![Page 1: Got Credit Cards? - PPAI Expo Got Credit Cards - PCI... · Introduction Adam Taylor •Vice President of Development at Essent Corporation •Promotional Product Industry Specialist](https://reader036.vdocument.in/reader036/viewer/2022071015/5fce93881077533dfc0018a8/html5/thumbnails/1.jpg)
Got Credit Cards? PCI Compliance for Small and Medium Companies
Introduction
Adam Taylor
• Vice President of Development at Essent Corporation
• Promotional Product Industry Specialist
• Working with Suppliers and Distributors for 15 years
• 2018 PPAI Technology Committee Appointee
The Big Questions to Ask
• What is in scope?
• Is it in compliance?
Table of Contents
• What is PCI and Why Should I Care?
• Scoping
• PCI Requirements
• How to Comply
Abstract/Goals
• New to PCI
  • Background of what PCI is and why it's important
  • Ideas of where to go next
• Veterans to PCI
  • Bring PCI Back to the forefront
  • Reinforce Continued Diligence
  • Learn something New
What is PCI Compliance?
• As an Industry we care about consumer product safety. PCI is about consumer safety of the payment card transaction
• Who does it impact?
  • All entities that store, process, and/or transmit cardholder data
Poll: Who has started on their PCI Compliance Journey?
Poll: Who has completed it?
PCI Compliance is a Never-Ending Journey
PCI Compliance Journey
• It’s a never-ending journey
• Make it part of your BAU culture
In The News
94 Million Records Stolen in 2006/2007
http://www.computerworld.com/article/2539588/security0/tjx-violated-nine-of-12-pci-controls-at-time-of-breach--court-filings-say.html
In The News
40 million credit and debit cards potentially compromised in 2013
https://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html
In The News
Data Breach Compromises 56 Million Credit Cards in 2014
https://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened-because-of-a-basic-network-segmentation-error.html
In The News
143 million accounts compromised in 2017
https://www.wired.com/story/equifax-breach-no-excuse/
Audience Participation!
Scenario Analysis & Scoping
System Topology
• Identify how Payment Card information gets into your organization
• Take a close look at the system the Payment Card was entered into
• How is it connected in the network?
• What is the internet firewall?
• What else is it connected to?
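To make the scoping questions above concrete, here is an added example (not from the deck) that models the systems of a small company like the ones in these scenarios and classifies each as CDE, connected-to, third-party or out of scope, once for a flat office network and once with the BMS segmented away. Component names, segments and links are constructed for illustration, and the rules are a simplified reading of the PCI SSC scoping guidance, not the standard's text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    segment: str               # network segment (VLAN) the component sits on
    handles_chd: bool = False  # stores, processes or transmits cardholder data
    third_party: bool = False  # run by an outside provider (e.g. payment gateway)


def classify(components, links):
    """Return {component name: category}.

    Simplified reading of the PCI SSC scoping guidance (an assumption of this
    example, not the standard's exact wording):
      'CDE'           stores/processes/transmits CHD, or shares a network
                      segment with something that does (no segmentation)
      'connected-to'  has a permitted connection into the CDE across a
                      segment boundary; still in scope for PCI DSS
      'third-party'   outside provider assessed under its own compliance;
                      you still have to manage it as a service provider
      'out-of-scope'  no CHD and no connectivity to the CDE
    """
    by_name = {c.name: c for c in components}
    adjacent = {c.name: set() for c in components}
    for a, b in links:                 # each link is a permitted network flow
        adjacent[a].add(b)
        adjacent[b].add(a)

    third_party = {c.name for c in components if c.third_party}
    # Rule 1: anything that touches cardholder data is in the CDE.
    cde = {c.name for c in components if c.handles_chd} - third_party
    # Rule 2: without segmentation, the whole segment becomes the CDE.
    cde_segments = {by_name[n].segment for n in cde}
    cde |= {c.name for c in components
            if c.segment in cde_segments and c.name not in third_party}
    # Rule 3: anything with a direct path into the CDE is in scope as well.
    connected = {m for n in cde for m in adjacent[n]} - cde - third_party

    result = {}
    for c in components:
        if c.name in third_party:
            result[c.name] = "third-party"
        elif c.name in cde:
            result[c.name] = "CDE"
        elif c.name in connected:
            result[c.name] = "connected-to"
        else:
            result[c.name] = "out-of-scope"
    return result


def in_scope(classification):
    """Sorted names of the components you must assess against PCI DSS."""
    return sorted(n for n, cat in classification.items()
                  if cat in ("CDE", "connected-to"))


# Constructed scenario 1, "the reality most of us face": one flat office LAN
# where the BMS that takes phone orders sits next to every other machine.
FLAT = [
    Component("bms", "office-lan", handles_chd=True),
    Component("bms-db", "office-lan", handles_chd=True),
    Component("accounting-pc", "office-lan"),
    Component("sales-pc", "office-lan"),
    Component("file-server", "office-lan"),
    Component("printer", "office-lan"),
    Component("payment-gateway", "internet", handles_chd=True, third_party=True),
]
FLAT_LINKS = [("bms", "bms-db"), ("bms", "payment-gateway"),
              ("accounting-pc", "bms"), ("sales-pc", "bms")]

# Constructed scenario 2: BMS and database moved behind a firewall into their
# own segment; only accounting keeps a permitted path to the BMS.
SEGMENTED = [
    Component("bms", "cde-vlan", handles_chd=True),
    Component("bms-db", "cde-vlan", handles_chd=True),
    Component("accounting-pc", "office-lan"),
    Component("sales-pc", "office-lan"),
    Component("file-server", "office-lan"),
    Component("printer", "office-lan"),
    Component("payment-gateway", "internet", handles_chd=True, third_party=True),
]
SEGMENTED_LINKS = [("bms", "bms-db"), ("bms", "payment-gateway"),
                   ("accounting-pc", "bms")]

if __name__ == "__main__":
    for label, comps, links in (("flat", FLAT, FLAT_LINKS),
                                ("segmented", SEGMENTED, SEGMENTED_LINKS)):
        print(label, "in scope:", in_scope(classify(comps, links)))
```

On the flat network every office machine lands in the CDE; after segmentation only the BMS, its database and the one workstation with a permitted path remain in scope, which is why the "what else is it connected to?" question matters.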
Audience Participation: Draw the way Payment Card data flows through your ecosystem.
Let's take a look at some system examples.
[Diagram] Ecommerce Example #1: Web Browser, 3rd Party Website, Database, Business Management System, Payment Gateway Service
[Diagram] Ecommerce Example #2: Web Browser, 3rd Party Website, Database, Business Management System, Payment Gateway Service
[Diagram] On Premise BMS Processing: Database, Business Management System, Payment Gateway Service
[Diagram] 3rd Party Cloud Based BMS Processing: Database, Business Management System, Payment Gateway Service, Cloud BMS
[Diagram] Reality Some of Us Face ...: Database, Business Management System, Payment Gateway Service, Cloud BMS, Internet
[Diagram] Reality Most of Us Face …
Process Flow: Taking Payment Card Info by Phone
• VOIP?
• Person answering phone takes the Payment Card info
• Person transfers to the Accounting Department and they repeat the process
Process Flow: Entering Payment Card Info into Your System
• Employee gets the Payment Card Information from the Buyer
• Employee is logged into their computer
• Employee is on the network
• Employee opens the System
• Employee enters the data on the system and it’s sent over the network to processor
Process Flow: Brick and Mortar
• End User walks to Kiosk
• End User hands card to Clerk
• Clerk enters Card into system
Or
• End User walks to Kiosk
• End User Inserts card into Terminal
Breaking down the 12 PCI Requirements
PCI Requirements: Firewall
Requirement #1
• Install and maintain a firewall configuration to protect cardholder data
• ~22 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Passwords
• Requirement #2 - Do not use vendor-supplied defaults for system passwords and other security parameters
• ~12 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Stored Data
• Requirement #3: Protect stored cardholder data
• ~23 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Encryption
• Requirement #4: Encrypt transmission of cardholder data across open, public networks
• ~4 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Antivirus
• Requirement #5: Protect all systems against malware and regularly update antivirus software or programs
• ~6 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Security
• Requirement #6 - Develop and maintain secure systems and applications
• ~29 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Access
• Requirement #7 - Restrict access to cardholder data by business need-to-know
• ~10 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Access ID
• Requirement #8 - Identify and authenticate access to system components
• ~25 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Physical Access
• Requirement #9 - Restrict physical access to cardholder data
• ~27 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Monitor
• Requirement #10 - Track and monitor all access to network resources and cardholder data
• ~34 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Testing
• Requirement #11 - Regularly test security systems and processes
• ~17 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements: Policy
• Requirement #12 - Maintain a policy that addresses information security for all personnel
• ~41 requirements
2017 non-compliance attributed to data breach
Source: SecurityMetrics' Payment Card Industry Forensic Investigation
PCI Requirements Summary
• Sweet, only 12 requirements!
  • I can start this in Q4 after I get everything else done
• OMG, ~250 requirements!
  • I’ll never get that done, I don’t have time for that! I’m just not going to start!
How to Comply: Prioritized Approach
https://www.pcisecuritystandards.org/document_library
Helps you identify and hit highest risk areas first for quick wins
• Phase 1 – 4%
• Phase 2 – 37%
• Phase 3 – 10%
• Phase 4 – 21%
• Phase 5 – 12%
• Phase 6 – 15%
How to Comply: Merchant Levels
• Merchant Levels
  • Level One: Over 6m Payment Card transactions per year
    • QSA required
    • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
    • Quarterly network scan by Approved Scanning Vendor (ASV)
    • Penetration Test
    • Internal Scan
    • Attestation of Compliance Form
  • Level Two: 1m to 6m Payment Card transactions per year
  • Level Three: 20k to 1m Payment Card transactions per year
  • Level Four: Under 20k Payment Card transactions a year
    • Annual SAQ
    • Quarterly network scan by ASV
    • Attestation of Compliance Form
    • Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan)
How to Comply: The Self Assessment Questionnaire
• SAQ
• Which is right for you?
• Good news, there’s a chart for that
SAQ
How to Comply: A 6-Step Process
1. Scope: Determine which system components and networks are in scope for PCI DSS. Good news: You started this today! ☺
2. Assess: Examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement. Use the Prioritized Approach.
3. Report: Assessor and/or entity completes required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls. Know if you are eligible for SAQ, and what SAQ to do.
4. Attest: Complete the appropriate Attestation of Compliance (AOC). Sign off on the SAQ.
5. Submit: Submit the SAQ, ROC, AOC and other requested supporting documentation such as ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service providers). Send it out.
6. Remediate: If required, perform remediation to address requirements that are not in place, and provide an updated report. Repair and report.
Reference Links
• References
  • https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf?agreement=true&time=1506439109190
  • https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1506629950439
  • https://www.pcisecuritystandards.org/document_library
• Attach Prioritized Approach
• Attach Quick Guide
• PCI_DSS_V3-2
The Big Questions to Ask
• What is in scope?
• Is it in compliance?
Review
• What is PCI and Why Should I Care?
• Scoping
• PCI Requirements
• How to Comply
Thank You! Connect on LinkedIn! http://linkedin.com/in/adam-taylor-a8510b2
Please complete your session evaluation now to receive credit for session attendance.