will you be pci dss compliant by september 2010
play

Will you be PCI DSS Compliant by September 2010? Michael DSa, Visa - PowerPoint PPT Presentation

Jul 17, 2023 •228 likes •581 views

Will you be PCI DSS Compliant by September 2010? Michael DSa, Visa Canada Presentation to OWASP Toronto Chapter Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new

  1. Will you be PCI DSS Compliant by September 2010? Michael D’Sa, Visa Canada Presentation to OWASP Toronto Chapter Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009

  2. Security Environment As PCI DSS compliance rates rise, new compromise trends emerge Compliance Milestone Compromise Trend • PCI DSS compliance is • Issuers and processors adopted by acquiring increasingly targeted; non-U.S. participants in North America. compromises increasing rapidly • Merchants and service • Data criminals seek capture of providers reduce historical cardholder data in transit through storage of cardholder data sniffer attacks • PCI DSS compliance improves • Compromises of small and among large merchants medium size merchants increase • E-commerce and payment • SQL injection attacks on non- channel websites better payment sites to gain access to secured payment environment Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.2 2

  3. Compromises in the Media - Myths and Facts Myths Facts • PCI DSS compliant entities have • As of today, no compromised entity been breached has been found to be compliant at the time of the breach • PCI DSS should prevent and detect • PCI DSS does not address unauthorized network access and unauthorized network access and sniffer* attacks sniffer* attacks installation of sniffers • Visa does support encryption for • Visa does not support both online and batch files encryption • Encryption does not eliminate the • Encryption of data transmission risk of data being “sniffed” if data is can prevent recent compromises decrypted at any point PCI DSS continues to serve as a robust foundation to protect cardholder data in a static data environment *Sniffers are used by hackers to monitor and capture data in transit over an internal network Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.3 3

  4. Common cyber vulnerabilities that lead to attacks on a network Cyber Vulnerabilities � No segmentation and/or firewall � Un-patched systems and/or default configuration � No logging � No encryption or authentication on Wireless Access Points � Security not written into payment applications � Sniffer attacks � Remote access misconfigurations Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.4 4

  5. Forensic Findings*… � The majority of all E-commerce merchant breaches are tied back to external hackers as opposed to insiders. On the other hand the number of “inside jobs” for Brick/Mortar data breaches still remains significantly higher. � More than 80% of E-commerce merchant breaches could have been easily prevented if some basic security measures were in place. � 20-25% of E-commerce merchant breaches were the result of SQL Injection – an attack that can be perpetrated quickly, easily and using any basic web browser from anywhere on the internet. browser from anywhere on the internet. � Vulnerability Scanning is still critically important. � Some breached e-merchants were undergoing scans, but were not looking at their reports. � Some of these merchants were looking at the reports, but didn’t bother to remediate the reported vulnerabilities. � Some of these reported vulnerabilities were known for over 12 months, but never addressed. * Source: Verizon Business Powered by CyberTrust (2008) Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.5 5

  6. Forensic Findings*… Approximately 50% of the E-commerce merchants’ breaches tied back to issues with third parties. These tend to fall into three sub-categories: 1. Outsourcing of the payment function (shopping cart check-out). The third party suffers a breach and the merchant’s transaction data is compromised. 2. The e-commerce merchant sends transaction information to a third party, and permits the third party to connect into their e-commerce environment directly to pull the order fulfillment and transaction data. The third party suffers a to pull the order fulfillment and transaction data. The third party suffers a compromise and the hacker exploits the connectivity that the third party has into the merchant to compromise the transaction data. 3. The shared hosting provider scenario. Many e-commerce sites are being hosted in shared environments. In these shared scenarios there is little to no segmentation between the various e-commerce sites that may exist in the shared environment. One merchant or entity that is hosted in the environment can suffer a breach and then the hacker gains access to the database – which can contain transaction information for dozens or even hundreds of merchants. * Source: Verizon Business Powered by CyberTrust (2008) Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.6 6

  7. What Are We Up Against? Malicious individuals continue to evolve attacks in an effort to obtain cardholder data that is processed, stored or PROCESSING STORAGE transmitted Complexity Sniffers Wireless intrusion Database hack Stolen Receipts/Cards Time TRANSMISSION Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.7 7

  8. Compromise Event Impacts When Cardholder Data is Compromised 1. Financial Liability - Fines - Fines - Cost of forensic exam - Fraud Liability Compromised Entity 2. Brand/Reputation Damage 3. Disruption of Service Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.8 8

