PCI-DSS Compliance and Protection: Payment Card Industry Data Security Standards (PowerPoint PPT Presentation)

SLIDE 1

February 2013

PCI-DSS Compliance and Protection

Payment Card Industry Data Security Standards

Network Security

SLIDE 2

What is PCI-DSS

“The Payment Card Industry Data Security Standards is a set of comprehensive requirements for enhancing payment account data security and forms industry best practice for any entity that stores, processes and/or transmits cardholder data. This comprehensive standard is intended to help organisations proactively protect customer account data.”

Simply put: a set of standards to protect merchants and customers when dealing with cardholder account data electronically.

SLIDE 3

Why are we here?

  • IGA stores have experienced multiple Back Office System/Point of Sale hacks due to insufficient network security
  • Results in brand equity damage (e.g. bad publicity, decreased sales, police investigations, media exposure)
  • Ongoing “real” risk of attacks
  • Banks now require a yearly PCI-DSS compliance audit completed and certificate issued

SLIDE 4

What are the requirements?

  • Build & maintain a secure network
    – Install and maintain a firewall configuration to protect data
    – Do not use vendor supplied defaults for system passwords & other security parameters
  • Protect Cardholder Data
    – Protect stored cardholder data
    – Encrypt transmission of cardholder data and sensitive information across open public networks

SLIDE 5

Cont...What are the requirements?

  • Maintain a vulnerability management program
    – Use and regularly update anti-virus software
    – Develop and maintain secure systems and applications
  • Implement strong access control measures
    – Restrict access to cardholder data by business ‘need to know’
    – Assign a unique ID to each person with computer access
    – Restrict physical access to cardholder data

SLIDE 6

Cont...What are the requirements?

  • Regularly monitor & test networks
    – Track and monitor all access to network resources and cardholder data
    – Regularly test security systems and processes
  • Maintain an information security policy
    – Maintain a policy that addresses information security

SLIDE 7

What are my options?

  • DIY – implement each of the 12 requirements and employ an Approved Scanning Vendor to regularly test all network equipment, hosts and applications for known vulnerabilities.
  • Implement Metcash PCI-DSS Compliance Offer with Self Assessment (referred to as the MAKO Solution)
    – Approx cost of $139 per month over 3 years includes installation and basic wiring

SLIDE 8

Mako Secured Managed Network

SLIDE 9

Mako Features

  • Secure network for all “business related” activities (e.g. card transactions), including enterprise class virus protection
  • Separate network for “personal” use
  • Pre-population of Self Assessment PCI-DSS compliance form
  • Metcash endorsed product, installation
  • 24/7 support nationally
  • 3G redundancy backup capability

SLIDE 10

TIR Subsidy

  • TIR will offer a subsidy during the first 3 years to non-compliant IGA Retailers who take up the MFG/Mako Solution
    – 1st year: 50% subsidy
    – 2nd year: 35% subsidy
    – 3rd year: 25% subsidy
    – 4th year onwards: no further subsidy

SLIDE 11

What next?

  • Metcash ‘to do’ list includes:
    – Finalise Legals and installation strategy
    – Update Metcash Advantage Marketing Material
    – Communicate Offer to Retailers
    – Monitor Compliance (ongoing)
  • TIR position?
    – Wait for outcome of Metcash assessment
    – Communicate to TIR Retailers