compliance
play

COMPLIANCE Jon Bonham CISA, QSA Director, Enterprise Risk and - PowerPoint PPT Presentation

Oct 23, 2022 •227 likes •484 views

E-COMMERCE AND PCI COMPLIANCE Jon Bonham CISA, QSA Director, Enterprise Risk and Compliance AGENDA About The Speaker About Coalfire E-Commerce The Good - the benefits The Bad - what could go wrong The Ugly- how to truly

  1. E-COMMERCE AND PCI COMPLIANCE Jon Bonham CISA, QSA Director, Enterprise Risk and Compliance

  2. AGENDA • About The Speaker • About Coalfire • E-Commerce • The Good - the benefits • The Bad - what could go wrong • The Ugly- how to truly mess it up • Questions and Answers

  3. ABOUT THE SPEAKER • Jon Bonham – CISA, QSA • Director of ERC with Coalfire Systems • Has been working with Enterprise clients for eight years • Has worked with Enterprise customers from coast to coast

  4. ABOUT COALFIRE  QSA for the state of North Carolina  Agencies, Departments, Colleges and Universities are all set up on Coalfire’s Coalfire One platform for scans and SAQs.  Coalfire has a division set up just to handle state and local government as well as higher education and large diverse hospital systems.

  5. ABOUT COALFIRE  Coalfire is a leader in PCI, HIPAA, FERPA, FISMA, GLBA and Personal information auditing and assessments.  Has been around since before PCI was started. Was part of the Visa and MasterCard security programs prior to PCI.  Independent: Coalfire doesn’t provide managed services to their customers.  Coalfire is vendor agnostic so they don’t care who you use for any hardware, software, managed services or card processing. They work for their customers as a trusted partner and advisor.

  6. PRODUCTS, SERVICES OR FEES

  7. RISK AND REQUIREMENTS

  8. SAQ # of ASV Scan Penetration Test Description Validation Questions Required Required Type v3.0 v3.0 V3.0 Card-not-present merchants: All payment processing functions A 24 No No fully outsourced, no electronic cardholder data storage E-commerce merchants re-directing to a third-party website for A-EP 139 Yes Yes payment processing, no electronic cardholder data storage Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data B 41 No No storage Merchants with standalone, IP-connected payment terminals: No B-IP 83 Yes No e-commerce or electronic cardholder data storage Merchants with payment application systems connected to the C 139 Yes Yes Internet: No e-commerce or electronic cardholder data storage Merchants with web-based virtual payment terminals: No e- C-VT 73 No No commerce or electronic cardholder data storage All other SAQ-eligible merchants D-MER 326 Yes Yes SAQ-eligible service providers D-SP 347 Yes Yes Hardware payment terminals in a validated PCI P2PE solution P2PE 35 No No only: No e-commerce or electronic cardholder data storage

  9. NEW REQUIREMENTS IN SAQ - A If you do send people from your web site to a third party processor to process the credit cards then all credit card information should be typed into the processors web site. The web server that hosts your web page has been brought into scope with the latest PCI Data Security Standard (DSS) and all factory settings must be changed, All unnecessary default accounts removed or disabled before installing a system on the network. PCI-DSS Req 2.1a and 2.1b

  10. THE GOOD • 24 control questions to prove compliance • No scans required • No penetration testing required

  11. WHAT HAPPENS WHEN THE RULES CHANGE?

  12. WINGING IT

  13. THE BAD • It doesn’t mean the people are bad. They may just need better policies and procedures or better training. • Many are just trying to help. • Typing the information into the web site for the customer. • Setting up workstations for the customers to type it in themselves. • Directing customers to places to process online. • Employees aren’t well trained on credit card security.

  14. THE UGLY

  15. WHIZ KIDS

  16. PAYMENT FLOW

  17. PAYMENT APPLICATIONS 2006 PA-BP • Payment applications must be reviewed by QSA for vulnerabilities. 2008 PA-DSS • PA-DSS mandated

  18. DEVELOPING YOUR OWN CODE 6.4 Follow change control processes and procedures for all changes to system components. 6.5 Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines – including how sensitive data is handled in memory. 6.6 Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.

