get pci compliant - martin gronow direct
Post on 14-Jan-2015
How to tackle the PCI Issue
Corporate Presentation
Grand Connaught Rooms – 1st May 2012
Martin Gronow – Product Line Manager – TTB
Peter Jackson – Head of Risk Consultancy Group - IRM
Information Risk Management Plc
3rd Floor Winchester House | 259 – 269 Old Marylebone Road | London NW1 5RA | UK Tel+44 (0)20 7808 6420 | Fax +44 (0)20 7808 6421
info@irmplc.com http://www.irmplc.com
IRM is a company registered in England with Company Number 3612719.
IRM Key Facts & Background
• Founded in 1998 to provide assurance services to FTSE 250 companies
- Technical Assurance
- Network Security
- Data forensics
• Joined CESG CHECK Scheme in 2001
• Joined PCI DSS Scheme in 2005
• Progressed into business risk consulting
- Compliance
- Standards
• Defined CREST standards for network forensics
• Virtual team supplier to MoD and GCHQ
Service Portfolio
Background
• PCI DSS Services
• Security Risk Assessment
• Security Management
• Technical Assurance
• Network forensics managed services
• Security Management Services
Managed Services
• NetFACTS
• OmniPORT
“IRM has worked extremely hard to be flexible to meet our changing demands and requirements. They are our security partner of choice” CISO, Cable & Wireless Worldwide
Security, Privacy, Trust
Our Capability
Certifications
• CLAS and CHECK (Team Leader / Team Member)
• PCI QSA / QFI
• CISCO CCSP
• CHECKPOINT CCSA / CCSE
• CISA / CISM
• SANS GIAC CHTQ
• OSSTMM OPST / OPSA / Trainer
• GSEC
• Lead Auditor ISO 27001
• MBCS
• MSc
• EnCe
• CISMP
• ISC(2) CISSP
• ISEB Business Continuity Practitioner
• Consultants background checked prior to employment
• Consultants are cleared up to DV as required
“IRM’s consultants are active within the security industry and sit on various panels and have been instrumental in establishing bodies such as CREST.”
Example Clients & Frameworks
Requirement For PCI
Penalties for non-compliance can include the following:
• Fines of $500,000 per data security incident
• Fines of $50,000 per day for non-compliance with published standards
• Liability for all fraud losses incurred from compromised account numbers
• Liability for the cost of re-issuing cards associated with the compromise
• Suspension of merchant accounts
What is PCI DSS?
Stands for Payment Card Industry Data Security Standard.
Purpose – protecting cardholder data to help prevent fraud.
Scope – any business that stores, processes or transmits cardholder data, including taking payments over the phone.
If these calls are recorded, the recordings become subject to PCI DSS.
The standard requires that the sensitive authentication data listed in the table below is not stored. Violation is subject to fines.
Cardholder data – must be encrypted or not stored:
• Primary Account Number (PAN)
• Cardholder name
• Service Code
• Expiration Date
Sensitive authentication data – must not be stored:
• Full Magnetic Stripe Data
• CAV2/CVC2/CVV2/CID
• PIN/PIN Block
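The two storage rules above are the ones a call-recording pipeline has to enforce before a recording (or its transcript) is retained. The following Python script is an added example, not code from the presentation or from the IRM/TTB product: it runs over a constructed agent/caller transcript, finds candidate PANs by digit-run and Luhn check, replaces each PAN with a masked form, and removes any spoken security code or PIN outright rather than masking it. The sample transcript, the function names and the decision to keep only the last four PAN digits in the stored copy are assumptions made for the example.

```python
import re

# Constructed sample transcript (not from the page): an agent taking a card
# payment over the phone, the scenario the presentation says brings a
# recorded call into PCI DSS scope. The order number is a Luhn-invalid
# 13-digit run, included to show that not every long number is a PAN.
SAMPLE_TRANSCRIPT = (
    "Agent: can I take the long number on the front of the card?\n"
    "Caller: sure, it's 4111 1111 1111 1111.\n"
    "Agent: expiry date?\n"
    "Caller: 12/26.\n"
    "Agent: and the three digit security code on the back?\n"
    "Caller: 737.\n"
    "Agent: thanks, your order number is 1234567890123.\n"
)

# 13 to 19 digits, optionally separated by spaces or dashes as callers read them out.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# A sensitive-authentication-data keyword followed (within 40 non-digit
# characters) by a 3- or 4-digit group: the spoken CVV2/CVC2/CID or PIN.
SAD_RE = re.compile(
    r"\b(security code|cvv2?|cvc2?|cid|pin)\b(\D{0,40}?)(\d{3,4})", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_transcript(text: str) -> tuple[str, list[str]]:
    """Apply the two PCI DSS storage rules to a transcript.

    Cardholder data (the PAN) is masked so the stored copy holds only the last
    four digits; sensitive authentication data (security code, PIN) is removed
    entirely. Returns the redacted text and a list of what was done.
    """
    findings: list[str] = []

    def mask_pan(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # not a card number, e.g. an order reference
        findings.append(f"PAN masked (last four {digits[-4:]})")
        return "*" * (len(digits) - 4) + digits[-4:]

    def drop_sad(m: re.Match) -> str:
        findings.append(f"{m.group(1)} value removed")
        return m.group(1) + m.group(2) + "[REMOVED]"

    text = PAN_RE.sub(mask_pan, text)
    text = SAD_RE.sub(drop_sad, text)
    return text, findings


if __name__ == "__main__":
    redacted, log = redact_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    for entry in log:
        print("-", entry)
```

The expiry date is left in place because the table classes it as cardholder data, which may be stored if protected; in a real pipeline the redacted transcript and the retained recording would then go to encrypted storage, which this example does not implement.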
PCI Enforcement
Merchants are classified according to the number of transactions processed.
• Level 1 – Any merchant processing over 6m MasterCard and Visa card transactions per year
• Level 2 – Any merchant processing 1m-6m Visa or MasterCard transactions per year
• Level 3 – Any eCommerce merchant processing up to 1m Visa or MasterCard transactions per year
• Level 4 – Any merchant processing <20k or up to 1m Visa or MasterCard transactions per year
Is PCI Mandatory?
• Yes – PCI compliance is a contractual obligation
• Visa/MasterCard require all merchants and service providers to be validated against PCI DSS v2.0
• Smaller merchants are not required to explicitly validate compliance, but…
• Non-compliance may trigger penalties and/or fines in the event of a breach
• Data breaches can be subject to Data Protection laws
• The Information Commissioner's Office regards compliance with PCI as basic best practice
The one big thing:
Cloud-based Hosted call recording solution
- Designed specifically to help customers meet PCI DSS
- Delivered with minimal cost, effort or disruption
The next big thing:
Hosted Call Recording PCI helps Prevent fraud.
- Removes sensitive information from vulnerable areas
- Live Agent telephone ordering
Simple but flexible:
- No complex integration
- Ideal for Remote workers or 3rd party Call Handling
- Disaster Recovery solution
Product/Proposition Overview
Benefits of Hosted Call Recording
Pay as you go service
- No set-up fees or capital investment
- No Maintenance or Upgrade costs
- Simple monthly charge
No capacity worries
- Calls automatically recorded as they transit the network
- Record inbound, outbound or both
- No line or equipment limits
- Store for 1 day, 100 days or forever
Simple but flexible:
- Recordings stored at multiple locations
- Secure retrieval interface
- Ideal for Remote workers or 3rd party Call Handling