What Everybody Ought to Know About PCI DSS and PA-DSS

Navigating PCI Compliance: A Risk Avoidance Strategy Google Hangout Session July 23, 2014

Upload: concise-courses-usa

Post on 25-Jan-2015


DESCRIPTION

What Everybody Ought to Know About PCI DSS and PA-DSS. Learn how to comply with the training requirements of PCI DSS, protect cardholder data, avoid social engineering and malicious downloads, and keep software and anti-virus programs up to date.

TRANSCRIPT

Page 1: What Everybody Ought to Know About PCI DSS and PA-DSS

Navigating PCI Compliance: A Risk Avoidance Strategy

Google Hangout Session

July 23, 2014

Page 2: What Everybody Ought to Know About PCI DSS and PA-DSS

This Is Where it All Began

December 15, 2004: PCI DSS V1.0 is launched

Page 3: What Everybody Ought to Know About PCI DSS and PA-DSS

Payment Credit Card Security Standards

Who is the PCI Security Standards Council?

• The PCI Security Standards Council is an open global forum responsible for the development, management, education, and awareness of the PCI Security Standards

• It works closely with the five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

• The PCI Council officially launched in 2006

• The current Data Security Standard is V3.0, published in November 2013

• The Council has established the Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA-DSS), and the PIN Transaction Security (PTS) requirements.

Page 4: What Everybody Ought to Know About PCI DSS and PA-DSS

What is PCI DSS and PA-DSS?

• PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents.

• This applies to any organization with a Merchant ID (MID)

• PCI DSS V3.0 requirements must be completed by December 31st

• The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the PCI Council to provide the definitive data security standard for software vendors that develop payment applications (i.e. POS applications or e-commerce websites)

Page 5: What Everybody Ought to Know About PCI DSS and PA-DSS

How Does This Affect My Business?

Managing the Requirements:

• Companies that accept, process, transmit, or store payment credit cardholder data must adhere to PCI Compliance requirements

• Having an SSL certificate for your website is not enough, as this does not prevent malicious attacks or intrusions from occurring

• If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required

Positive Impact and Benefits:

• Compliance with the PCI DSS means that your systems are secure, and you earn customers’ trust in managing their personal information, resulting in future business potential

• Helps you to be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.

• Establishes a baseline corporate security strategy

• Assists in identification of methods to improve the efficiency of your IT infrastructure

Page 6: What Everybody Ought to Know About PCI DSS and PA-DSS

What Happens if I don’t Comply?

• Payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations

• Banks will also most likely either terminate your relationship or increase transaction fees if your organization is not PCI compliant

• Potential for lost revenues, customer transitions, and an overall negative image in the marketplace could negatively impact future earnings potential

• Liability for lawsuits, insurance claims, cancelled accounts, and payment card issuer fines, along with government fines

Page 7: What Everybody Ought to Know About PCI DSS and PA-DSS

Security Training Requirements for PCI DSS V3.0

Page 8: What Everybody Ought to Know About PCI DSS and PA-DSS

Current State of Data Security

• Breaches make headlines

• Businesses at risk regardless of size

• The enemy is getting smarter

• Companies must:

  • Understand the threats

  • Take steps to protect themselves and their customers.

Page 9: What Everybody Ought to Know About PCI DSS and PA-DSS

Need for Training

• Industry demand has never been higher

• The weakest link: the human

  • Social engineering

  • Lost/compromised login credentials

  • Careless behavior accounts for most incidents

Page 10: What Everybody Ought to Know About PCI DSS and PA-DSS

Reduce the Risk – Don’t Store Data

• Don’t store any payment card data

• The less you have, the smaller a target you’ll be

• Know what your vendors are storing.
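"Know what you are storing" is only actionable if you can find card numbers that have leaked into logs, exports or backups. The script below is an added example, not part of the session or of any PCI SSC material: it scans constructed sample log lines for card-number-shaped digit runs, keeps only those that pass the Luhn check, and reports them masked to the first six and last four digits (the maximum PCI DSS allows to be displayed). The sample card numbers are well-known public test numbers, not real cardholder data.

```python
import re
from typing import List, Tuple

# Constructed sample data, as it might appear in an application log or an
# exported file. The card numbers are public test numbers, not real PANs.
SAMPLE_LINES = [
    "2014-07-23 10:01:02 order=1001 pan=4111111111111111 exp=12/16 amount=19.99",
    "2014-07-23 10:02:15 order=1002 pan=5500 0000 0000 0004 amount=5.00",
    "2014-07-23 10:03:40 order=1003 ref=1234567890123456 amount=7.50",  # 16 digits, fails Luhn
    "2014-07-23 10:04:01 order=1004 pan=411111******1111 amount=3.00",  # already masked
    "2014-07-23 10:05:22 order=1005 phone=+1-555-0100 amount=42.00",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: doubling every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card-number candidates in one line, digits only."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Discovery mode: (1-based line number, masked PAN) for every hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


def redact_line(line: str) -> str:
    """Remediation mode: rewrite a line with every Luhn-valid PAN masked in place."""
    def repl(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_RE.sub(repl, line)


if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: possible stored PAN {masked}")
```

Run against real files the scanner will produce false positives (any Luhn-valid digit run of the right length, such as some account or invoice numbers), so every hit needs a human look before a system is declared in or out of scope; false negatives are also possible for numbers split across lines or stored encoded. A line that only holds an already-masked PAN, like the fourth sample, produces no hit, which is the state you want your logs in.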

Page 11: What Everybody Ought to Know About PCI DSS and PA-DSS

Reducing Risk – 3rd Party Data Security

• Use PCI-validated point-of-sale systems

• Confirm that your vendors follow the PCI DSS and the PA-DSS

• Talk to your bank about reviewing your technology and data storage practices

Page 12: What Everybody Ought to Know About PCI DSS and PA-DSS

Reducing Risk – Strong Passwords

• Changing default passwords could have helped avoid the majority of compromises.

• Nearly 80% of breaches of confidential consumer information involved compromised passwords.

Page 13: What Everybody Ought to Know About PCI DSS and PA-DSS

Reducing Risk – Updating Software

• Hackers take advantage of software bugs

• Product vendors deal with this by releasing software updates and patches

• Use automated alert services

Page 14: What Everybody Ought to Know About PCI DSS and PA-DSS

Become Part of the Solution

1. Understand PCI Compliance and Requirements

2. Ongoing Education and Awareness

3. Take Steps to Safeguard your Business

4. Get Involved

5. Have a Plan