  19. SAQ # of ASV Scan Penetration Test Description Validation Questions Required Required Type v3.0 v3.0 V3.0 Card-not-present merchants: All payment processing functions A 24 No No fully outsourced, no electronic cardholder data storage E-commerce merchants re-directing to a third-party website for A-EP 139 Yes Yes payment processing, no electronic cardholder data storage Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data B 41 No No storage Merchants with standalone, IP-connected payment terminals: No B-IP 83 Yes No e-commerce or electronic cardholder data storage Merchants with payment application systems connected to the C 139 Yes Yes Internet: No e-commerce or electronic cardholder data storage Merchants with web-based virtual payment terminals: No e- C-VT 73 No No commerce or electronic cardholder data storage All other SAQ-eligible merchants D-MER 326 Yes Yes SAQ-eligible service providers D-SP 347 Yes Yes Hardware payment terminals in a validated PCI P2PE solution P2PE 35 No No only: No e-commerce or electronic cardholder data storage

  20. REQUIREMENT 12.8 Req. 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data as follows: Req. 12.8.1 Is a list of service providers maintained?

  21. REQUIREMENT 12.8 Req. 12.8.2 Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?

  22. REQUIREMENT 12.8 Req. 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement? Req. 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?

  23. YOU DON’T KNOW WHAT YOU DON’T KNOW Manage by walking around and asking questions. Find out what people are actually doing and not just what you think they are doing. Don’t get stung.

  24. QUESTIONS Jon Bonham CISA, QSA Jbonham@coalfire.com

  25. SQUARE OR SIMILAR DEVICES

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right Time ASQ Meeting, 14 August 2012, Santa Ana, CA Dr. Raymond W. Brullo, DPM Compliance Officer , FDA Los Angeles District Office, Irvine, CA Doctor

516 views • 40 slides
Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and

Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and

Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and compliance programs Common compliance issues know your risk areas! Guidance for drafting or updating your compliance plan Elements of

1.16k views • 50 slides
OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and Compliance Committee President Kimberly Fearney Associate Vice President & Chief Compliance Officer Liz Vitullo Executive Assistant Omar

127 views • 8 slides
Education Governance & Compliance Committee April 6, 2018 What is Compliance?

Education Governance & Compliance Committee April 6, 2018 What is Compliance?

Compliance in Higher Education Governance & Compliance Committee April 6, 2018 What is Compliance? Conformity in fulfilling official requirements * Certification or confirmation that the doer of an actionmeets the

506 views • 14 slides
COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS

COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS

COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS PREPARED FOR: RAND CENTER FOR CORPORATE ETHICS AND GOVERNANCE ADVISORY BOARD PANEL : DONNA BOEHME PRINCIPAL, COMPLIANCE STRATEGISTS LLC MICHAEL

526 views • 13 slides
Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate

Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate

Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate compliance programs are designed to prevent and detect violations of the law. Compliance programs make good business sense because they: reduce the

144 views • 12 slides
Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop

Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop

Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop Question 1 Q 1. When is the best time to carry out a daily vehicle check? [ a ] During a break [ b ] When the engine is running [ c ] Upon taking the

1.11k views • 69 slides
Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in Indonesia through the Labour Inspection System Nancy Leppink Chief Labour Administration/Labour Inspection/ Occupational Safety and Health

605 views • 28 slides
COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O

COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O

COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O M P L I A N C E U.S. Federal Sentencing Guidelines The compliance programs objective is to establish and promote standards that meet these seven

394 views • 4 slides
Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance

Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance

Bank Secrecy Act Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance Consultant with CliftonLarsonAllen LLP for more than six years Has provided regulatory compliance assistance, including

605 views • 41 slides
Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services

Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services

NCUL Compliance Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services Meet the Presenter As Compliance Manager, Jeremy Smith oversees compliance services for PolicyWorks' partner Credit Union

2.25k views • 157 slides
Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan One of the core requirements from the Compliance Resource Group (CRG) was that Compliance should develop a 3-5 year strategic plan to model the

793 views • 13 slides
Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP

Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP

Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP - Agents have access to the Aperia Client Management Portal Experience - Get your user credentials! - Support/Compliance Center/Help Desk/QSA

66 views • 6 slides
Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies

Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies

Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies procedures and standards of conduct) 2. Dedicated compliance specialist & committee 3. Conducting training and education 4. Developing open lines

