How is skimming used to target PCI data?
By copying payment card numbers through tampered POS devices, ATMs or kiosks, or by reading the magnetic stripe with a handheld skimmer.
How is phishing used to target PCI data?
By doing reconnaissance through social engineering, and/or by breaking in using software vulnerabilities or malicious e-mails.
How can Payment Data be Monetized?
By skimming the card to capture the full track data and then producing a cloned card; by using the card data in card-not-present transactions such as e-commerce, mail order or telephone order; and by selling card data in bulk to other criminals, who perform their own fraud with the stolen data.
Who is targeted?
Retail, Food and Beverage, Hospitality, Financial Services, non-profit. EVERYONE!
What is the PCI SSC?
The Payment Card Industry Security Standards Council is an independent industry standards body providing oversight of the development and management of the Payment Card Industry Data Security Standards on a global basis.
What are the PCI SSC founding payment brands?
American Express, Discover Financial Services, JCB International, Mastercard, Visa Inc.
What are the Resources provided by the PCI SSC?
PCI DSS, PA-DSS, P2PE, PTS (POI, HSM and PIN) Card Production, and supporting documents.
Roster of QSAs, PA-QSAs, PCIPs, ASVs, validated payment applications, PTS Devices, and P2PE solutions
PCI Security Standards Council FAQs
Education and Outreach programs
Participating Organization membership, Community Meetings, feedback.
What is the overview of PCI DSS?
Covers security of the environments that store, process or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers).
What is the overview of PCI PA-DSS?
Covers secure payment applications to support PCI DSS compliance.
A payment application receives account data from PIN-entry devices (PEDs) or other devices and begins the payment transaction.
What is the overview of PCI P2PE?
Covers encryption, decryption and key management requirements for point-to-point encryption solutions.
What is the overview of PCI PTS-POI?
Covers the protection of sensitive data at the point of interaction devices and their secure components, including cardholder PINs and account data, and the cryptographic keys used in connection with the protection of that cardholder data.
What is the overview of PCI PTS-PIN Security?
Covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.
What is the overview of PCI PTS-HSM?
Covers physical, logical and device security requirements for securing hardware security modules.
What is the overview of PCI Card Production?
Covers physical and logical security requirements for systems and business processes.
What PCI DSS compliance program does American Express develop and maintain?
Data Security Operating Policy (DSOP)
What PCI DSS compliance program does Discover develop and maintain?
Discover Information Security Compliance (DISC)
What PCI DSS compliance program does JCB develop and maintain?
Data Security Program
What PCI DSS compliance program does Mastercard develop and maintain?
Site Data Protection (SDP)
What PCI DSS compliance program does Visa Inc. develop and maintain?
Cardholder Information Security Program (CISP) and Account Information Security (AIS) program
What is included in the payment brand compliance programs?
Tracking and enforcement
Penalties, fees, compliance deadlines
Validation process and who needs to validate
Approval and posting of compliant entities
Definition of merchant and service provider levels
What are payment brands responsible for?
Defining rules for forensic investigations and responding to account data compromises.
Monitoring and facilitating investigations of account data compromises to completion.
What is PA-DSS?
Payment Application Data Security Standard.
What does PA-DSS apply to?
Third-party payment applications such as POS software, shopping carts, etc.
What does a PA-DSS do?
Ensures a payment application can function in a PCI DSS compliant manner.
If a merchant uses a PA-DSS validated application, does that mean the merchant is PCI DSS compliant?
No.
Are PA-DSS validated applications in scope for PCI DSS?
Yes.
What is PCI P2PE?
Point-to-Point Encryption.
What must be included in a P2PE solution?
Secure encryption of payment card data at the point of interaction.
P2PE-validated applications at the point of interaction.
Secure management of encryption and decryption devices.
Management of the decryption environment and all decrypted account data.
Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.
What is the relationship between PA-DSS and PCI DSS?
A PA-DSS validated application must facilitate, and not prevent, PCI DSS compliance.
What is the relationship between P2PE and PCI-DSS?
P2PE incorporates requirements from PTS, PCI DSS, PA-DSS and PCI PIN to protect account data from the point of capture until it reaches the payment processor.
What does PTS stand for?
PIN Transaction Security
What is PTS?
PTS is a set of modular evaluation requirements managed by PCI SSC, for PIN acceptance POI terminals.
What is the PTS program about?
The program ensures terminals cannot be manipulated or attached to in a way that allows capture of sensitive authentication data, nor allow access to clear-text PINs or keys.
What does SRED stand for?
Secure Reading and Exchange of Data
What does SRED allow?
It allows terminals to be approved for the secure encryption of cardholder data as part of the Point-to-Point Encryption program.
What does PIN mean?
Personal Identification Number.
What is covered by the PCI PIN Security Requirements?
Secure management, processing and transmission of PIN data.
What is a Cardholder?
The customer: the individual making a purchase of goods or services. The purchase can be a card-present or card-not-present transaction.
Who is the Issuer?
The bank or organization issuing a payment card on behalf of a payment brand (e.g. Visa, Mastercard).
Which Payment Brands issue credit cards directly?
American Express, Discover, JCB
Who is the Merchant?
Organization accepting the payment card for payment during a purchase.
What is an Acquirer?
The bank or entity the merchant uses to process its payment card transactions.
What does the Acquirer do?
It receives the authorization request from the merchant and forwards it to the issuer for approval.
It provides authorization, clearing and settlement services to merchants.