  9. Visa’s Data Security Program Account Information Security is a Visa mandated program that outlines the minimum level of security for any entity that transmits, processes, or stores transmits, processes, or stores Visa account information. The AIS program utilizes the PCI Data Security Standard and related suite of documents. Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.9 9

  10. Compliance Validation Summary – Merchants Annual Visa Merchant Self- Vulnerability On-site Transaction Type Assessment Scan Review Volume Questionnaire � � 1 over All 6,000,000 Quarterly Annual � � � � 1,000,000 2 2 All All to to 6,000,000 Annual Quarterly � � 20,000 3 E-commerce to Volume 1,000,000 Annual Quarterly � � B/M and MOTO 4 < 1,000,000 All other E-comm merchants < 20,000 Annual Annual Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.10 10

  11. Compliance Validation Summary – Service Providers Service Provider Self- Vulnerability On-site Type Assessment Scan Review Questionnaire � � � � VisaNet processors or any service provider that stores, 1 1 processes and/or transmits over 300,000 transactions per year Quarterly Annual � � Any service provider that stores, 2 processes and/or transmits less than 300,000 transactions per year Annual Quarterly Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.11 11

  12. Deadlines � Level 1, 2, and 3 merchants were required to complete their validation compliance review by 31 December 2005. � Visa Canada agreed not to levy fines if a merchant had a reasonable action plan in place � � Visa Inc announced a global date (September 30, 2010), which Visa Inc announced a global date (September 30, 2010), which enforces fines on L1 merchants who have not completed their DSS validation reviews � Fines will be levied to the respective Acquirers of non- compliant L1 merchants after September 30, 2010 � Visa Canada will announce an end date for L2 and L3 merchants Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.12 12

  13. PCI Training in Canada PCI DSS 1.2 Training Location: Toronto June 16, 17 PCI PA-DSS Training Location: Toronto Location: Toronto June 18 PCI DSS 1.2 Training Location: Vancouver September 9/10 Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.13 13

  14. PCI DSS Prioritized Approach What is the Prioritized Approach? The Prioritized Approach is a new educational resource from the Council. It offers guidance on how to focus guidance on how to focus PCI DSS implementation efforts in a way that expedites the security of cardholder data. Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.14 14

  15. PCI DSS Prioritized Approach How can the Prioritized Approach help with compliance? The Prioritized Approach does not provide a short cut or tricks to achieve PCI DSS compliance. It does however deliver key benefits, such as: � Helps businesses identify highest risk targets � � Creates a common language around PCI DSS implementation efforts � Enables merchants to demonstrate progress on compliance process to key stakeholders – banks, acquirers, QSAs, others. Account Information Security | 19 August 2009 Visa Public Information Classification as Needed Presentation Identifier.15 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Non Compliant Compliant 1. Non Submission of Data string upload to the IDP by End the portal

Non Compliant Compliant 1. Non Submission of Data string upload to the IDP by End the portal

Non Delegated CFO Forum Presented by National Treasury 07 November 2016 Compliant and When? Non Compliant Compliant 1. Non Submission of Data string upload to the IDP by End the portal by due dates November 2016. and compliant to:

253 views • 7 slides
7 Top Tips for Creating Compliant Sales Presentations How to organise Create compliant

7 Top Tips for Creating Compliant Sales Presentations How to organise Create compliant

7 Top Tips for Creating Compliant Sales Presentations How to organise Create compliant Streamline the content content approval process About Simplifje Simplifje is a leading provider of business We offer a number of distinct products

333 views • 5 slides
Results presentation for the year ended 30 June 2010 8 September 2010 1 1 De Vessey Village,

Results presentation for the year ended 30 June 2010 8 September 2010 1 1 De Vessey Village,

Full Year 2010 Results presentation for the year ended 30 June 2010 8 September 2010 1 1 De Vessey Village, Sleaford 8 September 2010 Bob Lawson Chairman Full Year 2010 Full Year 2010 David Thomas Group Finance Director 8 September 2010

852 views • 61 slides
Company Overview O September 2010 September 2010 C Disclaimer This document has been prepared

Company Overview O September 2010 September 2010 C Disclaimer This document has been prepared

Company Overview O September 2010 September 2010 C Disclaimer This document has been prepared as a summary only, and does not contain all information about the Companys assets and liabilities, financial position and performance, profits

214 views • 18 slides
-Technical Assessment Sub-Group 1 14 th September 2010 14th September 2010 SMDG Meeting 1 1