154 views • 11 slides
Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND

Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND

CYPRUS FIDUCIARY ASSOCIATION Induction Course in Administrative Services Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND COMPLIANCE CONTENT The content of the Compliance session will include

594 views • 48 slides
Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James

Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James

Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James P.C . I F YOU THINK COMPLIANCE IS EXPENSIVE TRY NON - COMPLIANCE Former U.S. Deputy Attorney General Paul McNutty COMPLIANCE COMPLIANCE

528 views • 17 slides
E-Commerce enablers and suppliers survey main results overview Presentation Contents

E-Commerce enablers and suppliers survey main results overview Presentation Contents

July 2010 E-Commerce enablers and suppliers survey main results overview Presentation Contents Survey Background Participating entities Survey topics Future Vision Respondents recommendations Page 2 E-Commerce enablers

319 views • 21 slides
Revised Tax Audit Report Revised Tax Audit Report Form Nos. 3CA, 3CB, 3CD: Form Nos. 3CA, 3CB,

Revised Tax Audit Report Revised Tax Audit Report Form Nos. 3CA, 3CB, 3CD: Form Nos. 3CA, 3CB,

Revised Tax Audit Report Revised Tax Audit Report Form Nos. 3CA, 3CB, 3CD: Form Nos. 3CA, 3CB, 3CD: Important Changes Important Changes -CA Anuj J. Sharedalal At Ahmedabad Branch of WIRC of ICAI C.R. Sharedalal & Co.

1.2k views • 93 slides
Preliminary Results for the 52 weeks ended 27 December 2009 The Team Chris Moore Chief Executive

Preliminary Results for the 52 weeks ended 27 December 2009 The Team Chris Moore Chief Executive

Preliminary Results for the 52 weeks ended 27 December 2009 The Team Chris Moore Chief Executive Officer Lee Ginsberg Chief Financial Officer 2 Financial Highlights for 2009 40% Another record year 30% +31.4% 20% +27.8% +26.0% 10%

921 views • 51 slides
The State of Web Standards Larry Masinter Xerox Palo Alto Research Center May 1996 Purpose of

The State of Web Standards Larry Masinter Xerox Palo Alto Research Center May 1996 Purpose of

The State of Web Standards Larry Masinter Xerox Palo Alto Research Center May 1996 Purpose of this talk Describe the standards process Survey current Web-related standards Introduce acronyms and buzzwords Describe

1.06k views • 91 slides
Digital Orchestration Episerver Is More Than a Content and E-Commerce System Hi! Im Casper

Digital Orchestration Episerver Is More Than a Content and E-Commerce System Hi! Im Casper

Digital Orchestration Episerver Is More Than a Content and E-Commerce System Hi! Im Casper Rasmussen [ smusn] Partnership Overview Premium Partner , globally certified by Episerver Leading 16+ year relationship between organizations

400 views • 26 slides
A Combined LIFO-Priority Scheme for Overload Control of E-commerce Web Servers Naresh Singhmar

A Combined LIFO-Priority Scheme for Overload Control of E-commerce Web Servers Naresh Singhmar

Introduction Our Contribution Experiments and Results A Combined LIFO-Priority Scheme for Overload Control of E-commerce Web Servers Naresh Singhmar Vipul Mathur Varsha Apte D. Manjunath Indian Institute of Technology - Bombay Powai,

743 views • 45 slides
OPTIMIZING CAMPAIGNS AND INVENTORY: ADVENTURES OF THE EEEO INSIDE AN EEEO Robert Petkovi Web

OPTIMIZING CAMPAIGNS AND INVENTORY: ADVENTURES OF THE EEEO INSIDE AN EEEO Robert Petkovi Web

Agrokor Digital Marketing Department OPTIMIZING CAMPAIGNS AND INVENTORY: ADVENTURES OF THE EEEO INSIDE AN EEEO Robert Petkovi Web Analyst Agrokor Why me? Robert Petkovi in numbers 1990s Psychology 1996 web

550 views • 30 slides
Company presentation Cuprins Content About us

Company presentation Cuprins Content About us

Company presentation Cuprins Content About us .................................................................................................................................... 3 Objectives

580 views • 22 slides

More recommend