Data Security in Payment Card Industry Dharshan Shantamurthy, SISA Information Security _part1 pptx


Data Security in Payment Card Industry
Dharshan Shantamurthy, SISA Information Security (www.sisainfosec.com)

Objective
• Understanding the need for Security in Payment Card Industry and Overview of the Standards
• 5 Common Pitfalls in PCI DSS
• Risk Assessment in PCI DSS Version 2.0

It's safe to keep your eyes open when you jump!

Card
• Card Number
• Chip and PIN cards fall within scope of PCI DSS
• Expiry Date

Card contd.
• Magnetic Stripe is made up of “Track1” and “Track 2” data
• The card account number, plus a three-digit card verification value 2 (CVV2) is indent-printed on the signature panel.

Card Present Transaction Flow
Payment Card Industry Actors – “Card Present”
Diagram labels: Issuing Processor; Acquirer Processor; Acquirer (Merchant Bank); Merchants; Cardholder

Card Not Present Transaction Flow
Payment Card Industry Actors – “Card Not Present”
Diagram labels: Acquirer Processor; Acquirer (Merchant Bank); Issuing Processor; E-Commerce Merchant; Cardholder; Issuer; Payment Gateway

Card Frauds
Payment Card Fraud Evolution
1983    Re-embossed counterfeit fraud
1988    Re-encoded counterfeit fraud
1989    Card not present fraud/ fraud applications
1991    Never received issued fraud
1992    Merchant fraud
1994    Identity Theft
2000    Skimmed counterfeit
2002    Communications interception
Now     Server Hacking/ E-Business Merchant server hacking/ Chip sniffing and card counterfeit/ Fake terminals
Future  ????

Card Frauds
Today’s Risks

Card Frauds
Street Prices

[...]...
of Steps may increase or decrease depending on the nature, size and complexity of the CDE

5 Common Pitfalls
• Ineffective PCI Risk Assessment (Req 12.1.2)
• Time Constraint – Underestimating PCI
• PCI Specific Training/Awareness
• Investment – trying to cut corners
• Project Management – many stakeholders

Those interested to...

PCI DSS Overview
Compliance Requirement Shared by All Payment Brands

PCI DSS Overview
• Any Entity that stores, processes and/or transmits Account Data must comply with the PCI Data Security Standard (DSS). Account Data consists of cardholder data and sensitive authentication data
• Entities include, but are not limited to:
  – Merchants
  – Acquirers
  – Service Providers
  – Trusted...

requirement - Requirements for validation of compliance vary by payment brand

PCI DSS in nutshell
The PCI Security Standards

PCI DSS Sphere of Protection

PCI DSS Compliance Program
Assessment, Remediation, Certification
• Scoping
• PCI Risk Assessment
• Gap Analysis
• Mitigation
• Milestone...

Those interested to learn more on PCI Risk Assessment (emphasis in the new PCI 2.0) can collect FREE Access Code OR visit www.SMART-RA.COM
E-mail: dharshan.shanthamurthy@sisa.in

THANK YOU

Date posted: 19/06/2014, 21:20
