Data Security in Payment Card Industry
Dharshan Shantamurthy, SISA Information Security (www.sisainfosec.com)
Objective
• Understanding the need for Security in Payment Card Industry and Overview of the Standards
• 5 Common Pitfalls in PCI DSS
• Risk Assessment in PCI DSS Version 2.0

It's safe to keep your eyes open when you jump!

Card
• Card Number
• Expiry Date
Chip and PIN cards fall within scope of PCI DSS
Card contd.
Magnetic stripe is made up of “Track 1” and “Track 2” data.
The card account number, plus a three-digit card verification value 2 (CVV2), is indent-printed on the signature panel.
Card Present Transaction Flow
Payment Card Industry Actors – “Card Present”
• Cardholder
• Merchants
• Acquirer (Merchant Bank)
• Acquirer Processor
• Issuing Processor
Card Not Present Transaction Flow
Payment Card Industry Actors – “Card Not Present”
• Cardholder
• E-Commerce Merchant
• Payment Gateway
• Acquirer (Merchant Bank)
• Acquirer Processor
• Issuing Processor
• Issuer
Card Frauds
Payment Card Fraud Evolution
1983 Re-embossed counterfeit fraud
1988 Re-encoded counterfeit fraud
1989 Card not present fraud/ fraud applications
1991 Never received issued fraud
1992 Merchant fraud
1994 Identity Theft
2000 Skimmed counterfeit
2002 Communications interception
Now Server hacking / E-business merchant server hacking / Chip sniffing and card counterfeit / Fake terminals
Future ????
Card Frauds
Today’s Risks
Card Frauds
Street Prices
Compliance Requirement Shared by All Payment Brands
• Any entity that stores, processes and/or transmits Account Data must comply with the PCI Data Security Standard (DSS). Account Data consists of cardholder data and sensitive authentication data.

• Entities include, but are not limited to:
– Merchants
– Acquirers
– Service Providers
– Trusted Third Parties

• Each brand has its own set of compliance requirements based on this general requirement.
- Requirements for validation of compliance vary by payment brand.
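
The card slides list the data elements (card number, expiry date, Track 1/Track 2, CVV2) and this slide splits Account Data into cardholder data and sensitive authentication data. The following Python example, added here and not part of the original presentation, shows what that split means in practice: cardholder data may be retained if protected (the PAN shown masked to first six/last four digits, per PCI DSS Req. 3.3), sensitive authentication data is purged after authorisation (Req. 3.2), and a Luhn check plus a digit-run pattern finds PANs that have leaked into application logs. The field names, helper names, the sample record and the sample log line are constructed for illustration; the PAN used is the well-known Visa test number.

```python
"""Classify, mask and detect payment card data along PCI DSS lines.

Added example, not code from the presentation or from SISA.
Field names ("pan", "track2", ...) and helper names are assumptions.
"""
import re

# PCI DSS account-data categories (public definitions from the standard).
CARDHOLDER_DATA = {"pan", "cardholder_name", "expiry_date", "service_code"}
SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv2", "pin"}


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card PAN satisfies."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3 display masking: at most the first six and last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(record: dict) -> dict:
    """Split a post-authorisation record into retain / purge / review sets."""
    retain, purged, review = {}, [], []
    for field, value in record.items():
        if field in SENSITIVE_AUTH_DATA:
            purged.append(field)          # Req. 3.2: never store after auth
        elif field == "pan":
            retain[field] = mask_pan(value)
        elif field in CARDHOLDER_DATA:
            retain[field] = value         # storable, but must be protected
        else:
            review.append(field)          # not account data; needs a human look
    return {"retain": retain, "purged": purged, "review": review}


# Detection side: 13-19 digit runs not adjacent to other digits, confirmed by Luhn.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_pans_in_log(text: str) -> list:
    """Return Luhn-valid digit runs found in free text such as an app log."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def redact_log(text: str) -> str:
    """Mask every Luhn-valid PAN in a log line; leave other digit runs alone."""
    def _sub(m):
        s = m.group(1)
        return mask_pan(s) if luhn_valid(s) else s
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample input (test PAN, placeholder track data, fake log line).
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A SAMPLE CARDHOLDER",
    "expiry_date": "1229",
    "service_code": "201",
    "track2": "<constructed track 2 placeholder>",
    "cvv2": "000",
    "merchant_id": "MERCHANT-0001",
}
SAMPLE_LOG = ("2024-01-01 12:00:00 auth ok pan=4111111111111111 "
              "ref=1234567890123 amount=12.50")


if __name__ == "__main__":
    print(classify(SAMPLE_RECORD))
    print(find_pans_in_log(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG))
```

The Luhn confirmation matters on the detection side: the 13-digit reference number in the sample log line is not Luhn-valid, so it is neither reported nor redacted, which keeps false positives down when the same scan is run across real log volumes.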

PCI DSS Overview
PCI DSS in a nutshell
The PCI Security Standards
PCI DSS Sphere of Protection
PCI DSS Compliance Program
Assessment
• Scoping
• PCI Risk Assessment
• Gap Analysis

Remediation
• Mitigation
• Milestone Reviews

Certification
• Audit
• ROC/AOC
• Certificate of Compliance

Note: The number of steps may increase or decrease depending on the nature, size and complexity of the CDE
5 Common Pitfalls
• Ineffective PCI Risk Assessment (Req 12.1.2)
• Time Constraint – Underestimating PCI
• PCI Specific Training/Awareness
• Investment – trying to cut corners
• Project Management – many stakeholders


THANK YOU
Those interested in learning more on PCI Risk Assessment (emphasis in the new PCI 2.0) can collect a FREE Access Code OR visit www.SMART-RA.COM
E-mail: