PCI Security Standards Council
Guiding open standards for global payment card security
Bob Russo, General Manager, December 2013
Agenda
• Why PCI DSS 3.0?
• PCI DSS and EMV
• Get Involved
About the PCI Council
Open, global forum, founded 2006
Guiding open standards for payment card security
• Development
• Management
• Education
• Awareness
Expanding Global Representation
PCI Security Standards Suite: Protection of Cardholder Payment Data
Ecosystem of payment devices, applications, infrastructure and users
• Manufacturers: PCI PTS PIN Entry Devices
• Software Developers: PCI PA-DSS Payment Applications
• Merchants & Service Providers: PCI DSS Secure Environments
• P2PE
• PCI Security & Compliance
PCI Community Feedback Process
Changes made per our lifecycle
• Open standards development process
• Feedback from our global PCI community
• Feedback period started in Fall of 2011
Market Trends & Drivers
• Weak or default passwords
• Lack of employee education
• Security deficiencies introduced by third parties
• Slow self-detection
Source: 2013 Trustwave Global Security Report
Key Considerations
What will improve payment security?
• Global applicability and local market concerns
• Appropriate sunset dates for other standards or requirements
• Cost/benefit of changes to infrastructure
• Cumulative impact of any changes
Why PCI DSS 3.0?
Visit www.pcisecuritystandards.org to view this infographic
PCI DSS, PA-DSS 3.0 – Key Themes
Make PCI your compass, not your roadmap
• Education
• Awareness
• Flexibility
• Security as a Shared Responsibility
At a Glance…
• 12 core security principles of PCI DSS remain the same
• Several new sub-requirements that will impact PCI DSS security efforts
• Future implementation dates provided for more significant changes
• Clarified PCI DSS applicability
• Enhanced testing procedures to clarify the level of validation expected for each requirement
• Aligned language between requirements and testing procedures for consistency
• Instructions for Report on Compliance (ROC) reporting are now in a separate ROC reporting template
Maintaining Compliance
Best Practices for Implementing PCI DSS into Business-as-Usual (BAU) Processes
• Focus on security, not compliance
• PCI DSS is not a once-a-year activity
• Don’t forget about people
Understanding Intent of Requirements
Strong Authentication
PCI DSS v2.0:
8.5.7 Provide authentication procedures and policies to all users
PCI DSS v3.0:
8.4 Include guidance for users:
• Selecting strong authentication credentials
• Protecting authentication credentials
• Not reusing previous passwords
• Changing passwords if suspicion of compromise
Security Policies and Procedures
PCI DSS v2.0:
12.1.1 Maintain a security policy that addresses all PCI DSS requirements
12.2 Develop daily operational security procedures that are consistent with requirements in the PCI DSS
PCI DSS v3.0:
1.5 Security policies and operational procedures for managing firewalls are documented and in use
2.5 Security policies and operational procedures for managing vendor defaults and security parameters are documented and in use
Consistent Assessment Procedures
Promote consistent validation methods
• Enhanced testing procedures
• Clarify what it means to “verify” a requirement has been met
Improve reporting
• Combine template with reporting instructions
• Clarify level of detail required
• Reduce repetition
Flexibility: PCI DSS Requirements
Log Reviews
PCI DSS v2.0:
10.6 Review logs for all system components at least daily
PCI DSS v3.0:
10.6.1 Review at least daily:
• All security events
• Logs from systems that store, process, or transmit CHD/SAD
• Logs of system components that perform security functions
10.6.2 Review other logs periodically as determined by the organization’s annual risk assessment
Security as a Shared Responsibility
• Outsourcing PCI DSS responsibilities (Guidance)
• Service providers use unique credential per customer (Requirement 8)
• Service providers acknowledge responsibility (Requirement 12)
Physical Security for POS Devices
9.9 Protect devices that capture payment card data from tampering and substitution
• Maintain an up-to-date list of devices
• Periodically inspect device surfaces to detect tampering or substitution
• Provide training for personnel to be aware of attempted tampering or replacement of devices
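The device list and periodic inspections that 9.9 calls for can be reconciled automatically so that a missing, moved or unknown device is flagged rather than noticed by chance. This is an added example, not PCI SSC material: the inventory, the inspection records and the finding labels are all constructed for illustration.

```python
"""Reconcile a POS device inventory against a periodic inspection, as a
check supporting PCI DSS 3.0 requirement 9.9. Added example, not PCI SSC
code; inventory and inspection records are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    serial: str
    make_model: str
    location: str


# Constructed inventory: the up-to-date device list 9.9 expects.
INVENTORY = [
    Device("SN-1001", "Vendor-A PED-200", "Store 12 / Lane 1"),
    Device("SN-1002", "Vendor-A PED-200", "Store 12 / Lane 2"),
    Device("SN-1003", "Vendor-B KIOSK-5", "Store 12 / Self-checkout"),
]

# Constructed inspection records: what staff observed on the floor.
# Each tuple: (serial read from label, model, location, seals intact?)
INSPECTION = [
    ("SN-1001", "Vendor-A PED-200", "Store 12 / Lane 1", True),
    ("SN-1002", "Vendor-A PED-200", "Store 12 / Lane 2", False),
    ("SN-9999", "Vendor-A PED-200", "Store 12 / Self-checkout", True),
]


def reconcile(inventory, inspection):
    """Return (finding, serial, location) tuples for anything that may
    indicate tampering, substitution, or an inventory that is out of date."""
    by_serial = {d.serial: d for d in inventory}
    by_location = {d.location: d for d in inventory}
    seen = set()
    findings = []
    for serial, model, location, seals_ok in inspection:
        seen.add(serial)
        expected = by_serial.get(serial)
        if expected is None:
            # A serial not in the inventory sitting where a listed device
            # should be is the classic substitution pattern.
            kind = "possible_substitution" if location in by_location else "unknown_device"
            findings.append((kind, serial, location))
            continue
        if expected.location != location:
            findings.append(("relocated", serial, location))
        if expected.make_model != model:
            findings.append(("model_mismatch", serial, location))
        if not seals_ok:
            findings.append(("tamper_evidence", serial, location))
    # Anything in the inventory that no inspector saw is missing.
    for serial, d in by_serial.items():
        if serial not in seen:
            findings.append(("missing", serial, d.location))
    return findings


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, INSPECTION):
        print(finding)
```

With the sample data the check reports a broken seal on SN-1002, an unlisted device at the self-checkout, and SN-1003 as missing; the last two together are the substitution case that 9.9 is meant to catch.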
Penetration Testing and Effective Scoping
11.3 Implement a penetration testing methodology
11.3.4 If segmentation is used, perform penetration tests to verify that the segmentation methods are operational and effective.
Effective Dates for v3.0 PCI DSS
• v3.0 is effective on January 1st 2014
• Version 2.0 is valid until December 31st 2014
• Different supporting documents
• Check our website for the latest documents
• Do not mix and match
EMV Chip Roadmap in US
EMV Chip Helps Reduce Face-to-Face Fraud
EMV Needs PCI
Even EMV Chip Needs PCI
Terminal Security
PTS Listings
And Emerging Technologies?
People + Processes + Technology = Security
Mobile Payment Acceptance
• PCI Standards focus on merchant acceptance
• Mobile payment acceptance still evolving
• Understand risk and use PCI SSC resources
• PCI SSC is working with industry
Mobile Payment Acceptance
Guidelines published 2012-2013
• PCI Mobile Payment Acceptance Guidelines for Developers
• PCI Mobile Payment Acceptance Guidelines for Merchants as End-Users
• Accepting Mobile Payments with a Smartphone or Tablet
PCI Special Interest Groups
Visit www.pcisecuritystandards.org to download this guidance
2014 Special Interest Groups
• Formal Security Awareness: Best Practices for Implementing a Formal Security Awareness Program
• Penetration Testing Guidance
Training Options
• Online Internal Security Assessor (ISA) Training
• Corporate PCI Awareness – Let Us Come To You!
• Online Awareness Training in Four Hours
• Qualified Integrators and Resellers (QIR)™ Program
• PCI Professional Program (PCIP)™
To learn more, visit: www.pcisecuritystandards.org/training
Qualified Integrators and Resellers (QIR)™
QIR Addresses Common Misconceptions
• “I’m using a ‘reputable’ 3rd party, so they must be doing a secure installation.”
• “This applies only to brick and mortar establishments.”
• “I’m using a PA-DSS validated application, so I must be OK.”
Payment Card Industry Professional (PCIP)™
Now Available
• Support your organization
• Professional credibility
• Competitive advantage
• Global directory
PCI SSC Website
• Documents library
• Dedicated page for small merchants
• Listings of approved companies and providers
• Videos and webinars
• Frequently asked questions microsite
Security is a shared responsibility
Get Involved – We Need Your Input
Join, Learn, Input, Network, Nominate, Vote, Share, Influence
Please visit our website at www.pcisecuritystandards.org
Questions?