Abstract image of a woman sitting on books and studying on a laptop

PruebaJLF.pptx

Download as PPTX, PDF
J
JoseLuna802663

This document provides an overview of PCI compliance and security standards. It discusses the objectives of PCI DSS training, an introduction to PCI and the Payment Card Industry Security Standards Council, an overview of the PCI DSS requirements and framework, definitions of cardholder data and merchant levels, how compliance applies to different entity types, and resources for further information. The training is intended to help participants understand goals of PCI, key concepts such as cardholder data and merchant levels, and compliance responsibilities for different organizations that handle credit card transactions.

Business
1 of 21
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
1 04.08.21 PCI Program Office
2 04.08.21 PCI DSS Security Awareness Program
3 Objectives PCI Overview PCI Security Standards Council Structure of the PCI DSS PCI DSS v3.2.1 High Level Overview PCI DSS Card Holder Data PCI Standard & State Laws How PCI DSS Compliance is applied PCI DSS & Merchant Levels PCI Transaction Cash Flow Requirements for Service Providers PCI Industry Groups & Issues PCI Overview PCI DSS Compliance PCI Scope & Resources Agenda
PCI Overview 01 4 04.08.21
OBJECTIVES After you complete this course, you should be able to: Understand the key PCI DSS goals and be aware that PCI has been incorporated in State Law Be familiar with types of entities/merchants that PCI DSS compliance applies to Gain knowledge of current issues and resources for PCI 5 04.08.21  Be familiar with PCI and the Data Security Standards  Be aware of the PCI Security Standards Council  Understand the meaning of Cardholder Data  Be aware of the various merchant levels
PCI OVERVIEW What is PCI? There are three standards related to credit card security: Payment Card Industry Data Security Standard (PCI DSS) Payment Application Data Security Standard, or PA-DSS PCI PIN Transaction Security (PCI PTS) 6  PCI = Payment Card Industry  PCI Security Standards Council - Visa, Mastercard, American Express, Discover, JCB International
PCI SECURITY STANDARDS COUNCIL 7 PCI Security Standards Council was launched in 2006. PCI SSC founding payment brands are: American Express, Discover Financial, JCB International, MasterCard, Visa, Inc. The PCI SSC is responsible for the development, management, education, and awareness of the PCI Security Standards (PCI DSS).
8 TECHNICAL SOLUTIONS & SETTINGS POLICIES AND PROCEDURES TRAINING PCI-DSS contains 12 high-level requirements including 260 controls categorized into 3 areas: Section title STRUCTURE OF THE PCI DSS
PCI DSS Compliance 02 9
PCI DATA SECURITY STANDARD – HIGH LEVEL OVERVIEW 10
PCI CARD HOLDER DATA 11
PCI DSS applies globally to all merchants and service providers that store, process, use, or transmit cardholder data. Below are some types of entities that PCI DSS compliance applies to: PCI Compliance Applications • Retail - online sites, brick & mortar, mail/phone order • Hospitality - restaurants, hotels • Transportation - airlines, car rentals, taxi, limo • Utilities - gas, electric, water. • Service Providers – Cloud Security providers, data hosting providers, managed services etc. • Telecommunications - cable, wireless services, phone • Healthcare/Education - hospitals, doctors, dentists, colleges • Financial Services - banks, insurance, credit card processors. 12
PCI DSS is not a governmental regulation, its an Industry Standard and is relevant wherever credit cards are accepted. PCI DSS is validated either through a self- assessment questionnaire (SAQ) or through an annual on- site audit performed by a Qualified Security Assessor (QSA) How to validate depends upon the number of transactions your organization processes per year [refer to Merchant levels slide] Some states have incorporated some PCI DSS requirements into privacy and data breach laws Compliance with PCI DSS is not required by federal law in the United States. However, the laws of some U.S. states either refer to PCI DSS directly or make equivalent provisions. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD 13
PCI Scope & Resources 03 14
MERCHANT LEVELS AT PCI DSS PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Visa - Merchant Level - Descriptions Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant processing fewer than 20,000 Visa e- commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year. Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. Any merchant processing 20,000 to 1M Visa e- commerce transactions per year. Level 1 Level 2 Level 4 Level 3 15
PCI – TRANSACTION CASH FLOW 16
PCI DSS REQUIREMENTS FOR SERVICE PROVIDERS 17 Some of the key PCI DSS requirements relative to Service Providers:  Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. (PCI 8.5.1)  Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: Firewalls, IPS/IDS, FIM, Anti-virus, Physical Access Controls, Logical Access Controls, Audit Logging Mechanisms, Segmentation Controls (if used). (PCI 10.8)  If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. (PCI 11.3.4.1)  Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. (PCI 12.8.2)  Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. (PCI 12.9)  Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: Daily log reviews, Firewall rule-set reviews, Applying configuration standards to new systems, Responding to security alerts, and Change management processes (PCI 12.11)
PCI SCOPE 18 • The PCI DSS defines scope as “the PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.” • A cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. • Here’s a list of areas that are very likely in scope in any environment where credit card data is present: • Networking devices: switches, routers • Firewalls • Servers • Data Center – Physical Security • Portable Media – tapes, USB devices • Point-of-sale (POS) devices • Wireless devices – access points • Applications/databases (that handle credit card data)
RESOURCES Official PCI Security Standards Website www.PCISecurityStandards.org PCI DSS 3.2.1 Link https://www.pcisecuritystandards.org/document_libr ary?category=pcidss&document=pci_dss PCI INDUSTRY GROUPS/FORUMS PCI Knowledge Base https://www.pcisecuritystandards.org/faq/ INDUSTRY GROUPS & RESOURCES 19
Thank you 20
21 Kyndryl is currently a wholly-owned subsidiary of International Business Machines Corporation with the intent that Kyndryl will be spun-out.

