PCI-DSS Compliance and Protection Payment Card Industry Data Security Standards Network Security February 2013
What is PCI-DSS “The Payment Card Industry Data Security Standards is a set of comprehensive requirements for enhancing payment account data security and forms industry best practice for any entity that stores, processes and/or transmits cardholder data. This comprehensive standard is intended to help organisations proactively protect customer account data.” Simply put...a set of standards to protect Merchants and customers when dealing with cardholder account data electronically
Why are we here? • IGA stores have experienced multiple Back Office System/Point of Sale hacks due to insufficient network security • Results in brand equity damage (e.g. bad publicity, decreased sales, police investigations, media exposure) • Ongoing “real” risk of attacks • Banks now require a yearly PCI-DSS compliance audit completed and certificate issued
What are the requirements? • Build & maintain a secure network – Install and maintain a firewall configuration to protect data – Do not use vendor supplied defaults for system passwords & other security parameters • Protect Cardholder Data – Protect stored cardholder data – Encrypt transmission of cardholder data and sensitive information across open public networks
Cont... What are the requirements? • Maintain a vulnerability management program – Use and regularly update anti-virus software – Develop and maintain secure systems and applications • Implement strong access control measures – Restrict access to cardholder data by business ‘need to know’ – Assign a unique ID to each person with computer access – Restrict physical access to cardholder data
Cont... What are the requirements? • Regularly monitor & test networks – Track and monitor all access to network resources and cardholder data – Regularly test security systems and processes • Maintain an information security policy – Maintain a policy that addresses information security
What are my options? • DIY – implement each of the 12 requirements and employ an Approved Scanning Vendor to regularly test all network equipment, hosts and applications for known vulnerabilities. • Implement Metcash PCI-DSS Compliance Offer with Self Assessment (referred to as the MAKO Solution) – Approx cost of $139 per month over 3 years includes installation and basic wiring
Mako Secured Managed Network
Mako Features • Secure network for all “business related” activities including enterprise class virus protection (eg. Card transactions) • Separate network for “personal” use • Pre-population of Self Assessment PCI-DSS compliance form • Metcash endorsed product, installation • 24/7 support nationally • 3G redundancy backup capability
TIR Subsidy • TIR will offer a subsidy during the first 3 years to non compliant IGA Retailers who take up the MFG/Mako Solution – 1 st year - 50% subsidy – 2 nd year - 35% subsidy – 3 rd year – 25% subsidy – 4 th year + no further subsidy
What next? • Metcash ‘to do’ list includes: – Finalise Legals and installation strategy – Update Metcash Advantage Marketing Material – Communicate Offer to Retailers – Monitor Compliance - ongoing • TIR position? – Wait for outcome of Metcash assessment – Communicate to TIR Retailers
Recommend
More recommend
