A Dive into Payment Card Industry (PCI)
By Saumya Vishnoi
About me
• Working as a Security Consultant at SISA Information Security
• PCI-QSA
Why is this important?
• 2013 – year of breaches
• Biggest breaches:
• Target credit card breach
• US beauty products chain 'Sally Beauty' breach
• Adobe breach
Credit card information!
• Credit card data is one of the most valuable targets for cyber criminals
WHY?
That is where the money is ;)
Payment Card
Payments Brands
Banks
• Issuer Bank
• Acquirer Bank
How does a card transaction work? (Card Present)
Cardholder
Merchants
Issuer
Acquirer
(Merchant Bank)
Acqu. Processor
Issuing Processor
How does a card transaction work? (Card Not Present)
Cardholder
Acquirer
(Merchant Bank)
Acqu. Processor
Issuer
Issuing Processor
E-Commerce
Merchant
Payment Gateway
Three Core Processing Actions
– Authentication
• Validation of the cardholder's identity and of the card being used
– Authorization
• Issuer approves or declines the purchase
– Settlement
• Transfer of funds into the merchant account once the product/service is shipped or delivered
Protection of Card Information
PCI-SSC
• PCI Security Standards Council:
An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis.
• Founded by:
American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc.
PCI-PTS
• PCI PIN Transaction Security
• A set of security requirements focused on the characteristics and management of devices used in payment processing activities.
• To be followed by manufacturers during the design, manufacture and transport of the device.
PA-DSS
• Payment Application Data Security Standard
• Applies only to software applications that store, process or transmit cardholder data as part of authorization and settlement.
• Applies only to applications sold off the shelf
PCI DSS
Data Security Standard
PCI DSS Applicability
• It applies to:
• Systems that store, process or transmit cardholder data
• Systems that provide security services or may impact the security of the Cardholder Data Environment (CDE)
• Any other components or devices located within or connected to the CDE
Cardholder Data
PCI-DSS Assessments
• Qualified Assessors
• Self-Assessment Questionnaire
Global Merchant Levels
Level 1
• American Express: Merchants processing 2.5 million American Express Card transactions annually, or any merchant that American Express otherwise deems a Level 1.
• MasterCard: Merchants processing over 6 million MasterCard transactions (all channels) annually, merchants identified by another payment card brand as Level 1, or compromised merchants.
• Visa: Large merchants processing over 6,000,000 Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
Level 2
• American Express: Merchants processing 50,000 to 2.5 million American Express transactions annually, or any merchant that American Express otherwise deems a Level 2.
• MasterCard: Merchants processing 1 million to 6 million MasterCard transactions annually, and all merchants meeting the Level 2 criteria of a competing payment brand.
• Visa: Merchants processing 1 million to 6 million Visa transactions annually (all channels).
Level 3
• American Express: Merchants processing less than 50,000 American Express transactions annually.
• MasterCard: Merchants processing over 20,000 MasterCard e-commerce transactions annually, and all merchants meeting the Level 3 criteria of a competing brand.
• Visa: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
Level 4
• American Express: N/A
• MasterCard: All other MasterCard merchants.
• Visa: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.
Requirement 1
Install and maintain a firewall configuration to
protect cardholder data
• Firewall and Router hardening
• Firewall rule review
• Firewall rule justification
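The three Requirement 1 bullets above, as an added example that is not part of the original slides: a small rule-review script that reads a firewall rule export and flags allow rules into the cardholder data environment that lack a documented business justification, come straight from an untrusted network, or use "any" for source or service, plus unrestricted outbound rules from the CDE. The CSV layout, the zone labels ("cde", "internet") and the sample rules are all constructed for this example, not taken from any vendor's format.

```python
import csv
import io

# Zone labels for the cardholder data environment and for untrusted networks.
# Both are assumptions for this example; substitute your own zone names.
CDE_ZONE = "cde"
UNTRUSTED_ZONE = "internet"

# Constructed sample ruleset in the shape of a firewall export; not real rules.
SAMPLE_RULESET = """\
rule_id,src_zone,src,dst_zone,dst,port,action,justification
FW-001,dmz,10.1.1.10,cde,10.2.0.5,tcp/8443,allow,Web tier to payment app (CR-1042)
FW-002,internet,any,cde,10.2.0.5,tcp/443,allow,
FW-003,corp,10.5.0.0/16,cde,10.2.0.0/24,any,allow,Admin access
FW-004,cde,10.2.0.0/24,internet,any,tcp/443,allow,Acquirer API calls
FW-005,any,any,cde,any,any,deny,Default deny
"""


def parse_ruleset(text: str) -> list:
    """Parse a CSV rule export into a list of dicts, one per rule."""
    return list(csv.DictReader(io.StringIO(text)))


def review_rule(rule: dict) -> list:
    """Return the review findings for one rule (empty list = no issue).
    Only 'allow' rules are examined; a deny rule needs no justification."""
    findings = []
    if rule["action"].lower() != "allow":
        return findings
    into_cde = rule["dst_zone"] == CDE_ZONE
    from_cde = rule["src_zone"] == CDE_ZONE

    # Every allow rule into the CDE must carry a documented justification.
    if into_cde and not rule["justification"].strip():
        findings.append("no documented business justification for access into the CDE")
    # Untrusted networks must not reach the CDE directly (a DMZ sits in between).
    if into_cde and rule["src_zone"] == UNTRUSTED_ZONE:
        findings.append("direct inbound access from an untrusted network into the CDE")
    # 'any' source or service is a hardening failure, not a justifiable rule.
    if into_cde and (rule["src"] == "any" or rule["port"] == "any"):
        findings.append("overly permissive 'any' source or service into the CDE")
    # Outbound traffic from the CDE must be limited to authorised destinations.
    if from_cde and rule["dst_zone"] == UNTRUSTED_ZONE and rule["dst"] == "any":
        findings.append("unrestricted outbound traffic from the CDE to an untrusted network")
    return findings


def review_ruleset(text: str) -> dict:
    """Map rule_id -> findings for every rule that has at least one finding."""
    report = {}
    for rule in parse_ruleset(text):
        findings = review_rule(rule)
        if findings:
            report[rule["rule_id"]] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in review_ruleset(SAMPLE_RULESET).items():
        print(rule_id)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, FW-001 and the default-deny rule FW-005 pass, while FW-002 collects three findings (no justification, internet source, "any" source), FW-003 is flagged for an "any" service and FW-004 for an unrestricted outbound destination. The checks are deliberately simple string comparisons so they can be adapted to whatever export format a real firewall produces.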
Requirement 2
Do not use vendor-supplied defaults for system
passwords and other security parameters
• Removal of defaults – settings, credentials
• Hardening
• Encrypted non-console access
Requirement 3
Protect stored cardholder data
• Storage of cardholder data
• Not storing sensitive authentication data*
• Security of data while stored
• Masking of PAN*
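The Requirement 3 controls above in code, as an added example that is not part of the original slides: a sanitizer that drops sensitive authentication data (CVV2, track data, PIN block) before an authorization record is persisted and masks the PAN to the first six and last four digits, plus a Luhn-based scanner that finds full PANs that have leaked into logs or dumps. The field names, the sample record and the log lines are constructed for this example and use well-known test card numbers, not real cards.

```python
import re

# Sensitive authentication data (SAD) that must never be stored after
# authorization, not even encrypted. Field names are assumptions for this
# example; map them to your own record layout.
SAD_FIELDS = {"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the first six and last four digits, the most that may be
    displayed; everything in between becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or len(digits) > 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of an authorization record that is safe to persist:
    SAD fields dropped, PAN masked. Other keys are passed through."""
    cleaned = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue            # never stored
        if key.lower() == "pan":
            cleaned[key] = mask_pan(value)
        else:
            cleaned[key] = value
    return cleaned


# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Scan free text (log lines, dumps) for Luhn-valid card numbers that
    should have been masked or never written. Returns the digit strings found."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample data using well-known test card numbers, not real cards.
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv2": "123",
    "track2": "4111111111111111=27121011000012345678",
    "amount": "19.99",
}

SAMPLE_LOG = """\
2014-03-01T10:00:01Z auth ok pan=411111******1111 amt=19.99
2014-03-01T10:00:02Z DEBUG raw request: pan=5555555555554444 cvv=***
2014-03-01T10:00:03Z settlement batch 20140301 count=42
"""

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH))
    print(find_unmasked_pans(SAMPLE_LOG))
```

The sanitizer keeps expiry and amount, drops the CVV2 and track 2 fields entirely and stores only the masked PAN. The scanner ignores the already-masked PAN on the first log line and the timestamps and batch number, but reports the full PAN on the debug line, which is the kind of accidental storage a Requirement 3 assessment looks for.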
Requirement 4
Encrypt transmission of cardholder data across
open, public networks
• Secure transmission – wired
• Secure transmission – wireless
• End user messaging
Requirement 5
Protect all systems against malware and
regularly update anti-virus software or
programs
• Anti-virus
• Update and scan settings
• Logs – generated and stored
Requirement 6
Develop and maintain secure systems and
applications
• Risk ranking
• Patching
• Change Control
• Secure development
• Web Application Firewall
Requirement 7
Restrict access to cardholder data by business
need to know
• Access rights assigned on a need-to-know basis
• User creation and deletion process
Requirement 8
Identify and authenticate access to system
components
• Unique user ID
• User access review
• 2-factor authentication for remote access
Requirement 9
Restrict physical access to cardholder data
• Physical access control
• CCTV
• Visitor Policy
• Physical security of Media
• Secure Destruction of Media
• Protecting POS devices from tampering
Requirement 10
Track and monitor all access to network
resources and cardholder data
• Enable Logs
• Time synchronization
• FIM on logs
• Log review
• Retention period
Requirement 11
Regularly test security systems and processes
• Wireless scan
• Internal VA
• Internal PT
• External VA
• External PT
• Application Testing
• FIM
Requirement 12
Maintain a policy that addresses information
security for all personnel
• Information Security Policy
• Risk assessment
• Awareness training
• Background verification
References
• PCI DSS Requirements and Security Assessment Procedures, version 2.0
• PCI DSS Requirements and Security Assessment Procedures, version 3.0
• PCI Quick Reference Guide
Questions?
Thank you
saum98@gmail.com
Introduction to PCI DSS

  • 1. A Dive into Payment Card Industry (PCI) By Saumya Vishnoi
  • 2. About me • Working as Security Consultant in SISA information Security • PCI-QSA
  • 3. Why is this Important ? • 2013– Year of Braches • Biggest breaches– • Target credit card breach • US beauty products chain ’Sally Beauty’ breach • Adobe breach Credit Card Information!!!!
  • 4. • Credit Card data is one of the most valuable target for cyber criminals WHY ? That is where the Money is ;)
  • 8. How a card Transaction Works ? (Card Present) Cardholder Merchants Issuer Acquirer (Merchant Bank) Acqu. Processor Issuing Processor
  • 9. How a card Transaction Works ? (Card Not Present) Cardholder Acquirer (Merchant Bank) Acqu. Processor Issuer Issuing Processor E-Commerce Merchant Payment Gateway
  • 10. Three Core Processing Actions – Authentication • Validation of cardholders identity and card being used – Authorization • Issuer approves or declines purchase – Settlement • Transfer of funds into merchant account once product/service shipped or delivered
  • 11. Protection of Card Information
  • 12. PCI SSC • PCI Security Standards Council: an independent industry standards body providing oversight of the development and management of the Payment Card Industry security standards on a global basis • Founded by: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc.
  • 14. PCI PTS • PCI PIN Transaction Security • A set of security requirements focused on the characteristics and management of devices used in payment processing • To be followed by manufacturers during the design, manufacture and transport of the device
  • 15. PA-DSS • Payment Application Data Security Standard • Applies only to software applications that store, process or transmit cardholder data as part of authorization or settlement • Applies only to applications sold off the shelf (not to in-house developed applications)
  • 18. PCI DSS applicability • It applies to: • Systems that store, process or transmit cardholder data • Systems that provide security services or may impact the security of the Cardholder Data Environment (CDE) • Any other components or devices located within or connected to the CDE
  • 20. PCI DSS assessments • Qualified Security Assessors (QSA) • Self-Assessment Questionnaire (SAQ)
  • 22. Global Merchant Levels
  • Level 1 • American Express: merchants processing 2.5 million American Express card transactions annually, or any merchant that American Express otherwise deems Level 1 • MasterCard: merchants processing over 6 million MasterCard transactions (all channels) annually, merchants identified by another payment card brand as Level 1, or compromised merchants • Visa: merchants processing over 6,000,000 Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
  • Level 2 • American Express: merchants processing 50,000 to 2.5 million American Express transactions annually, or any merchant that American Express otherwise deems Level 2 • MasterCard: merchants processing 1 million to 6 million MasterCard transactions annually, and all merchants meeting the Level 2 criteria of a competing payment brand • Visa: merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Level 3 • American Express: merchants processing fewer than 50,000 American Express transactions annually • MasterCard: merchants processing over 20,000 MasterCard e-commerce transactions annually, and all merchants meeting the Level 3 criteria of a competing brand • Visa: merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Level 4 • American Express: N/A • MasterCard: all other MasterCard merchants • Visa: merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually
  • 23. Requirement 1 Install and maintain a firewall configuration to protect cardholder data • Firewall and Router hardening • Firewall rule review • Firewall rule justification
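The "firewall rule review" and "firewall rule justification" bullets above are usually done by reading a ruleset by hand. As an added example (not code from the deck), the following script automates the first pass over an iptables-save style dump: it flags a non-DROP default policy, ACCEPT rules that allow any source, rules that allow any service, and rules with no justification comment. The ruleset is constructed for the example; the convention of recording the change-request id in an `-m comment --comment` match is an assumption, not something the slides prescribe.

```python
import shlex

# Constructed iptables-save style ruleset for a host in the CDE (example input,
# not taken from any real system).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.1.0/24 -p tcp -m tcp --dport 443 -m comment --comment "CR-1042 web tier to payment API" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.9.7/32 -p tcp -m tcp --dport 3306 -m comment --comment "CR-1050 batch host to card DB" -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT
COMMIT
"""

ANY_SOURCE = {None, "0.0.0.0/0", "0/0", "anywhere"}


def parse_rule(line):
    """Pull the fields a reviewer cares about out of one '-A ...' line."""
    rule = {"chain": None, "iface": None, "src": None, "proto": None,
            "dport": None, "state": None, "comment": None, "target": None}
    flags = {"-A": "chain", "-i": "iface", "-s": "src", "--source": "src",
             "-p": "proto", "--dport": "dport", "--state": "state",
             "--comment": "comment", "-j": "target"}
    tokens = shlex.split(line)        # keeps the quoted --comment text together
    i = 0
    while i < len(tokens):
        key = flags.get(tokens[i])
        if key is not None and i + 1 < len(tokens):
            rule[key] = tokens[i + 1]
            i += 2
        else:
            i += 1                    # '-m tcp', '-m comment' etc. carry nothing we need
    return rule


def review_ruleset(text):
    """Map each problematic line to its list of issues.

    Checks: chain default policy must be DROP; every ACCEPT rule must name a
    source, a protocol and port, and carry a justification comment (assumed to
    be a change-request id). Loopback and stateful return-traffic rules are
    exempt from the source check.
    """
    findings = {}
    for line in text.splitlines():
        if line.startswith(":"):                       # chain policy line
            _chain, policy = line[1:].split()[:2]
            if policy != "DROP":
                findings[line] = ["default-policy-not-drop"]
            continue
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if r["target"] != "ACCEPT" or r["iface"] == "lo" or r["state"]:
            continue
        issues = []
        if r["src"] in ANY_SOURCE:
            issues.append("any-source")
        if r["proto"] in (None, "all") or (r["proto"] in ("tcp", "udp") and not r["dport"]):
            issues.append("any-service")
        if not r["comment"]:
            issues.append("no-justification")
        if issues:
            findings[line] = issues
    return findings


if __name__ == "__main__":
    for rule, issues in review_ruleset(SAMPLE_RULES).items():
        print(", ".join(issues).ljust(45), rule)
```

Run against a real dump (`iptables-save > rules.txt`) the output is a worklist for the semi-annual rule review: every flagged line either gets a narrower source, a port, and a documented business reason, or is removed. The script checks syntax, not intent; a rule that is narrow and commented can still be wrong, so the review is still a human task.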
  • 24. Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters • Removal of defaults– settings, credentials • Hardening • Encrypted non-console access
  • 25. Requirement 3 Protect stored cardholder data • Storage of cardholder data • Not storing sensitive authentication data (SAD) after authorization • Security of data in storage • Masking of PAN when displayed
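Two of the Requirement 3 bullets, masking the PAN and never storing sensitive authentication data, come down to a handful of functions that belong in every payment codebase. The block below is an added example, not code from the deck: a Luhn check, a mask/truncate function showing the first six and last four digits (the maximum PCI DSS allows to be displayed), a scanner that finds Luhn-valid PANs in log text, a redactor for log lines, and a scrub step that drops SAD fields from a record before it is persisted. The log lines and the record are constructed; the card numbers are the public Visa and MasterCard test numbers, and the SAD field names are an assumption for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to neighbouring digits, dates (2024-03-01) or expiry fields (12/26).
PAN_RE = re.compile(r"(?<![\d/-])(?:\d[ -]?){12,18}\d(?![\d/-])")

# Sensitive authentication data must never be stored after authorization, not
# even encrypted. Field names here are assumptions for the example.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits):
    """Luhn (mod 10) check: filters out most order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display/truncation form: first six and last four, the PCI DSS maximum."""
    digits = re.sub(r"[ -]", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return the Luhn-valid PANs (digits only) found in a line of text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def redact_line(line):
    """Rewrite a log line so that any PAN in it appears masked."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(_sub, line)


def scrub_for_storage(record):
    """Drop SAD fields and keep only a truncated PAN before a record is persisted."""
    clean = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean


# Constructed sample log lines; the card numbers are the public Visa and
# MasterCard test numbers, not real accounts.
LOG_LINES = [
    "2024-03-01 10:15:02 INFO checkout ok order=1234567890123456 amount=42.50",
    "2024-03-01 10:15:03 DEBUG auth request pan=4111111111111111 exp=12/26 cvv=123",
    "2024-03-01 10:15:04 DEBUG retry pan=5555 5555 5555 4444 result=approved",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(f"{len(find_pans(line))} PAN(s): {redact_line(line)}")
    print(scrub_for_storage({"pan": "4111111111111111", "cvv": "123", "exp": "12/26"}))
```

The 16-digit order number in the first line is not flagged because it fails the Luhn check, which is what keeps a scanner like this usable on real logs. Note that the second line still carries the CVV after redaction: a PAN redactor is a safety net for Requirement 3, not a substitute for never writing SAD to a log in the first place. If the full PAN must be stored for business reasons, truncation as shown here is only one of the allowed methods; the others (one-way hash, tokenization, strong cryptography with key management) are out of scope for this example.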
  • 26. Requirement 4 Encrypt transmission of cardholder data across open, public networks • Secure transmission – wired • Secure transmission – wireless • End user messaging
  • 27. Requirement 5 Protect all systems against malware and regularly update anti-virus software or programs • Anti-virus • Update and scan settings • Logs generated and stored
  • 28. Requirement 6 Develop and maintain secure systems and applications • Risk ranking • Patching • Change Control • Secure development • Web Application Firewall
  • 29. Requirement 7 Restrict access to cardholder data by business need to know • Access rights assigned on need to know basis • User creation and deletion process
  • 30. Requirement 8 Identify and authenticate access to system components • Unique user ID • User access review • 2-factor authentication for remote access
  • 31. Requirement 9 Restrict physical access to cardholder data • Physical access control • CCTV • Visitor policy • Physical security of media • Secure destruction of media • Protecting POS devices from tampering
  • 32. Requirement 10 Track and monitor all access to network resources and cardholder data • Enable logs • Time synchronization • FIM on logs • Log review • Retention period
  • 33. Requirement 11 Regularly test security systems and processes • Wireless scan • Internal VA • Internal PT • External VA • External PT • Application Testing • FIM
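File integrity monitoring appears twice above: "FIM on logs" under Requirement 10 and "FIM" under Requirement 11. The two uses need different checks. A configuration file or binary must hash identically to its baseline, while a log file is expected to grow, so the check there is that the bytes present at baseline time are still the first bytes of the file (new entries may be appended, existing entries may not be altered or removed). The block below is an added example, not code from the deck or from any FIM product: it builds a size-plus-SHA-256 baseline of a directory, then compares, treating the files named in `append_only` with the prefix rule. The directory contents and the tampering sequence in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def sha256_prefix(path, limit=None):
    """SHA-256 of the first `limit` bytes of a file (the whole file when None)."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size and hash of every file under root (keep the result off-host)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"size": os.path.getsize(full), "sha256": sha256_prefix(full)}
    return baseline


def check_integrity(root, baseline, append_only=()):
    """Compare the tree against the baseline.

    Files listed in append_only (logs) may grow, but the bytes that existed at
    baseline time must be unchanged; every other file must hash identically.
    """
    current = build_baseline(root)
    findings = {"added": [], "removed": [], "modified": [], "truncated_or_rewritten": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings["added"].append(rel)
        elif rel not in current:
            findings["removed"].append(rel)
        elif rel in append_only:
            old = baseline[rel]
            path = os.path.join(root, rel)
            if current[rel]["size"] < old["size"] or sha256_prefix(path, old["size"]) != old["sha256"]:
                findings["truncated_or_rewritten"].append(rel)
        elif current[rel]["sha256"] != baseline[rel]["sha256"]:
            findings["modified"].append(rel)
    return findings


def demo():
    """Constructed scenario: a legitimate log append, a config edit, a new
    binary, a deleted key, and finally a rewritten log. Returns both results."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode="wb"):
            with open(os.path.join(root, rel), mode) as f:
                f.write(data)

        write("app.conf", b"db=pci\n")
        write("payments.log", b"10:15:02 auth ok\n")
        write("old.key", b"secret")
        baseline = build_baseline(root)

        write("payments.log", b"10:15:03 auth ok\n", "ab")   # normal log growth
        write("app.conf", b"db=pci\ndebug=true\n")           # unauthorised change
        write("new.so", b"\x7fELF")                           # unexpected new file
        os.remove(os.path.join(root, "old.key"))              # deleted file
        after_changes = check_integrity(root, baseline, append_only={"payments.log"})

        write("payments.log", b"10:15:03 auth ok\n")          # first entry wiped, same size
        after_log_rewrite = check_integrity(root, baseline, append_only={"payments.log"})
        return after_changes, after_log_rewrite


if __name__ == "__main__":
    changes, rewrite = demo()
    print("after changes:", changes)
    print("after log rewrite:", rewrite)
```

The last step of `demo()` is the case a size-only check misses: the rewritten log is exactly as long as the baseline, and only the prefix hash reveals that the first entry was replaced. In production the baseline and the comparison results have to live somewhere the monitored host cannot write, and the comparison must raise an alert rather than just return a dictionary; otherwise an attacker who can edit the log can also edit the baseline.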
  • 34. Requirement 12 Maintain a policy that addresses information security for all personnel • Information Security Policy • Risk assessment • Awareness training • Background verification
  • 35. References • PCI DSS Requirements and Security Assessment Procedures, version 2.0 • PCI DSS Requirements and Security Assessment Procedures, version 3.0 • PCI DSS Quick Reference Guide