More Related Content

PDF
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
PPT
PCI DSS
Duy Do Phan
 
PDF
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
PPTX
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PPT
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
Melanie Beam
 
PPT
eCommerce Summit Atlanta Mountain Media
eCommerce Merchants
 
PPTX
PCI DSS Compliance Readiness
Al Abbas, PMP, CISSP, MBA, MSc
 
PDF
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
PCI DSS
Duy Do Phan
 
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
Melanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Merchants
 
PCI DSS Compliance Readiness
Al Abbas, PMP, CISSP, MBA, MSc
 
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 

Similar to PruebaJLF.pptx (20)

PPTX
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
PDF
Quick Reference Guide to the PCI Data Security Standard
- Mark - Fullbright
 
PDF
PCI-DSS_Overview
sameh Abulfotooh
 
DOCX
PCI DSS 6 Key Objectives You Must Know for Compliance.docx
BORNSEC CONSULTING
 
PDF
Pcidss qr gv3_1
leon bonilla
 
PDF
PCI DSS Data Security Compliance Program Overview
- Mark - Fullbright
 
PDF
PCI_Presentation_OASIS
Dermot Clarke
 
DOCX
Securing SaaS: Your Roadmap to PCI DSS v4.0 Compliance
rajverma416485
 
PDF
Pci standards, from participation to implementation and review
isc2-hellenic
 
PPT
Evolution Pci For Pod1
Amanda Squires@Pod1
 
PDF
Payment System Risk. Visa
Internet Security Auditors
 
PDF
Visa Compliance Mark National Certification
Mark Pollard
 
PDF
Data Center Audit Standards
Keyur Thakore
 
PDF
Approach & methodology - PCI DSS (1).pdf
suridhalder
 
PPTX
Payment card industry data security standard
sallychiu
 
PPT
pci-comp pci requirements and controls.ppt
gealehegn
 
PPT
PCI DSS Certification
hodonoghue
 
PPTX
PCI DSS for Penetration Testing
Network Intelligence India
 
PPTX
Presentation Pci-dss compliance on the cloud
Hassan EL ALLOUSSI
 
PDF
PCI Certification and remediation services
Tariq Juneja
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
Quick Reference Guide to the PCI Data Security Standard
- Mark - Fullbright
 
PCI-DSS_Overview
sameh Abulfotooh
 
PCI DSS 6 Key Objectives You Must Know for Compliance.docx
BORNSEC CONSULTING
 
Pcidss qr gv3_1
leon bonilla
 
PCI DSS Data Security Compliance Program Overview
- Mark - Fullbright
 
PCI_Presentation_OASIS
Dermot Clarke
 
Securing SaaS: Your Roadmap to PCI DSS v4.0 Compliance
rajverma416485
 
Pci standards, from participation to implementation and review
isc2-hellenic
 
Evolution Pci For Pod1
Amanda Squires@Pod1
 
Payment System Risk. Visa
Internet Security Auditors
 
Visa Compliance Mark National Certification
Mark Pollard
 
Data Center Audit Standards
Keyur Thakore
 
Approach & methodology - PCI DSS (1).pdf
suridhalder
 
Payment card industry data security standard
sallychiu
 
pci-comp pci requirements and controls.ppt
gealehegn
 
PCI DSS Certification
hodonoghue
 
PCI DSS for Penetration Testing
Network Intelligence India
 
Presentation Pci-dss compliance on the cloud
Hassan EL ALLOUSSI
 
PCI Certification and remediation services
Tariq Juneja
 
Ad

Recently uploaded (20)