-Technical Assessment Sub-Group 1 14 th September 2010 14th September 2010 SMDG Meeting 1 1

Smart Meter Design Group -Technical Assessment Sub-Group 1 14 th September 2010 14th September 2010 SMDG Meeting 1 1 www.ofgem.gov.uk Agenda 1. Introductions 2. Background 3. Terms of Reference 4. Outline Plan 5. Todays deliverables

628 views • 17 slides
Corporate Parenting Panel Safeguarding Presentation 13 September 2010 13 September 2010 Chris

Corporate Parenting Panel Safeguarding Presentation 13 September 2010 13 September 2010 Chris

Corporate Parenting Panel Safeguarding Presentation 13 September 2010 13 September 2010 Chris Hogan / Colin Rodden Childrens Services and Lifelong Learning Why Corporate Parents should have checks? Access to personal information

233 views • 7 slides
In Healthcar In Healthcare CREATIVE OR NON-COMPLIANT? Laura Pietromica Customer Advisor &amp;

In Healthcar In Healthcare CREATIVE OR NON-COMPLIANT? Laura Pietromica Customer Advisor &amp;

Smar Smart De t Device Usa vice Usage ge In Healthcar In Healthcare CREATIVE OR NON-COMPLIANT? Laura Pietromica Customer Advisor &amp; Consultant HIMSS Analytics Certified 11 August 2019 Creative AGENDA Non-Compliant Final

331 views • 20 slides
Investor Presentation September 2010 Best Bank in UAE (Euromoney 2010) I Among the

Investor Presentation September 2010 Best Bank in UAE (Euromoney 2010) I Among the

NBAD is UAEs Number One Bank Investor Presentation September 2010 Best Bank in UAE (Euromoney 2010) I Among the worlds 50 safest banks in 2010 (Global Finance) Disclaimer The information contained herein has been prepared by

561 views • 32 slides
Fighting Counterfeit and Non-Compliant Products KEITH SMITH Deputy Director BEAMA Installation

Fighting Counterfeit and Non-Compliant Products KEITH SMITH Deputy Director BEAMA Installation

Electrical Safety First 17th November 2015 Fighting Counterfeit and Non-Compliant Products KEITH SMITH Deputy Director BEAMA Installation 2 Extract from EC communication on 28 th October 2015 The increasing number of illegal and non-compliant

195 views • 16 slides
Joining Forces to Fight Counterfeit, Substandard and Non-Compliant Products KEITH SMITH Deputy

Joining Forces to Fight Counterfeit, Substandard and Non-Compliant Products KEITH SMITH Deputy

EDA FORUM 10 th September 2015 Joining Forces to Fight Counterfeit, Substandard and Non-Compliant Products KEITH SMITH Deputy Director BEAMA Installation PETER SMEETH Director ACI Sec Gen BCA Presentation to EDA Regional Business Forum 10

947 views • 57 slides
Oriola-KD Corporation January-September 2010 Eero Hautaniemi President and CEO 28 October 2010

Oriola-KD Corporation January-September 2010 Eero Hautaniemi President and CEO 28 October 2010

Oriola-KD Corporation January-September 2010 Eero Hautaniemi President and CEO 28 October 2010 Key Figures January-September 2010 1-9/ 2010 1-9/ 2009 Change % Q3/ 2010 Q3/ 2009 Change % 1401.5 1125.8 + 24% 498.5 379.2 Net sales,

479 views • 21 slides
Chapter 19 Islamic-Compliant Financing of Commercial Real Estate Jonathan Lawrence, Partner,

Chapter 19 Islamic-Compliant Financing of Commercial Real Estate Jonathan Lawrence, Partner,

Chapter 19 Islamic-Compliant Financing of Commercial Real Estate Jonathan Lawrence, Partner, K&amp;L Gates LLP 19.1 Introduction CRE has been an increasingly important asset class for Islamic-compliant transactions and banks since the

515 views • 30 slides
Eld r d G ld C r Eldorado Gold Corporation r ti September 2010 September 2010

Eld r d G ld C r Eldorado Gold Corporation r ti September 2010 September 2010

Eld r d G ld C r Eldorado Gold Corporation r ti September 2010 September 2010 www.eldoradogold.com 1 Forward-Looking Statements Certain of the statements made in this Presentation may contain forward-looking statements within the meaning of

609 views • 45 slides
20/03/2015 SHARIA COMPLIANT TRUSTS: SOME RECENT CASE STUDIES Thursday 19 March 2015 Piers

