • A and A-EP
  • 19. The SAQs – Payment Terminals (Chip & PIN)
    • B, B-IP & P2PE
  • 20. The SAQs – Merchants who use a payment application system or Virtual Terminal to process card payments
    • C & C-VT
  • 21. The SAQs – Merchants who store cardholder data
    • D
  • 22. SAQ Requirements
    Requirement | Description | SAQ D | SAQ C | SAQ C-VT | B-IP | B | A-EP* | A | P2PE
    1 | Firewall config | Full | Partial | Partial | Partial | Partial
    2 | Vendor defaults | Full | Partial | Partial | Partial | Partial | Partial
    3 | Stored CHD | Full | Partial | Partial | Partial | Partial | Partial | Partial
    4 | Encryption | Full | Partial | Partial | Partial | Partial | Partial
    5 | AV & patching | Full | Partial | Partial | Partial
    6 | Development | Full | Partial | Partial | Partial | Partial
    7 | Restrict access | Full | Partial | Partial | Partial | Partial | Partial
    8 | Identify & authenticate | Full | Partial | Partial | Partial | Partial | Partial
    9 | Restrict physical access | Full | Partial | Partial | Partial | Partial | Partial | Partial | Partial
    10 | Track and monitor | Full | Partial | Partial
    11 | Vulnerability testing | Full | Partial | Partial | Partial
    12 | Policies | Full | Partial | Partial | Partial | Partial | Partial | Partial | Partial
    • Refer to the ‘PCI SAQ Instructions and Guidelines’ document to determine which of your merchant accounts align with which SAQ, and speak to your acquirer to confirm
  • 23. PCI SAQ Instructions and Guidelines Document
  • 24. Merchant Levels & Assessment Criteria
    Level 1 – Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
    Validation requirements:
      – Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource
      – Quarterly network scan by Approved Scan Vendor (ASV)
      – Attestation of Compliance form
    QSA Services:
      • PCI assessment
      • ROC
      • Attestation sign off
      • Gap analysis
    ASV:
      • Tool to scan the network environment for vulnerabilities. Any high vulnerabilities are failures.
  • 25–27. Merchant Levels
    Level 1 – Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
    Validation requirements:
      – Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource
      – Quarterly network scan by Approved Scan Vendor (ASV)
      – Attestation of Compliance form
    Level 2 – Merchant criteria: Merchants processing one million to six million Visa transactions annually via all channels.
    Validation requirements:
      – Annual Self-Assessment Questionnaire (SAQ)
      – Quarterly network scan by ASV
      – Attestation of Compliance form
    Level 3 – Merchant criteria: Merchants processing 20,000 to one million Visa e-commerce transactions annually.
    Validation requirements:
      – Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR
      – Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
    Level 4 – Merchant criteria (e-commerce merchants only): Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
    Validation requirements:
      – Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR
      – Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
  • 28. Acquirers
    • Who are the acquirers? An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The acquirer enables merchants to accept card payments.
    • They can help provide information regarding the number of merchant accounts in use and the volume of transactions being processed through them
    • They are responsible for ensuring their associated merchants are PCI compliant and will ask you to provide an AOC
    • If you are unable to do this you may start to receive threatening letters
  • 29. Acquirers (continued)
    • Don’t be afraid to challenge your acquirer
    • Find your business relationship manager and build a relationship
  • 30. Your Payment Gateways
    • Identify where payments are being taken throughout the university
    • Identify how card data traverses the network
    • Is cardholder data stored as part of the process?
    • Identify the SAQ level
    • Identify the Merchant level
    • Speak to your acquirer; they will help verify your Merchant and SAQ levels
  • 31. Reduce the Scope
    • Are card payments segregated from the rest of your network?
    • Can you segregate your networks?
    • Avoid storing cardholder data
    • Be aware of the problems with descoping – the perception that the entire network is as secure as the cardholder environment when in fact the rest has been descoped and therefore may not be maintained to the same standard.
    • Determine the cost of descoping: is it just easier to include everything?
    • Remember PCI should be part of the data security strategy
  • 32. The PCI Project
    • It’s a project – create a plan
    • Use the prioritised approach provided by PCI
    • Collaborative approach with:
      – IT
      – Finance
      – Governance
      – Other relevant departments
      – Acquirers
    • Who should drive the project?
      – IT
      – Finance
      – Governance
      – ?
    • Get buy-in – you can’t do this alone
  • 33. Resources
    • Find a QSA: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
    • Your Acquirer
    • Merchant levels
      – MasterCard: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
      – Visa: https://www.visaeurope.com/receiving-payments/security/merchants
    • PCIDSSSIG
      – Training courses – Foundation, Practitioner and ISA (free if you are a member)
      – Resources: http://www.pcidsssig.org.uk/
    • PCI Document library: https://www.pcisecuritystandards.org/document_library
    • PCI Prioritised approach: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
    • Guidance for Network Segmentation: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf?agreement=true&time=1510049283753
  • 34. Final Thoughts
    • It’s a checklist, so you can take one step at a time
    • Training/reading: familiarise yourself with the standard
    • Get project buy-in
    • Speak to people (Finance, Acquirers, staff)
    • Determine the scope
    • Work with the acquirers
    • The goals of PCI are just the best-practice elements we should all be implementing.
    • Different security/compliance standards will aid each other
    • You don’t need to be an ISA, but it helps.

Editor's Notes

  1. Thanks to Jisc for the late shift. I hope you have all had a coffee at break.
  2. Who is PCI compliant? Show of hands.
  3. Hacking techniques are changing.
  4. Who is Cyber Essentials compliant? Show of hands.