PCI DSS: Why it matters


Upload: internet-security-auditors

Post on 06-Dec-2014


DESCRIPTION

Presentation by Steve Wilson of VISA on the brand's view of why a company should consider implementing PCI DSS and the benefits that implementation brings.

TRANSCRIPT

Page 1: PCI DSS: Why it matters

For Visa Internal Use Only. This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities.

PCI DSS – Why it matters

Steve Wilson, Head of Information Security Compliance, Visa Europe

Madrid, 7 November 2007

Page 2: PCI DSS: Why it matters


What is PCI DSS?

• ‘Common sense’ approach to data security
• Closely linked to other standards
  • BS 7799
  • ISO 27001
  • Sarbanes-Oxley etc
• Focussed on card data
• Owned and managed by PCI SSC (independent of the card schemes)
• Any organisation can become a participant

Page 3: PCI DSS: Why it matters


Why is PCI DSS important?

Page 4: PCI DSS: Why it matters


A simple equation

Data = identity = money

Page 5: PCI DSS: Why it matters


A Visa card…

(Card front image: card number, expiry date)

Page 6: PCI DSS: Why it matters


A Visa card…(cont.)

(Card back image: CVV2)

The card account number, plus a three-digit Card Verification Value 2 (CVV2), is indent-printed on the signature panel

Magnetic Stripe made up of “Track 1” and “Track 2” data

Track data and CVV2 should never be stored after authorisation

Page 7: PCI DSS: Why it matters


Card data is retained by companies for 3 weeks or longer after authorisation

Reasons given include:
– Marketing purposes
– As a unique customer identifier
– Fraud analysis
– Customer profiling

Page 8: PCI DSS: Why it matters


Data security and your brand

- How much would your brand be worth if you lose your consumers’ trust?

- Would your consumers stay with you?

- Would your shareholders stay with you?

Page 9: PCI DSS: Why it matters


Your brand needs security!

- Compromises do happen every day, everywhere

- In the consumer’s view, consumers, card schemes and merchants share responsibility for protecting their card data

Yet… 63% of consumers view merchants as the weakest link when it comes to protecting their data…¹

¹Source: Javelin Strategy and Research 2007

Page 10: PCI DSS: Why it matters


Merchants as the weakest link

Page 11: PCI DSS: Why it matters


Consumer confidence seriously impacted by a data breach

In the case of a breach…

49% of consumers believe merchants to be the most likely source of the data breach

3 out of 4 consumers won’t shop again at a compromised merchant

Investing in PCI DSS should be part of your consumer retention plans

Page 12: PCI DSS: Why it matters


Media and regulators are watching us…

- National and European governments are showing increasing interest in the area of account information security

  • The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise) – already adopted in California, Minnesota and Texas

- Media increasingly questioning industry compliance and progress…

Page 13: PCI DSS: Why it matters


Security and your corporate social responsibility strategy

84% of consumers want to shop at merchants who are security market leaders

A secure merchant secures consumers’ trust!

Can you retain your shareholders if you lose your customers?

Page 14: PCI DSS: Why it matters


Security/IT benefits

A socially responsible merchant is fully aware of how its systems work and what it is doing to protect the card data in its possession

PCI DSS makes you aware of issues:

- This enables you to fix them

- This works towards protecting consumers’ and shareholders’ trust in your brand

Page 15: PCI DSS: Why it matters


Financial benefits

- The sheer financial cost of a compromise may prove hard to bear

- Large retailers indicate that their business case for investing in PCI DSS is based on the potential financial cost of reacting to a data breach

Page 16: PCI DSS: Why it matters


Costing the reaction to a data breach

  Hiring security firms to contain the compromise
+ Replacing systems
+ Increased customer service costs
+ Actual costs of internal investigations
+ Outside legal defence fees
+ Discounted services offered
+ Lost employee productivity
+ Financial hit from lost customers
= € 10,000,000¹

¹Figure is based on the average cost of containing a compromise based on research by the Ponemon Institute

Page 17: PCI DSS: Why it matters


Some Tips from Large Merchants in Europe and US

• Sr. management sponsorship is mandatory
• Assign dedicated people
• PCI DSS is as much about people and business processes as it is systems
• Map and document your business processes
  – Trace cardholder data from point of sale to billing and settlement
  – Map systems, applications and databases that support these processes
  – Re-engineer processes to remove duplicate or unnecessary data
• Reduce the scope as much as possible
  – Segment cardholder data network from rest of network
  – If you don’t need it, don’t store it!
• Engage a QSA early on in the project

Page 18: PCI DSS: Why it matters


Considerations

- We need to reduce our information footprint

- We need to rethink ways of achieving the same marketing and fraud objectives without storing data unnecessarily

- We need to prioritise the removal of magstripe and card verification data
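One way for a merchant to act on page 6 (track data and CVV2 must never be stored after authorisation) and on the last consideration above (prioritise removing magstripe and card verification data) is to scan its own logs and exports for those elements. The check below is an added example, not material from the presentation or from Visa; it assumes the ISO/IEC 7813 Track 2 layout, uses a constructed sample log, and its regular expressions and field names are illustrative.

```python
import re

# Constructed sample of a post-authorisation application log (not from the
# presentation). Lines 1 and 2 retain data that must never be stored after
# authorisation; line 3 is an order reference; line 4 keeps only a masked PAN.
SAMPLE_LOG = """\
2007-11-07 10:01:12 auth ok txn=1001 pan=4111111111111111 exp=0910 cvv2=123
2007-11-07 10:01:13 debug raw_track2=;4111111111111111=09101011234567890?
2007-11-07 10:02:40 order 1003 amount=19.99 ref=12345678901234
2007-11-07 10:03:05 auth ok txn=1004 pan=411111******1111 exp=0811
"""

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM service-code discretionary-data?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV2_RE = re.compile(r"\bcvv2?\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Report only the first six and last four digits of a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (kind, masked_value) for each prohibited element found in a line."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
    rest = TRACK2_RE.sub(" ", line)  # do not re-report track data as a bare PAN
    for m in CVV2_RE.finditer(rest):
        findings.append(("cvv2", "***"))
    for m in PAN_RE.finditer(rest):
        if luhn_ok(m.group(1)):
            findings.append(("pan", mask_pan(m.group(1))))
    return findings

def scan_log(text: str) -> list:
    """Return (line_number, kind, masked_value) for every finding in the log."""
    return [(n, kind, value)
            for n, line in enumerate(text.splitlines(), start=1)
            for kind, value in scan_line(line)]
```

The report never echoes a full PAN or CVV2, so the scan output itself does not become another copy of the data being removed.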

Page 19: PCI DSS: Why it matters


Support from Visa Europe

Collateral available from Visa Europe website

http://www.visaeurope.com/aboutvisa/security/ais/main.jsp

• Merchant implementation guides
• Service Provider guides
• Available in English, French, Spanish, German, Italian
• List of certified Service Providers
• Work with Acquiring banks to provide
  • Merchant training
  • Guidance on specific issues

Page 20: PCI DSS: Why it matters


Thank you