Littlewoods Visa Credit Card - PowerPoint

Introduction to PCI DSS

The essence of the problem…

Effective from 1st October 2009, all eCommerce merchants processing one million Visa transactions or fewer per year must use a compliant Service Provider for their payment processing, i.e. one that has certified its PCI DSS compliance to Visa for processing, storing and transmitting card and account data.

Companies who have suffered include:
TJ Maxx - loss of credit card data resulting in a very large fine and adverse press
RBS WorldPay - very large fine; had to reapply for PCI DSS certification
Large US retailer - HSBC conducting an audit on behalf of Visa
LexisNexis - up to 310,000 people affected by a security breach
Best Western Hotels - reported 8 million people affected, value of data lost ~£2.8 billion
Orange & Littlewoods - found in breach of the DPA for not keeping information secure

In essence, can you afford significant fines, application rework, business suspension, brand erosion or customer defection? These are the very real consequences.

The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed structure of 12 requirements for securing cardholder data that is stored, processed and/or transmitted by merchants and other organisations.

• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security for employees and contractors
Mitigation of Risk

The identification, assessment, treatment and management of risks is a core objective; a risk may never be fully mitigated and may instead be accepted by the business. If you take the opportunity to become PCI DSS compliant, a mandatory step for a credit card merchant, there are other obligations that the organisation must meet to maintain compliance with the law:

      The Data Protection Act 1998
      The Computer Misuse Act 1990
      The Electronic Communications Act 2000
      The Regulation of Investigatory Powers Act 2000

PCI DSS is not itself a law; it is an industry standard that forms part of your contractual agreement with your acquiring bank as a merchant. The Acts above are UK laws and are obligatory; PCI DSS builds on those legal obligations because of the sensitivity of the data.

Commercially, the consequence of failing to comply is stark. Fail a PCI DSS audit and you may face fines or suspension of your ability to process cards. Be found guilty of an offence under one of the above Acts and the penalties are criminal, up to and including imprisonment.

External Threats:

• Denial of Service attacks preventing your customers from using the service
• Organised crime targeting card data
• Scanning your infrastructure to determine weaknesses
• Unauthorised access to data and services
• Breaking into the network to steal credit card data or personal data
• Compromising your servers so they can be used to attack other companies
• Theft of digital certificates (and the private keys behind them)
• Malicious programs, including viruses, to disrupt or to steal company data
• Purposely changing website content or displaying inappropriate content (defacement)

Internal Threats:

• Disgruntled employees wishing to cause harm to the brand
• Internal theft of credit card data or financial fraud
• Application “back doors” to allow out-of-hours access to cardholder data
• Unauthorised access, modification or deletion of files

Unintentional Threats:

• Accidental modification of files and data
• Accidental changes that create significant vulnerabilities
• Accidental disclosure of confidential or cardholder data
How is a Security Policy built?

What? The building of a security policy is a business project, NOT an IT project.
Who? The policy affects everyone, NOT just IT.
Why? It is owned by the business at Board level.
How? No policy is built in isolation; the Information Security Policy defines the roles and responsibilities with regard to security.

The Information Security Policy drives a security-aware culture and appropriate controls, and must be aligned to the business goals and support the business objectives.

The policy is built from the following set of documents:

Corporate Policy - sets the security controls for the organisation, stipulates roles and responsibilities and the security strategy. This is a mandatory policy.

Architectures and Standards - drive what security should look like in the organisation, the components that make up the secure environment and the standards that must be met to maintain a good security posture. These too are mandatory and directly support the organisation's security policy.

Processes & Procedures - describe the steps to achieve good security and good security working practices, and directly support the organisation's security policy. These are also mandatory.

Security Technical Standards describe how specific components should be built and their detailed configuration. These are technical documents for system administrators; they should directly support the security policy and are mandatory. All of this is good management practice, but it also forms the basis of PCI DSS compliance and is a core requirement (Requirement 12 above asks for exactly such a policy). The security policies must be strategically aligned to show good corporate responsibility in the custodianship of data.
How does a Security Policy work?

The Security Policy is owned by a member of the Board. IT is responsible for delivering parts of the policy but does not own it; normally the IT Director is the custodian.

At a lower level, the development team should have access to the development systems BUT not the live systems:

• No single individual should have access to both the live and development environments; this breaches the separation of duties between development/test and production that PCI DSS requires, and DPA guidance on keeping data secure.
• A clear distinction should be made between who works in development and who works in operations. This is covered by HR policy, which is also derived from the Security Policy.

The development systems should not contain any live data (for example real cardholder data copied from production); the Security Policy for the server build and for data handling should prevent that.
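The control above (no live cardholder data in development) and the "Protect stored cardholder data" requirement are usually verified by scanning development databases, exports and logs for cleartext PANs. The following is an added example written for this page, not code from the original deck or from any of the companies it names: a Luhn-filtered PAN finder run over a constructed sample export. Everything in it (the PAN_CANDIDATE pattern, the function names and the SAMPLE_DEV_DUMP rows) is illustrative; the two numbers it flags are the publicly documented Visa and Mastercard test card numbers, not real cards.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or
# hyphens (as in "4111 1111 1111 1111"), and not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check used by every major card brand for the PAN check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display no more than the first six and last four digits, the masking
    PCI DSS expects wherever a PAN has to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return (line_number, masked_pan) for each Luhn-valid candidate in text.

    Luhn validity is necessary, not sufficient: roughly one in ten random
    13-19 digit numbers passes, so every hit still needs a human to triage it.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed sample export from a hypothetical development database. The two
# valid numbers are the publicly documented Visa and Mastercard test PANs, not
# real cards; the third fails the Luhn check and the fourth is a token.
SAMPLE_DEV_DUMP = """\
order_id,customer,card_number,note
1001,A. Smith,4111 1111 1111 1111,copied from live
1002,B. Jones,5555-5555-5555-4444,copied from live
1003,C. Brown,4111111111111112,mistyped during testing
1004,D. Green,tok_8f3a2c91,tokenised by the service provider
"""


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_DEV_DUMP):
        print(f"line {lineno}: possible live PAN {masked}")
```

Two caveats a reviewer should keep in mind. The pattern only recognises a card number that stands alone, so a PAN written directly against other digits (for example immediately followed by a CVV in the same digit run) is missed; and because Luhn passes about one in ten random numbers, order references and phone numbers of the right length will occasionally appear as hits and must be triaged rather than reported as findings. Production scanning also has to cover backups, log files and binaries, not just tabular exports.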