PDF
757557697-CERTIKIT-ISO22301-Implementation-Guide-v6.pdf
purdiantayo1
 
PPTX
PPT Hafizullah Oria- Final Thesis Exam.pptx
Ehsanullah Oria
 
PDF
Nante Industrial Plug Socket Connector Sustainability Insights
gdhdgee963
 
PDF
Handouts for Housekeeping.pdfbababvsvvNnnh
MarkallainFrancisco
 
PDF
From Legacy to Velocity: how we rebuilt everything in 8 months.
Product-Tech Team
 
PPTX
Warehouse. B pptx
manojx177
 
PPTX
Enterprises are Classified into Two Categories
Vidhyapriyadharshini1
 
PPTX
Hospitality & tourism management.pptxHospitality & tourism management.pptx
Nida Mahmood
 
PDF
The Evolution of Legal Communication through History (www.kiu.ac.ug)
publication11
 
PPTX
Hospitality & tourism management.pptxHospitality & tourism management.pptx
Nida Mahmood
 
PDF
El futuro empresarial 2024 una vista gen
dannflolo1
 
PPTX
Capital Investment in IS Infrastracture and Innovation (SDG9)
ephryllaneb
 
PDF
COVID-19 Primer for business case prep.pdf
AakritiGupta862151
 
PPTX
Biomass_Energy_PPT_FIN AL________________.pptx
gloryjsingh
 
PDF
The Impact of Historical Events on Legal Communication Styles (www.kiu.ac.ug)
publication11
 
PPTX
IndustrialAIGuerillaInnovatorsARCPodcastEp3.pptx
Colin Masson
 
PDF
BeMetals_Presentation_September_2025.pdf
DerekIwanaka2
 
PDF
Не GPT єдиним: можливості AI в бізнес-аналізі | Вебінар з Тетяною Перловською
E-5
 
DOCX
Handbook of entrepreneurship- Chapter 10 - Feasibility analysis by Subin K Mohan
DrSubinKMohan
 
DOCX
“Strategic management process of a selected organization”.Nestle-docx.docx
mkamumin08
 
757557697-CERTIKIT-ISO22301-Implementation-Guide-v6.pdf
purdiantayo1
 
PPT Hafizullah Oria- Final Thesis Exam.pptx
Ehsanullah Oria
 
Nante Industrial Plug Socket Connector Sustainability Insights
gdhdgee963
 
Handouts for Housekeeping.pdfbababvsvvNnnh
MarkallainFrancisco
 
From Legacy to Velocity: how we rebuilt everything in 8 months.
Product-Tech Team
 
Warehouse. B pptx
manojx177
 
Enterprises are Classified into Two Categories
Vidhyapriyadharshini1
 
Hospitality & tourism management.pptxHospitality & tourism management.pptx
Nida Mahmood
 
The Evolution of Legal Communication through History (www.kiu.ac.ug)
publication11
 
Hospitality & tourism management.pptxHospitality & tourism management.pptx
Nida Mahmood
 
El futuro empresarial 2024 una vista gen
dannflolo1
 
Capital Investment in IS Infrastracture and Innovation (SDG9)
ephryllaneb
 
COVID-19 Primer for business case prep.pdf
AakritiGupta862151
 
Biomass_Energy_PPT_FIN AL________________.pptx
gloryjsingh
 
The Impact of Historical Events on Legal Communication Styles (www.kiu.ac.ug)
publication11
 
IndustrialAIGuerillaInnovatorsARCPodcastEp3.pptx
Colin Masson
 
BeMetals_Presentation_September_2025.pdf
DerekIwanaka2
 
Не GPT єдиним: можливості AI в бізнес-аналізі | Вебінар з Тетяною Перловською
E-5
 
Handbook of entrepreneurship- Chapter 10 - Feasibility analysis by Subin K Mohan
DrSubinKMohan
 
“Strategic management process of a selected organization”.Nestle-docx.docx
mkamumin08
 