20/03/2015 SHARIA COMPLIANT TRUSTS: SOME RECENT CASE STUDIES Thursday 19 March 2015 Piers

20/03/2015 SHARIA COMPLIANT TRUSTS: SOME RECENT CASE STUDIES Thursday 19 March 2015 Piers Master (Charles Russell Speechlys) Lorraine Wheeler (First Names Group) - Chair STEP Jersey is sponsored by: Sharia compliant trusts Presentation

333 views • 7 slides
2 nd Quarter 2010 Financial Results September 21 st , 2010 Disclaimer Forward-looking

2 nd Quarter 2010 Financial Results September 21 st , 2010 Disclaimer Forward-looking

Conference Call Presentation 2 nd Quarter 2010 Financial Results September 21 st , 2010 Disclaimer Forward-looking statements are based on the beliefs and assumptions of Araucos management and on information currently available to the

608 views • 23 slides
Interim Report January September 2010 Strategy and financial targets 27 Oct 2010 3 Next

Interim Report January September 2010 Strategy and financial targets 27 Oct 2010 3 Next

President and CEO Mikael Mkinen 27 October 2010 Interim Report January September 2010 Strategy and financial targets 27 Oct 2010 3 Next corporate theme -1997 1997- 2002- 2004- 2007- 2010- 2015- Late 80s/ 2002 2004 2007 2010

430 views • 24 slides
2014 STATE OF E-COMMERCE IN DISTRIBUTION Featuring: Jonathan Bein, Ranga Bodla and Tom Gale

2014 STATE OF E-COMMERCE IN DISTRIBUTION Featuring: Jonathan Bein, Ranga Bodla and Tom Gale

Download handouts (PDF) : www.mdm.com/slides or info@mdm.com 2014 STATE OF E-COMMERCE IN DISTRIBUTION Featuring: Jonathan Bein, Ranga Bodla and Tom Gale March 20, 2014 Produced by: Event Sponsor: 1 Download handouts (PDF) :

649 views • 53 slides
price discrimina5on in e-commerce Nataliia Bielova INDES team

price discrimina5on in e-commerce Nataliia Bielova INDES team

Web tracking technologies &amp; price discrimina5on in e-commerce Nataliia Bielova INDES team 11 February 2016 Back in 1993 2 Today 3

898 views • 68 slides
CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /fall2019/cs683/cs683_main.htm 1 Lecture 12 Transport Layer Security/ Secure Socket Layer (TLS/SSL)

615 views • 23 slides
Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially- Private Federated Linear Bandits Dubey and Pentland June 2020 Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual Bandits Summary Background Abhimanyu Dubey and Alex Pentland

437 views • 20 slides
Electronic Commerce: A Killer (Application) for the Semantic Web? Dieter Fensel Vrije

Electronic Commerce: A Killer (Application) for the Semantic Web? Dieter Fensel Vrije

Sophia-Antipolis October 2001 Electronic Commerce: A Killer (Application) for the Semantic Web? Dieter Fensel Vrije Universiteit Amsterdam http://www.cs.vu.nl/~dieter, dieter@cs.vu.nl . Slide 1 Sophia-Antipolis October 2001 Contents 1.

978 views • 23 slides
Project Spotlight on Emerging Contestable Services Work rkshop Summary ry 20 June 2019

Project Spotlight on Emerging Contestable Services Work rkshop Summary ry 20 June 2019

Project Spotlight on Emerging Contestable Services Work rkshop Summary ry 20 June 2019 Background This document summarises themes from a workshop held on 28 May 2019 as part of a joint project seeking to understand how emerging technologies

636 views • 15 slides
Darcie Handt, Executive Director, ND Cares ND Cares Evolution ND Cares Coalition Strategic

Darcie Handt, Executive Director, ND Cares ND Cares Evolution ND Cares Coalition Strategic

Darcie Handt, Executive Director, ND Cares ND Cares Evolution ND Cares Coalition Strategic Planning Session 10/13/2015 10/06/2015 Medora becomes 1st ND Cares Community ND Cares Executive Director authorized under Office of the Adjutant General

536 views • 14 slides
Experience the power of Drupal as a platform for content and commerce Scalable cloud based

Experience the power of Drupal as a platform for content and commerce Scalable cloud based

Experience the power of Drupal as a platform for content and commerce Scalable cloud based e-commerce platform on Drupal with a common back office for managing sales of entry passes to multiple events Vimal Joseph Senior Manager, Technology

309 views • 27 slides

More recommend