Credit Card Security

National Association of State Treasurers
December 4, 2007
Seana Pitt, Global Merchant Policy & Data Quality

Global Network Operations
Global Merchant Network Group

Agenda

• Why Data Security is important to you
• PCI Security Standards Council – Industry Alignment
• Beginning the journey to PCI DSS Compliance
• Incident Response

Source: © 2006 American Express Travel Related Services Company, Inc. All rights reserved. This is confidential, proprietary and trade secret information of American Express Travel Related Services Company, Inc.

Do you want to see your name make these headlines?

• BJ’s Wholesale Club Settles FTC Charges
• TransUnion LLC employee laptop stolen, containing more than 3,000 consumers’ SSNs
• TJX – 40MM Accounts Exposed
• Data on 26.5 million veterans stolen from home


Risk Associated with a Data Compromise

Public Relations – risk of negative media exposure due to…
• Perception that you have not properly protected or secured data shared with third parties
• Belief that you are sharing too much or unnecessary data with third parties
• Perception that you are behind the competition or below industry standards in providing policies and tools to secure customer data

Financial – your potential cost related to a compromise…
• Cost of fraud, lost goods or services, interrupted sales
• Loss of repeat customers
• Adverse impact on company share price
• Monetary damages arising from litigation

Regulatory/Compliance – legal ramifications if there was a security breach…
• Cardmembers, individually and as class-action members, may seek damages incurred from theft, fraud, or other misuse of the Cardmember’s data
• Might lead to governmental sanctions


Why does Data Security matter for all of us?
The importance of keeping customer data safe and secure is vital to consumers, merchants and the entire payment industry. We all have a shared interest in protecting our mutual customers and overall business.

Merchant
– Customer Confidence
– Negative Brand Perception

Payment Industry
– Consumer/Merchant Confidence

Consumer
– Erosion of Confidence
– Fear of Shopping Online
– Identity Theft

Shared Interests
1. Public Relations
2. Financial
3. Regulatory/Compliance


PCI Security Standards Council

The PCI Security Standards Council

An open global forum, launched in September 2006, for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.


Payment Card Industry (PCI) Data Security Standard

Previously, Visa, MasterCard, American Express and Discover each had their own variation of data security standards and policies, with different compliance requirements, which caused confusion among merchants. To alleviate the confusion, they joined together to form a single approach to establishing standards that safeguard customer information. This is known as the Payment Card Industry (PCI) Data Security Standard.

The brand-specific programs that were aligned under it:
• American Express DSOP
• Discover Network DISC
• MasterCard Intl. SDP
• Visa CISP
All four now map to the single Payment Card Industry (PCI) Data Security Standard.


PCI Security Standards Council Objectives
• Issue new standards
• Enhance payment account security
• Create awareness and drive adoption
• Foster participation and gather feedback
• Manage the qualification and approval testing process for Approved Scanning Vendors (ASVs), Qualified Security Assessors (QSAs) and PIN Entry Device (PED) labs
• Maintain a current list of approved QSAs, ASVs and PED-certified devices


Get Involved – Join the PCI Security Standards Council

Become a Participating Organization and get your seat at the table, board representation and SIGs. Open to:
• Financial Institutions
• Merchants
• Gateways
• Processors
• Service Providers
• EFT Networks
• Associations
• Vendors


PCI SSC Participating Organization Privileges
• Vote and run for the Participating Organization Board of Advisors
• Comment on the DSS, SAQ, PED and other PCI SSC documentation prior to public release
• Attend Community Meetings
• Attend quarterly webinar meetings
• Recommend new initiatives and standards

Reserve Your Seat at the Table


Compliance: Card Brands and the Council
A comprehensive brand-specific data security compliance program will drive continued trust in that brand and reduce the risks associated with data compromises.

Card Brand Compliance
Policy that defines stakeholders’ contractual terms and obligations:
• Segmented by level
• Outlines compliance documentation and time frames
• Compliance fines and/or incentives to drive adoption

Incident Response
• A defined process to manage a data compromise, reducing financial, brand and legal risk


Compliance: Card Brands and the Council (continued)

PCI Security Standards Council
An open standards body that provides security standards for the payment card industry:
• Management of the PCI Data Security Standard
• Maintains the list of qualified PCI assessors (auditors and scanners)
• The PCI SSC is a standards body, not a compliance program; enforcing compliance rests with the acquirers and card brands
• Employing a single, uniform set of standards for all brands helps merchants focus on driving to a secure transaction environment


The PCI Data Security Standard

The PCI DSS version 1.1 is a set of comprehensive requirements for enhancing payment account data security.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer payment data.


Beginning the PCI DSS Compliance Journey


Your Mission: Six Goals, Twelve Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Commit this chart to memory: Data Storage Guidelines
[The data storage guidelines chart did not survive extraction; only its footnote remains.]

* Data elements must be protected when stored in conjunction with PAN


Getting Started

Establish your team
• Becoming PCI compliant is not just an IT project; it requires a cross-company effort
  – Finance, Business Planning, Risk, Operations, IT, Legal

Develop your internal “sales” pitch
• You will need to be able to articulate why this is important to all key stakeholders

Promote the concept that PCI compliance is not a one-time event
• Account security needs to become part of your company’s DNA


Get Organized

Pre-assessment – first big decision
• Internal review or bring in a QSA

Make sure you don’t reinvent the wheel; some of the work may already be done:
• Evaluate and align PCI with other compliance and regulatory requirements
• Look at internal audit and controls, and information security policy and procedure

Where is your payment data?
• Do you have complete and accurate network diagrams of all systems that house payment data?
• Do you need the payment data in all the places you found it?




Look For Quick Hits

Eliminate Sensitive Authentication Data from your environment
• Reduces risk immediately

Reduce the scope of the project
• Remove account payment data from systems that do not have a critical business function
• May yield some cost reduction benefit to help your business case

Segment your network – if possible, try to isolate your payment processing environment

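An added example, not code from the American Express deck or the PCI SSC, that turns the two questions above (where is the payment data, and is sensitive authentication data sitting next to it) into a check you can actually run before the pre-assessment. PCI DSS requirement 3 forbids storing sensitive authentication data (full magnetic stripe contents, the card verification code, PINs) after authorization, and requires the PAN to be rendered unreadable wherever it is stored, with at most the first six and last four digits displayed. The scanner below walks a directory tree, finds candidate PANs by length and Luhn check, flags track-2 data or a labelled verification code stored beside them, and reports each PAN already truncated so the report itself does not become one more place the data lives. All file names, file contents and account numbers are constructed sample data (4111 1111 1111 1111 and 378282246310005 are the widely published test numbers, not real accounts); the regular expressions are deliberately simple and will miss PANs split across lines or held in binary formats.

```python
"""Scan a directory tree for stored primary account numbers (PANs) and for
sensitive authentication data (SAD) kept beside them.

Added example for the PCI DSS discussion, not code from American Express
or the PCI SSC.  All sample file contents below are constructed.
"""
import os
import re
import tempfile

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (a 20-digit ticket number is not a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 layout from the magnetic stripe: ;PAN=YYMM...  (must never be stored)
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Card verification code stored as a labelled field (must never be stored)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test; filters most numeric noise that is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the full digit strings of Luhn-valid candidates found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """First six and last four digits only, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> dict:
    """Findings for one file: truncated PANs plus a flag if SAD sits beside them."""
    pans = [truncate_pan(p) for p in find_pans(text)]
    sad = bool(TRACK2_RE.search(text) or CVV_RE.search(text))
    return {"pans": pans, "sad": sad}


def scan_directory(root: str) -> dict:
    """Map relative path -> findings for every file that holds at least one PAN."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                result = scan_text(fh.read())
            if result["pans"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = result
    return findings


# Constructed sample tree: a POS log, an archived order export, a temp file
# holding raw track data, and a README with ordinary numbers for contrast.
SAMPLE_FILES = {
    "logs/app.log": "2007-12-04 10:15:02 order 1007 card=4111 1111 1111 1111 cvv2=123 approved\n",
    "archive/orders.csv": "order,pan,exp\n1007,378282246310005,2512\n1008,4111111111111112,2601\n",
    "pos/tmp/track.dat": ";4111111111111111=25121010000000000000?\n",
    "docs/README.txt": "Support: 1-800-555-0199, ticket 20071204000123456789\n",
}


def demo() -> dict:
    """Write the constructed tree to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, result in sorted(demo().items()):
        flag = "  <-- SAD stored, remove immediately" if result["sad"] else ""
        print(f"{path}: {', '.join(result['pans'])}{flag}")
```

Anything this turns up in logs, backups or exports outside the card-processing environment is a scope-reduction candidate under the quick hits above; anything flagged as SAD is a requirement 3 violation to remediate immediately, wherever it sits. Note that the 1008 row in the sample export is dropped by the Luhn check and the 20-digit ticket number never matches, which is the difference between a useful inventory and a wall of false positives.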

Establish Your Project Plan
The pre-assessment should have identified your PCI compliance gaps.

Project plans should focus on:
• Risk assessment and business impact of the gaps
• Closing first the gaps that will deliver the biggest risk improvement

Build it or buy it?
• Is there an opportunity to use external solutions?
• Choose your solution providers wisely


Ask Questions Along the Way
PCI SSC is here to help
• To date, over 1,100 questions have been submitted to the Technical Working Group (TWG) by QSAs, ASVs and merchants
• Responses developed by all five payment brands help “pave the way” for PCI DSS evolution
• Technical FAQ available on the PCI SSC website in 3Q 2007
• Questions about the standards or supporting documents: info@pcisecuritystandards.org


Share Your Experience & Best Practices
• Provide feedback on standards
• Attend PCI SSC community meetings
• Leverage your peers


Incident Response


Incident Response Management
A quick, thoughtful and consistent response process is critical to meet the needs of all stakeholders and protect our customers.

Team
• Data Compromise Database
• Loss Prevention
• Information Security
• Fraud
• GCO & Compliance
• Privacy
• Risk Mgmt

Area of Expertise
• Investigation & root cause analysis
• Protect enterprise assets
• System impact analysis
• Protect system
• Prevent fraudulent transactions
• Legal & regulatory implications
• Assess misuse / potential for misuse
• Determine customer legal notification
• Monitor accounts for ongoing fraud; card replacement if necessary

Event Notification
• Customers
• Media
• Regulators
• Credit Card Companies
• Law Enforcement


Incident Response Management

Initial Discovery During a Compromise
The flow runs from Initial Discovery to Factual Assessment to Communication Strategy.

Factual Assessment
• What data elements have been exposed?
  – Name, Address, Phone, E-mail
  – Social Security Number, Date of Birth, Driver’s License
  – Password/PIN
  – AXP Account Number, CID Code
  – Other Financial Institution Account Number
• How long has the information been exposed?
• Number of customers/records?

Communication Strategy – develop draft communications for:
• Media
• Customer Service
• Regulators
• Credit Card Companies


Thank You – Questions

Important Contact Info
• PCI Security Standards Council: www.pcisecuritystandards.org
• American Express: www.americanexpress.com/datasecurity
• Seana Pitt – ph 888-833-9540 / seana.pitt@aexp.com



						