Ad

PruebaJLF.pptx

  • 3. 3 Objectives PCI Overview PCI Security Standards Council Structure of the PCI DSS PCI DSS v3.2.1 High Level Overview PCI DSS Card Holder Data PCI Standard & State Laws How PCI DSS Compliance is applied PCI DSS & Merchant Levels PCI Transaction Cash Flow Requirements for Service Providers PCI Industry Groups & Issues PCI Overview PCI DSS Compliance PCI Scope & Resources Agenda
  • 5. OBJECTIVES After you complete this course, you should be able to: Understand the key PCI DSS goals and be aware that PCI has been incorporated in State Law Be familiar with types of entities/merchants that PCI DSS compliance applies to Gain knowledge of current issues and resources for PCI 5 04.08.21  Be familiar with PCI and the Data Security Standards  Be aware of the PCI Security Standards Council  Understand the meaning of Cardholder Data  Be aware of the various merchant levels
  • 6. PCI OVERVIEW What is PCI? There are three standards related to credit card security: Payment Card Industry Data Security Standard (PCI DSS) Payment Application Data Security Standard, or PA-DSS PCI PIN Transaction Security (PCI PTS) 6  PCI = Payment Card Industry  PCI Security Standards Council - Visa, Mastercard, American Express, Discover, JCB International
  • 7. PCI SECURITY STANDARDS COUNCIL 7 PCI Security Standards Council was launched in 2006. PCI SSC founding payment brands are: American Express, Discover Financial, JCB International, MasterCard, Visa, Inc. The PCI SSC is responsible for the development, management, education, and awareness of the PCI Security Standards (PCI DSS).
  • 8. 8 TECHNICAL SOLUTIONS & SETTINGS POLICIES AND PROCEDURES TRAINING PCI-DSS contains 12 high-level requirements including 260 controls categorized into 3 areas: Section title STRUCTURE OF THE PCI DSS
  • 10. PCI DATA SECURITY STANDARD – HIGH LEVEL OVERVIEW 10
  • 11. PCI CARD HOLDER DATA 11
  • 12. PCI DSS applies globally to all merchants and service providers that store, process, use, or transmit cardholder data. Below are some types of entities that PCI DSS compliance applies to: PCI Compliance Applications • Retail - online sites, brick & mortar, mail/phone order • Hospitality - restaurants, hotels • Transportation - airlines, car rentals, taxi, limo • Utilities - gas, electric, water. • Service Providers – Cloud Security providers, data hosting providers, managed services etc. • Telecommunications - cable, wireless services, phone • Healthcare/Education - hospitals, doctors, dentists, colleges • Financial Services - banks, insurance, credit card processors. 12
  • 13. PCI DSS is not a governmental regulation, its an Industry Standard and is relevant wherever credit cards are accepted. PCI DSS is validated either through a self- assessment questionnaire (SAQ) or through an annual on- site audit performed by a Qualified Security Assessor (QSA) How to validate depends upon the number of transactions your organization processes per year [refer to Merchant levels slide] Some states have incorporated some PCI DSS requirements into privacy and data breach laws Compliance with PCI DSS is not required by federal law in the United States. However, the laws of some U.S. states either refer to PCI DSS directly or make equivalent provisions. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD 13
  • 15. MERCHANT LEVELS AT PCI DSS PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Visa - Merchant Level - Descriptions Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant processing fewer than 20,000 Visa e- commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year. Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year. Any merchant processing 20,000 to 1M Visa e- commerce transactions per year. Level 1 Level 2 Level 4 Level 3 15
  • 16. PCI – TRANSACTION CASH FLOW 16
  • 17. PCI DSS REQUIREMENTS FOR SERVICE PROVIDERS 17 Some of the key PCI DSS requirements relative to Service Providers:  Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. (PCI 8.5.1)  Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: Firewalls, IPS/IDS, FIM, Anti-virus, Physical Access Controls, Logical Access Controls, Audit Logging Mechanisms, Segmentation Controls (if used). (PCI 10.8)  If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. (PCI 11.3.4.1)  Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. (PCI 12.8.2)  Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. (PCI 12.9)  Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: Daily log reviews, Firewall rule-set reviews, Applying configuration standards to new systems, Responding to security alerts, and Change management processes (PCI 12.11)
  • 18. PCI SCOPE 18 • The PCI DSS defines scope as “the PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.” • A cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. • Here’s a list of areas that are very likely in scope in any environment where credit card data is present: • Networking devices: switches, routers • Firewalls • Servers • Data Center – Physical Security • Portable Media – tapes, USB devices • Point-of-sale (POS) devices • Wireless devices – access points • Applications/databases (that handle credit card data)
  • 19. RESOURCES Official PCI Security Standards Website www.PCISecurityStandards.org PCI DSS 3.2.1 Link https://www.pcisecuritystandards.org/document_libr ary?category=pcidss&document=pci_dss PCI INDUSTRY GROUPS/FORUMS PCI Knowledge Base https://www.pcisecuritystandards.org/faq/ INDUSTRY GROUPS & RESOURCES 19
  • 21. 21 Kyndryl is currently a wholly-owned subsidiary of International Business Machines Corporation with the intent that Kyndryl will be spun-out.