Visa Europe Confidential PCI DSS Protecting your business Lara Fiorani, Visa Europe Basel 25 April, 2006


Page 1: Visa Europe Confidential PCI DSS Protecting your business Lara Fiorani, Visa Europe Basel 25 April, 2006

Visa Europe Confidential

PCI DSS: Protecting your business

Lara Fiorani, Visa Europe

Basel

25 April, 2006

Page 2

Presentation Identifier.2 Information Classification as Needed Visa Europe Basel 25 April 2006

Agenda

Account Information Security Programme and the Payment Card Industry (PCI) Data Security Standards

PCI DSS - Protecting your business

Plans for 2006

Page 3

Account Information Security Programme

-The Payment Card Industry Data Security Standards (PCI DSS) were developed jointly by Visa and MasterCard and are endorsed by Amex, JCB, Discover and Diners

• Work is under way to promote the establishment of PCICo, an independent industry body that will act as custodian of the PCI DSS

Visa promotes the implementation of the PCI DSS through its Account Information Security Programme (AIS)

AIS is part of a wider Visa strategy to make the card industry more secure

Page 4

Account Information Security (AIS) alongside other Visa security products

• POS environment: Chip & PIN

• Online e-commerce: Verified by Visa

• Back office systems: AIS

Page 5

Why do we need PCI DSS?

40M credit cards hacked

Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.

June 20, 2005: 5:04 PM EDT Jeanne Sahadi, CNN/Money senior writer

Page 6

Why do we need PCI DSS?

From The Times, Saturday April 15 2006:

The Times contacted 14 customers whose details had been passed to it by a US company that monitors […] chat rooms. They were astonished when a reporter read out their credit card numbers.

The names had been taken from unidentified British servers. By ringing the individuals on each list and checking which purchases they had made on the day the details were stolen, The Times was led to two reputable companies — one a supplier of travel goods based in Amesbury, Wiltshire, with a database of more than 20,000 customers, the other a computer sales company in Sheffield. Neither company was aware that its systems had been targeted.

[Jonathan Richards, ‘Revealed: how credit cards are plundered on the net’, The Times, Saturday April 15 2006]

Page 7

Key role beyond facilitator of payments?

External pressure on Visa to protect personal financial information

Q28: Aside from Visa being a facilitator of purchases or a processor of transactions, when you think of Visa and the role you expect it to play in society, which one of the following best describes your expectations of what Visa should be – educator on financial issues, protector of personal financial information, contributor to economic growth, or something else? If you have a different expectation for Visa, please let me know. Base: Total Respondents, n=2044

[Bar chart, horizontal axis 0% to 60%; bar values as extracted: 35, 33, 17, 8, 1, 4]

Top mentions:

• Protector of personal financial information

• Contributor to economic growth

• Educator on financial issues

• Something else

• Other

• Don’t know

Page 8

In addition: Data Security is a major concern for customers worldwide

[Bar chart, horizontal axis 0% to 100%, Top 3 Box (rated 8-10); bar values as extracted: 64, 62, 58, 57, 56, 55, 49, 48]

Concerns rated:

• Natural disasters (drought, earthquakes, floods, fires, hurricanes)

• *Loss of trust in governments/businesses/institutions

• Spread of disease, or health epidemics

• Having a credit card, debit card, or some type of payment card lost or stolen

• Losing your primary source of income (such as your job)

• Terrorism in the world or in your country

• Protecting the environment

• Having your personal or financial info lost or stolen

Base: All respondents, except (*) not asked in China

Page 9

Recent Visa Europe experience

-Remarkable increase in compromises in Europe, regardless of acceptance channels

• Full track two data being targeted

-Processors and IPSPs remotely targeted

-Increase in compromises at non e-commerce Merchants

-E-commerce still a target

• Fraud migrating to card not present sector because of increased security in face to face (EMV chip)

Page 10

Benefits of compliance with PCI DSS

Ensures protection of the brands and reputation of all parties

• Visa

• Acquiring banks

• Merchants

• Service providers

Helps gain and maintain consumer confidence in payment systems

• Secures customers

• Makes them come back

Page 11

Compliance with PCI DSS - Systems Benefits

• More aware of how your business works

• Provides you with greater awareness of security measures and preventative options available

• Helps you identify and address weaknesses in your security systems

Page 12

Compliance with PCI DSS - Financial Benefits

Financial

-Avoid cost of reaction to cybercrime

• suspension from trading

• consultancy fees

• police involvement

• law suits

-Avoid cost of fraud

-Protects you from card schemes’ post-compromise penalties

Page 13

Compliance with PCI DSS - Reputational Benefits

Reputation

• Brand damage alone may put a company out of business!

• No compromises – no unwanted media attention

Page 14

If an organisation is certified compliant with PCI DSS…

-A compromise is less likely to happen.

-If it happens it may be:

• Smaller – reduced fraud cost

• Easier and cheaper to contain

• Less investment needed to bring the organisation into compliance

• Faster to bring the organisation into compliance

-If the forensics investigation confirms that the organisation was still PCI compliant at the time of compromise:

• Visa will not levy compromise fees

Page 15

Sensitive Information

• Card number

• Expiry date

• Full Track 2 (for face to face transactions)

• CVV2 (for Card not Present transactions)

Track 2 and CVV2 should never be stored after authorisation

-NOT storing any of the above removes the need for PCI DSS validation

-If the information is stored, it has to be stored securely (encrypted)
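The retention rules on this slide, as an added Python example (this is not code from the Visa Europe deck or from any PCI programme): a post-authorisation record is stripped of Track 2 and CVV2 before it is kept, the card number is reduced to a masked form, and a second routine scans retained log lines for Track 2 data that should not be there. The card number 4111111111111111, the Track 2 string, the record fields and the log lines are constructed test data; masking to the first six and last four digits is this example's assumption, since the slide itself says only that stored data must be encrypted.

```python
"""
Post-authorisation handling of the sensitive data elements named on the slide:
card number, expiry date, full Track 2 and CVV2.

Rule applied: Track 2 and CVV2 are never stored after authorisation; if the
card number is kept it is protected (shown here as masking, an assumption of
this example).
"""
import re

# Track 2 as read from the magnetic stripe: start sentinel ';', PAN,
# field separator '=', expiry YYMM, service code, discretionary data, end '?'.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d*)\?")

# Constructed sample data for the example (test card number, not a real account).
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "track2": ";4111111111111111=25121010000000000000?",
    "cvv2": "123",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

# Constructed log lines: the first retains Track 2 with a Luhn-valid PAN,
# the second has a Track-2-shaped field whose digits fail the Luhn check,
# the third carries no card data at all.
SAMPLE_LOG = [
    "2006-04-25 10:01:02 auth ok swipe=;4111111111111111=25121010000000000000? amt=19.99",
    "2006-04-25 10:01:05 auth ok swipe=;4111111111111112=25121010000000000000? amt=5.00",
    "2006-04-25 10:02:00 settlement batch 17 complete",
]


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that card numbers satisfy; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    if len(pan) < 12 or not pan.isdigit():
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitise_for_storage(record: dict) -> dict:
    """Return a copy of an authorisation record that is safe to retain."""
    out = dict(record)
    # Never retained after authorisation, whatever else is kept.
    out.pop("track2", None)
    out.pop("cvv2", None)
    if "pan" in out:
        out["pan"] = mask_pan(out["pan"])
    return out


def find_track2_leaks(lines):
    """Report lines that still carry Track 2 data with a Luhn-valid PAN.

    Meant for scanning logs or database dumps a merchant retains after
    authorisation. Returns (line_number, masked_pan) tuples so the report
    itself does not reproduce the full card number.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if luhn_valid(pan):
                hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    print(sanitise_for_storage(SAMPLE_RECORD))
    for line_no, masked in find_track2_leaks(SAMPLE_LOG):
        print(f"line {line_no}: Track 2 data retained for PAN {masked}")
```

The Luhn filter in `find_track2_leaks` is a design choice to cut false positives on random digit runs; a stricter deployment would flag any Track-2-shaped field regardless and review the matches by hand.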

Page 16

Compliance Validation Requirements - Merchants

Level 1 – Merchants with 6,000,000+ transactions a year, all acceptance channels

• Mandated: annual onsite audit and quarterly network scan

• The audit can be done by a qualified auditor or by the Merchant’s internal audit team, but has to assess compliance with the PCI Standards

Level 2 & 3 – E-commerce Merchants with 20,000 to 6,000,000 transactions a year

• Mandated: annual PCI Self-assessment questionnaire and quarterly network scan

Level 4 – all other Merchants

• Recommended: annual PCI Self-assessment questionnaire and annual network scan

Page 17

Merchants – next steps for 2006

ALL Merchants should be compliant with PCI DSS already

• Regardless of Merchant size

• Data security should be ongoing work

-The difference is only in the type of validation required

-Validation may be recommended for some categories, but compliance is mandated to be part of the Visa system

-All Merchants should make provisions to ensure that any third party they contract with is compliant

Page 18

Visa – Recent and next steps

-Finished re-accreditation of Qualified Security Assessors

-Producing more awareness raising and support materials

-AIS as contractual requirement for all new merchant agreements

-New set of penalties for Acquirers with non-compliant Merchants

• If a Merchant commits to starting the work, they will be allowed reasonable time to work towards compliance

-Lowering the Level 1 threshold to include more non e-commerce Merchants

Page 19

Conclusion

We are flexible and want to help you get started

PCI DSS adds value to your brand and consumers

PCI DSS protects your revenues

Based on ISO/BSS, tailoring these standards to the cards industry

Page 20

Where to find information on PCI DSS

Visa OnLine

• https://www.eu.visaonline.com/eu_ais/

Visa Europe website

• www.visaeurope.com/acceptingvisa/datasecurity.html

Email: [email protected]

AIS Programme Manager: Lara Fiorani

• Tel: +44 207 795 5668

• Email: [email protected]

Page 21

Visa Europe Confidential

Thank you