PCI-DSS DON’T FALL IN ...

PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013


DESCRIPTION

Short and high level presentation for the Ecommerce group of external devs & business owners. Customer facing - public information. Nothing sensitive.


Page 1: PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecommerce group - June 2013

PCI-DSS

DON’T FALL IN ...

Page 2

Agenda

• Intro

• Buzzwords

• PCI – What is it?

• PCI – Do’s and Don'ts

• How to eat an Elephant

• Divide & Conquer

• Questions & Answers

Page 3

Intro … who is this clown?

• Realex Payments … Platform Operations Security Lead

• Certified … CISA. CISM. SSCP. CISSP.

• Former Chair of the Irish Information Security Forum

• Current Item Writer for ISC2

• Responsible for PCI Compliance in Realex Payments

Page 4

Buzzwords

• Member organisations – Card Schemes are made up of member organisations who can be Acquirers, Issuers, or both

• Merchant – Merchants are entities that “accept” Card transactions. Levels 1 – 4, with varying requirements for validation (by volume)

• Acquirer – Acquiring Bank - handles Merchant lines of credit

• Issuer – Issuing Bank – offers cards to Cardholder

• Cardholder – Consumers. Customers … Punters

• Service Provider – Entities that service the processing, storing, transport of card information on behalf of Merchants, Acquirers, or Issuers

Page 5

Merchant Levels … 1 to 4

Level | Criteria | Validation
1 | Process more than 6 Million txns | ROC – Report on Compliance; QSA – Qualified Security Assessor; ASV – Approved Scanning Vendor; Attestation of Compliance
2 | Process 1 to 6 Million txns | SAQ – Self Assessment Questionnaire; ASV – Approved Scanning Vendor; Attestation of Compliance
3 | Process 20,000 to 1 Million txns | SAQ; ASV (if applicable); Attestation of Compliance
4 | All other merchants | SAQ – recommended; ASV (if applicable)

Validation requirements typically set by Acquirer

Page 6

PCI … What is it?

• PCI DSS - Payment Card Industry Data Security Standard

• Published by the PCI Security Standards Council (PCI-SSC)

• PCI-SSC = Visa, MasterCard, Discover, American Express, JCB

• Baseline Information Security Standard that applies to ANY business that “accept, capture, store, transmit, or process Credit or Debit card data” – No exceptions.

• Information Security BASELINE. PCI is a floor. Not a ceiling.

Page 7

PCI … Do’s

• Visit the PCI-SSC website (www.pcisecuritystandards.org)

• Read the FAQ (Frequently Asked Questions) Knowledge Base

• SAQ – Self Assessment Questionnaire (pick the one that matches how you take payments)

  • A – Mail Order Telephone Order Merchants

  • B – Imprint Only Merchants

  • C-VT – Virtual Terminals

  • C – Merchants with Internet Payment Applications

  • D – All other merchant types

Page 8

PCI … Do’s … Prioritised Approach

• Have a clear, accurate and relevant Network Diagram.

• Inventory … cover your assets

• Data … where does it come from, and where does it go?

The Holy Trinity

• Policy Document

• Prioritised Approach Document

• Self Assessment Questionnaire

Page 9

PCI … Don’ts

• Don’t PANIC - Don’t fall for the FUD. Don’t fall in The Hole.

• Don’t boil the ocean – Scope and Segmentation are crucial

• Don’t forget that PCI applies to your organisation, not your chosen hardware or software products and tools

• Don’t think you can “buy” compliance with products

• Don’t confuse “Compliant” for “Secure”

• Don’t ignore PCI … it’s not going away

Page 10

How to eat an Elephant …

Page 11

PCI … 6 Objectives / Milestones

Page 12

PCI … Divide & Conquer

• 225 individual tests, checks & proof points

• 12 Requirements

• 6 Objectives

• Prioritised Approach Document is your pal

Page 13

Questions & Answers …

Page 14

For your further reading enjoyment …

www.pcisecuritystandards.org/

www.pcisecuritystandards.org/faq/

www.pcisecuritystandards.org/security_standards/getting_started.php

www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx

www.iisf.ie

Irish Information Security Forum LinkedIn group … members only, just tell them I sent you!