
Webinar: PCI DSS Small Merchant Resources.pdf


PCI Council Small Merchant Security Resources
4 August 2016

Sylvia Auyeung, Director, Merchant Risk
Lester Chan, Director, Merchant Security

Visa Public

Disclaimer

The information or recommendations contained herein are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of any recommendations or programs may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Assumptions were made by us in light of our experience and our perceptions of historical trends, current conditions and expected future developments and other factors that we believe are appropriate under the circumstance. Recommendations are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the assumptions or recommendations. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or non-timeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, and explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of non-infringement of any third party's intellectual property rights, any warranty that the information will meet the requirements of a client, or any warranty that the information is updated and will be error free.
To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages.

PCI Council Small Merchant Security Resources and Compliance | 4 August 2016 Visa Public

Agenda

• Global Data Compromises
• PCI Council Small Merchant Taskforce and Materials
• Guide to Safe Payments
• Common Payment Systems
• Questions to Ask Your Vendor
• Key Takeaways

Global Data Compromises

Breach trends by merchant level

Entity Type    2012    2013    2014    2015
Level 1        <1%     1%      1%      <1%
Level 2        <1%     1%      1%      <1%
Level 3        1%      4%      4%      5%
Level 4        95%     92%     93%     92%
Agent          <1%     2%      1%      <1%
Other          1%      0%      2%      0%
Total          100%    100%    100%    100%

[Chart: Large breach events (levels 1 & 2), 2012 to 2015]

• As a proportion of the total number of breach events, L4s remain the vast majority of compromise cases (93% in 2014-2015)
• At-risk accounts in 2015 were largely attributed to L4 merchants
• Fewer level 1 and 2 breaches in 2015
• Threat actors are targeting smaller interconnected merchants in large numbers
• Restaurants and “other retail” make up the biggest portion of total known breaches
• Quick service restaurants, supermarkets, and lodging make up the other top MCCs
• Level 4 merchants outnumber L1s in the US

Small Merchant Taskforce as a Merchant Resource

Formed to help improve payment data security for small businesses

Participants
• Collaboration from dozens of small merchant owners and franchisees
• Co-chaired by Barclaycard and National Restaurant Association

Purpose
• Communicate unique small business security challenges
• Simplify understanding of PCI DSS
• Provide educational materials that relate to small businesses

Products
• Materials that are easy to understand
• Tips for improved security implementation
• Small merchant resources

1 – Guide to Safe Payments

Infographic with easy-to-understand guidance on data security basics

Understanding Your Risk
Protecting Your Business with These Security Basics
Where to Get Help

* Source: PCI SSC Guide to Safe Payments

Helping Small Merchants Understand Risk

Diagrams and illustrations to explain security basics

The impact of breaches to small businesses
What’s at risk? Understanding data on a payment card
Common payment terms and types of POS terminals
Different risk for different environments and payment systems

* Source: PCI SSC Guide to Safe Payments

Protect Your Small Business

Easy security controls with costs, ease, and risk mitigation scores

* Source: PCI SSC Guide to Safe Payments

Where to Get Help?

Resources and links

* Source: PCI SSC Guide to Safe Payments

2 – Common Payment Systems

Detailed resource on payment system types and how to secure them

1. Before protecting against payment card theft, understand how to accept payments
2. Understand equipment, vendors, partners and how they all fit together
3. Using diagrams and visuals to identify the type of payment system used
4. Understand the type of associated risks with each type of payment system
5. Understand the security steps and controls to protect them

Identify which visual most closely represents the merchant’s payment system
Protect card data and merchant business with security basics
Identify risks and threats

* Source: PCI SSC Common Payment Systems

Dial-Up Payment Terminal Diagram (Simple Model)

[Diagram panels: OVERVIEW, THREATS, RISKS, PROTECTIONS]

* Source: PCI SSC Common Payment Systems

Secure Card Reader Diagram (Sophisticated Model)

Descriptions of more complex point of sale environments

With thorough explanations of risk, threats and controls to protect these more complex environments

* Source: PCI SSC Common Payment Systems

3 – Questions to Ask your Vendors

Helps small merchants know what is needed from vendors and service providers

• Explains the function of vendor or service provider
• Depending on the type, the applicable PCI standard or program
• Includes what to look for and helpful links to card brand programs
• 12 simple questions to ask

* Source: PCI SSC Small Merchant Questions to Ask Your Vendor

Sample Vendor Q&A

Includes desired answer and recommended action based on responses

CATEGORY: How secure is your product?
QUESTION: Does your product/solution protect payment card information using strong encryption?
DESIRED ANSWER FROM VENDOR: YES
RECOMMENDATION ACTION: Encryption is a way of securing information so it is less likely to be stolen. If you can, select from the List of PCI P2PE Validated Solutions, where card data is secured as soon as you receive it and is protected as it travels through your network. If NO, consider another vendor or solution.

* Source: PCI SSC Small Merchant Questions to Ask Your Vendor

Key Takeaways

Easy-to-use toolkit to help small merchants with payment system security

• Small merchant breaches continue to occur
• Simplified PCI DSS validation exercises
• Taskforce formed to address the needs of small businesses and franchisees
• Focused on protecting customer’s cardholder data rather than IT and security
• Guide focuses on risk and includes diagrams, costs, and ease of implementation matrix
• Payment diagrams designed to show data flows from simple to complex systems
• Q&A resource for working with vendors
• Glossary to help with payment terms and information security definitions
• Links for additional references and where to look for help

Resources

Upcoming Webinars – Training page on www.visa.com/cisp
• Protect the Payments System From Account Testing and Fraudulent Authorizations – August 9, 2016
• Guarding Against Card Not Present Fraud – August 24, 2016

Visa Data Security Website – www.visa.com/cisp
• Alerts, Bulletins
• Best Practices, White Papers
• Webinars
• Visa Global Registry of Service Providers – http://www.visa.com/splisting/

PCI Security Standards Council Website – www.pcissc.org
• Small Merchant Resources - https://www.pcisecuritystandards.org/pci_security/small_merchant
• Data Security Standards – PCI DSS, PA-DSS, P2PE, and PTS
• Programs – QSA, ASV, PA-QSA, PFI, ISA, PCIP, and QIR
• Fact Sheets – ATM Security, Mobile Payments Acceptance, Tokenization, Cloud Computing, and many more…

Thank you for attending!
