PCI DSS in Retail Now and into the Future


DESCRIPTION

A presentation from Stephen O’Boyle, Head of Consultancy at Espion, on PCI DSS in retail now and into the future.

TRANSCRIPT

Page 1: Title

For more information visit www.espiongroup.com

PCI DSS in Retail Now and into the Future

Presenter: Stephen O’Boyle, Head of Consultancy

© Espion Sept 2013

Page 2: Agenda

1. Current PCI process – challenges for
   • Small retailers
   • Large retailers
2. Point to Point Encryption (P2PE)
3. PCI DSS v3 Highlights
   – Clarification
   – Additional Guidance
   – Evolving Requirement
4. Summary

Page 3: Current PCI process

• PCI Standards – a strong framework for protecting payment card data
• The principles apply to various environments and industry verticals, including small to large retailers
   – wherever cardholder data is processed, stored, or transmitted
• The size and type of business determine the specific compliance requirements that must be met
• Enforcement and fines are managed by the payment brands / acquirers
   – not by the PCI Council

Page 4: Challenges

• Small Retailers
   – Awareness of compliance requirements
   – Implications of non-compliance
      • Fines, reputational damage
   – Identifying correct scope
   – Performing a self-assessment to the appropriate SAQ

Page 5: Challenges

• Large Retailers
   – Identifying scope
   – Staff awareness
   – Annual audits / SAQ
   – Maintaining compliance
   – P2PE

Page 6: Point to Point Encryption

• Point-to-Point Encryption (P2P Encryption) is designed to
   – Reduce PCI DSS scope
   – Protect cardholder data throughout the electronic payment processing cycle
• Protects data from the moment it is collected at the card swipe until the payment settlement process is complete
• Sometimes referred to as End-to-End Encryption
• “...remember, no silver bullet to securing a payment environment,” said Bob Russo, general manager, PCI SSC
   – “Implementing one of these technologies will not automatically make you compliant with the PCI DSS”.

Page 7: Point to Point Encryption

• Guidance has been produced on P2PE; a compliant solution qualifies for reduced scope. The guidance also states:
   – P2PE solutions do not eliminate the need to maintain PCI DSS compliance for specific systems
   – It recognizes the need for a set of criteria to validate the effectiveness of P2PE solutions, so that merchants can have confidence that the solution they deploy properly secures cardholder data
• Previously, no global standardization of point-to-point encryption technology, or validation of its implementation, existed in the industry.

Page 8: PCI DSS v3 – Change Highlights

• Types of changes to the Standards are categorized as follows:
   1. Clarification
   2. Additional Guidance
   3. Evolving Requirement

Page 9: Clarification – PCI DSS v3

• Enhanced testing procedures to clarify the level of validation expected for each requirement
   – To put more emphasis on the quality and consistency of assessments.
• Clarified that sensitive authentication data must not be stored after authorization, even if the PAN is not present
   – To ensure better understanding of the protection of sensitive authentication data.
• Clarified the intent and scope of daily log reviews
   – To help entities focus log-review efforts on identifying suspicious activity and allow flexibility for the review of less-critical log events, as defined by the entity’s
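The second clarification above (sensitive authentication data, or SAD, may not be kept after authorization even when the PAN itself is absent) is the kind of rule a retailer can check mechanically against what its systems actually store. The following is an added example, not part of the Espion deck: a small audit routine that scans stored post-authorization records for populated SAD fields, for raw magnetic-stripe track data hiding in free-text columns, and for full PANs that should have been masked. The record field names and sample rows are constructed for the example; the SAD categories (full track data, CAV2/CVC2/CVV2/CID, PIN/PIN block) and the first-six/last-four display mask are the ones PCI DSS requirements 3.2 and 3.3 describe.

```python
"""
Added example (not from the Espion deck): a post-authorization storage check
reflecting the PCI DSS v3 clarification that sensitive authentication data
(SAD) must never be retained after authorization, even when the PAN is not
stored. Field names and sample values below are constructed for illustration.
"""
import re

# Fields PCI DSS classes as sensitive authentication data. Full track data,
# card verification codes (CAV2/CVC2/CVV2/CID) and PIN/PIN blocks may never
# be stored after authorization, in any form (hypothetical column names).
SAD_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block"}

# Raw magnetic-stripe track data keeps its shape even inside a free-text
# field: track 1 starts with "%B" + PAN + "^", track 2 is ";" + PAN + "=" +
# expiry/service code.
TRACK1_RE = re.compile(r"%B\d{13,19}\^")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")

# A run of 13-19 digits is a PAN candidate; the Luhn check below filters out
# ordinary reference numbers that happen to be that long.
FULL_PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit numbers are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the most PCI DSS 3.3 allows for display."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_sad(record: dict) -> list[str]:
    """Return the findings for one stored post-authorization record."""
    findings = []
    for key, value in record.items():
        k = key.lower()
        text = "" if value is None else str(value)
        if k in SAD_FIELDS and text != "":
            findings.append(f"SAD field '{key}' is populated")
        if TRACK1_RE.search(text) or TRACK2_RE.search(text):
            findings.append(f"raw track data found in '{key}'")
        # A full PAN outside a SAD field is a masking/encryption finding;
        # inside a SAD field the SAD finding above already covers it.
        for m in FULL_PAN_RE.finditer(text):
            if luhn_ok(m.group()) and k not in SAD_FIELDS:
                findings.append(f"unprotected PAN found in '{key}'")
    return findings


def audit(records) -> dict[str, list[str]]:
    """Map transaction id -> findings, for records that have any."""
    report = {}
    for r in records:
        findings = find_sad(r)
        if findings:
            report[r["txn_id"]] = findings
    return report


# Constructed sample rows, as a settlement or reporting table might keep them.
# 4111111111111111 is the well-known Visa test number, not a real card.
SAMPLE_RECORDS = [
    {"txn_id": "T1001", "pan_masked": "411111******1111", "auth_code": "A1B2C3", "cvv2": ""},
    {"txn_id": "T1002", "pan_masked": "411111******1111", "cvv2": "123"},       # SAD retained
    {"txn_id": "T1003", "note": "retry ;4111111111111111=2512101 declined"},   # track 2 in free text
    {"txn_id": "T1004", "pan": "4111111111111111"},                            # full PAN unprotected
]

if __name__ == "__main__":
    for txn, found in audit(SAMPLE_RECORDS).items():
        print(txn, found)
```

Running the block reports T1002, T1003 and T1004 and stays silent on T1001, whose CVV2 column is present but empty and whose PAN is already masked. The free-text case (T1003) is the one worth noting: SAD leaks most often through retry notes, debug logs and exception messages rather than through a column that was deliberately designed to hold it, so a storage audit has to look at every text field, not just the ones named after card data.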

Page 10: Additional Guidance – PCI DSS v3

• Added guidance for all requirements, with content from the former Navigating PCI DSS Guide
   – To assist understanding of the security objectives and intent of each requirement
• Added guidance for implementing security into business-as-usual (BAU) activities and best practices for maintaining on-going PCI DSS compliance
   – To address compromises where the organization had been PCI DSS compliant but did not maintain that status.
   – Recommends a focus on helping organizations take a proactive approach to protecting cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.

Page 11: Evolving Requirement – PCI DSS v3

• Update the list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc., for inclusion in secure coding practices
   – To keep current with emerging threats
• Evaluate evolving malware threats for systems not commonly affected by malware
   – To promote on-going awareness and due diligence to protect systems from malware

Page 12: Summary

• Current PCI process
• Point to Point Encryption (P2PE)
• Highlights of changes in PCI DSS v3

Page 13: Questions

???

Contact: [email protected]

Page 14: About Espion

Expertise, Innovation & IP

• Information Risk, Security & Compliance
• Digital Investigations & Litigation Support
• Insight, Intelligence & Control
• Technology & Product Distribution
• Knowledge Transfer and Certification

Page 15: About Espion

Seven locations and growing.

Page 16: About Espion

57 consultants and hiring.

Page 17: About Espion

Highly qualified and continuously developing.

Page 18: About Espion

A culture of achieving.