PCI Training

The document outlines the Payment Card Industry Data Security Standards (PCI DSS) training for merchants, detailing the objectives, compliance requirements, and consequences of non-compliance. It emphasizes the importance of protecting cardholder data through various methods such as encryption, tokenization, and compliance with all 12 PCI DSS requirements. Additionally, it provides an overview of merchant levels and validation requirements, along with best practices for data security.

Payment Card Industry Data Security Standards (PCI DSS) for Merchants
Objectives

After completing this training, the merchant will be able to:

● Understand the purpose and requirements of PCI DSS
● Consider the consequences of PCI DSS non-compliance and how to avoid it
● Evaluate methods for protecting cardholder data
Training Outline

● Part 1: Introduction to PCI DSS
● Part 2: PCI DSS Non-Compliance
● Part 3: Protecting the Consumer
Scope: Who Needs This Training?

Merchants who provide products or services that involve the processing, storing, or transmission of account data.
Intro to PCI DSS

Key Compliance Players

PCI SSC - Payment Card Industry Security Standards Council

● Global industry standards body providing oversight on the ongoing development, enhancement, and implementation of the Payment Card Industry Data Security Standards (PCI DSS).

Payment Card Brands: Visa, Mastercard, American Express, Discover, JCB International

● All brands incorporate the PCI Data Security Standard into their data security compliance programs
● Participate in the tracking and enforcement of merchant compliance deadlines
PCI DSS: An Overview

● PCI DSS - Payment Card Industry Data Security Standard
  ○ Standards that globally govern all entities that store, process, or transmit cardholder data
  ○ Applicable to all merchants regardless of size/volume
  ○ Requires annual assessment (either an SAQ - Self-Assessment Questionnaire, or by engaging a QSA - Qualified Security Assessor)
  ○ Comprised of 12 requirements with a total of 220 sub-requirements
  ○ Pass or fail, no partial compliance
  ○ Comprised of both technical and non-technical security controls
PCI DSS Requirements

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
PCI Merchant Levels and Validation Requirements

Level 1
Criteria: Merchants processing over 6 million transactions annually across all channels.
Requirements:
Annual:
● Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
● Submit an Attestation of Compliance (AOC)
Quarterly:
● Network scan by an Approved Scan Vendor (ASV)

Level 2
Criteria: 1 to 6 million transactions annually across all channels.
Requirements:
Annual:
● Self-Assessment Questionnaire (SAQ) completed by a certified Internal Security Assessor (ISA), or engage a QSA for an onsite audit
● Submit an Attestation of Compliance (AOC) form
Quarterly:
● Network scan by an Approved Scan Vendor (ASV)

Level 3
Criteria: 20,000 to 1 million e-commerce transactions annually.
Requirements:
Annual:
● Self-Assessment Questionnaire (SAQ)
● Submit an Attestation of Compliance (AOC) form
Quarterly:
● Network scan by an Approved Scan Vendor (ASV)

Level 4
Criteria: Merchants processing less than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.
Requirements:
Annual:
● Self-Assessment Questionnaire (SAQ)
● Submit an Attestation of Compliance (AOC) form
Quarterly:
● Network scan by an Approved Scan Vendor (ASV) (if applicable)
Knowledge Check

True or False?

Merchants can select which of the 12 PCI DSS requirements they feel best apply to their business and abide by only those.

Answer: False - Merchants must abide by all 12 requirements to be considered compliant; there is no partial compliance.
PCI DSS Non-Compliance

Consequences of Non-Compliance

● Account data breach
● Brand / market reputational damage
● Fine assessments
● Account closure and/or loss of privilege to offer payment card processing

Tools & Strategies to Avoid Non-Compliance

● Annual security assessment - includes an incident response plan in the event of a data breach
● Quarterly network scans (as applicable)
● Consult with industry professionals (acquirer, qualified security assessor, card brands, sponsor bank, vendors, etc.)
Knowledge Check

Practice Question

TRUE or FALSE:

Merchants can complete an annual security assessment to avoid non-compliance penalties.

Answer: True - Performing an annual security assessment will address requirements to avoid non-compliance penalties.
Protecting the Consumer

Best Practices for Protecting Data

● Encryption
● Tokenization
● Truncation and Masking

Encryption

● PCI requires all transmission of cardholder data over the Internet to be encrypted at all times.
● Not all encryption is created equal.
● If encryption keys are used, key management processes and policies must be followed.
● In payments, most processors and gateways use Hardware Security Modules to encrypt/decrypt data.
Tokenization

● Uses software and/or hardware to substitute the primary account number (PAN) with meaningless digits.
● Can be reversible or irreversible.
● Merchants and service providers never see the PAN.
● Does not reduce or eliminate PCI compliance scope, but does effectively limit the amount of cardholder data in the environment.
Truncation and Masking

● Truncation applies to storage of the PAN and renders portions of the PAN unreadable and unrecoverable.
● Masking is a technique to "mask" portions of the PAN before it is displayed or printed. The full PAN is still stored.
● Truncated PAN is NOT considered cardholder data.
● Masked PAN IS considered cardholder data, since the full PAN is still stored.
● Use truncation over masking whenever possible.

What is PII?

Personally Identifiable Information (PII) is any data that could potentially be used to identify a particular person.

● Full Name
● Social Security Number
● Driver's License Number
● State Issued ID card number
● Bank account number
● Email address
● Credit Card number, Debit Card Number, or Account number combined with a security code, access code, PIN or password
Processing, Storing, and Sharing PCI & PII

● Must be encrypted when being transmitted over the public Internet.
● Storing the CVV, PIN block, and service code is prohibited by PCI.
● Store only what is necessary for business operations.
● PII data protection laws vary from state to state.
● Make every effort to "de-value" data by using truncation and tokenization.
● The privacy policy dictates how, what, and with whom PII data is stored and shared.
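As an added example (not part of the training deck), the Python below shows the truncation versus masking distinction from the previous slide and a simple check for full PANs left in application logs, one way to enforce "store only what is necessary". It assumes the common first-six/last-four convention, which the slides do not specify, and runs on a constructed log sample that uses a well-known test card number.

```python
import re

# Constructed sample log lines (not from the page): one line leaks a full PAN,
# one carries a masked PAN, one a truncated PAN, and one a non-card reference number.
SAMPLE_LOG = """\
2024-01-01 12:00:01 order=1001 card=4111111111111111 status=approved
2024-01-01 12:00:02 order=1002 card=411111******1111 status=approved
2024-01-01 12:00:03 order=1003 card=4111111111 status=approved
2024-01-01 12:00:04 order=1004 ref=1234567890123 status=approved
"""

# Candidate PAN: 13 to 19 contiguous digits not adjoining other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits (assumed convention). The middle digits
    are discarded and cannot be recovered, so the result is no longer cardholder data."""
    return pan[:6] + pan[-4:]


def mask_pan(pan: str) -> str:
    """Replace the middle digits for display only. The caller still holds the
    full PAN, so the stored record remains cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_full_pans(text: str) -> list[str]:
    """Return Luhn-valid full PANs found in text. Truncated (10-digit) and masked
    (asterisked) forms are not matched, mirroring the slide's distinction."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    for pan in find_full_pans(SAMPLE_LOG):
        print("full PAN in log:", pan, "-> store at most", truncate_pan(pan),
              "display as", mask_pan(pan))
```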
Knowledge Check

Practice Question

TRUE or FALSE:

Data can be sent over a public network unencrypted.

Answer: False - Data must be encrypted when transmitted over the public Internet.
Knowledge Check - Final Assessment

Question 1:

In PCI DSS, an SAQ is a:

A. Single Account Quota
B. Self-Assessment Questionnaire
C. Security Assessment Questionnaire
D. Security Applicability Quiz

Question 2:

VISA, MasterCard, American Express, and Discover are referred to as:

A. Payment processors
B. Payment card brands
C. Merchants
D. PCI SSC

Question 3:

Access to cardholder data should be based on:

A. Business convenience
B. Employee's mood
C. Business need to know
D. Workload for the day

Question 4:

Which one below is not PII?

A. Social Security Number
B. Driver's License Number
C. Email Address
D. Favorite Color

Question 5:

TRUE or FALSE?

Truncated PAN is still considered cardholder data.

Question 6:

An annual Report on Compliance (ROC) is required from a merchant at which PCI Level?

A. Level 1
B. Level 2
C. Level 3
D. Level 4

Question 7:

TRUE or FALSE:

Merchants never see the PAN when tokenization is utilized.

Question 8:

PCI compliance is mandatory for merchants accepting what volume of credit card transactions annually?

A. Less than 1 million transactions annually
B. From 1 million to 6 million transactions annually
C. More than 6 million transactions annually
D. All merchants regardless of size must be compliant if they accept credit cards

Question 9:

TRUE or FALSE?

Merchants should use vendor-supplied defaults for system passwords and other security parameters.

Question 10:

Best practices for protecting cardholder data include all the following except:

A. Tokenization
B. Encryption
C. Truncation
D. Covering
Answer Key

Q1: B
Q2: B
Q3: C
Q4: D
Q5: FALSE
Q6: A
Q7: TRUE
Q8: D
Q9: FALSE
Q10: D
Congratulations!

Your successful completion of this course serves as acknowledgement of the PCI DSS requirements. Thank you for protecting our consumers!

For additional PCI DSS information, please visit: https://www.pcisecuritystandards.org/
