Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação


Page 1: Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação

PCI Payment Protection Resources for Small Merchants

Carlos Caetano, Associate Regional Director – Brazil at PCI Security Standards Council

Page 2:

Agenda

Background

Resources

Call to Action

What’s Next

Intro

Page 3:

Intro

Page 4:

What is the PCI Security Standards Council?

Collaboration

Education

Simplified solutions for merchants

Page 5:

What does PCI Council Produce?

Standards, Best Practices & Services

Training – Assessors, Acquirers, Integrators

Validation & Qualification – Equipment, Service Providers, Assessors, Investigators

Payment Equipment • Payment Software • Merchant & Payment Service Provider Environments

Page 6:

What’s this all about?

Page 7:

Why?

Small businesses around the world are increasingly targets for payment data theft

77% believe that their company is safe from cyber attacks

80% of websites attacked everyday belong to small merchants

Nearly half of global cyberattacks in 2015 were against small businesses

48% of small businesses have been hit by at least one cyber-attack in the past 12 months

20% see cyber security as a top business priority

10% have never invested in improving the security of their website

54% of SMEs say they’re concerned their business could be at risk from an attack

Page 8:

Current Threats

SQL Injection

Weak Passwords

Spear Phishing

Malware / Ransomware

Remote Attack Vector

Poor Patching

“No locale, industry or organization is bulletproof when it comes to the compromise of data” – Verizon 2016 DBIR

Page 9:

Birth and Rebirth of a Data Breach

• Targeted phishing campaign against vendor

• Person clicks on email and malware installation occurs

• Keylogger deployed and client’s environment static auth credentials stolen for final-target access

• Malware installed directly in final victim’s POS system

• Malware functionalities of scraping RAM and exporting data, establishment of control and persistence

Source: Verizon 2016 Data Breach Investigations Report

Page 10:

Small Merchant Task Force

Page 11:

PCI Small Merchant Task Force – Objective

Collaborate with the PCI community to address the needs of the small merchant market segment by providing guidance that:

• Is simple, easy to understand and relevant to the unique needs of small merchants

• Helps small merchants understand their responsibility for protecting payment card data and to identify and mitigate areas of risk in their environment

• Provides small merchants with the information needed when assessing their own environment, working with a QSA, and/or considering a new payment channel, vendor or service provider

Page 12:

Global Participation: Merchants & Merchant Partners

“If the larger merchants and financial institutions themselves cannot be protected from data breaches, you can imagine how difficult protection is for independent small business owners.”

“An issue that many small businesses have is that they do not have the in-house resources to be experts in all aspects of running a business. Small businesses rely on external expertise to simplify the complicated.”

Page 13:

Meet Mary, Ms. Small Business

Mary, wine bar owner

On her mind

• “How do I sell more wine?”

• “How do I differentiate my customers’ experience in a saturated market?”

• “How do I find and keep good employees?”

Who she calls

• Her bank.

• The 1-800 number on the sticker that’s on her payment system.

Her needs

• To understand why/how she’s at risk.

• The right questions to ask her bank and her payment system vendor for help.

• Simple steps she can take.

Her dilemma

• She wants to do the right thing for her customers and her business

• BUT, she doesn’t have time to understand “SSL Rootkits”

Page 14:

Content Development Approach

Audience

Simple, not exhaustive

Accessible

Measurable

Page 15:

Simplifying Security

Page 16:

Simplifying Security – Payment Protection Resources for Small Merchants

Page 17:

Simplifying Security – Guide to Safe Payments

Page 18:

Simplifying Security – Guide to Safe Payments – Understanding Your Risk

Page 19:

Simplifying Security – Guide to Safe Payments – Understanding Your Risk

Page 20:

Simplifying Security – Guide to Safe Payments – Protecting Your Business with Security Basics

Cost

Ease

Risk Mitigation

Page 21:

Simplifying Security – Guide to Safe Payments – Protecting Your Business with Security Basics

Page 22:

Simplifying Security – Guide to Safe Payments – Where to Get Help

Payment Brand List

• List of Compliant Service Providers

PCI DSS and Related Guidance

• More about PCI DSS

• PCI DSS Self-Assessment Questionnaires

• Guide: Skimming Prevention: Overview of Best Practices for Merchants

PCI Council Listings

• List of Validated Payment Applications

• List of Approved PTS Devices

• List of Approved Scanning Vendors

• List of Qualified Integrators/Resellers

• List of P2PE Validated Solutions

Page 23:

Simplifying Security – Common Payment Systems

Page 24:

Simplifying Security – Common Payment Systems

Page 25:

Simplifying Security – Common Payment Systems – Example

[Interactive diagram: “YES – This IS my setup. Show me the details.” / “NO – This IS NOT my setup. Show me the next step.” / “BACK to previous diagram.” Card types shown: Mag Stripe, Chip. Risk profile: LOWER / LOWER. Type 2 protections.]

Page 26:

Simplifying Security – Common Payment Systems – Example

Page 27:

Simplifying Security – E-commerce example

[Interactive diagram: same YES / NO / BACK navigation. Risk profile: LOWER. Type 10 protections.]

Page 28:

Simplifying Security – E-commerce example

Page 29:

Simplifying Security – Questions to Ask Your Vendors

Page 30:

Simplifying Security – Glossary of Payment Information Security Terms

Page 31:

How Can You Help?

Page 32:

Restaurateurs are not technology experts. They are skilled in culinary arts, general business management and hospitality. Like many small businesses, they are reliant on the expertise of others in the cybersecurity space. In order for small restaurants to thrive in the digital age, they will need significant help from the broader technology and security community.

David Matthews, National Restaurant Association, PCI Small Merchant Taskforce Co-Chair

Page 33:

Call to Action

Visit PCI SSC website

Download

Share

Co-brand

https://www.pcisecuritystandards.org/pci_security/small_merchant

How You Can Help

Page 34:

Regional Participant Organizations

Page 35:

Participating Organization Benefits

• Advance review of standards and supporting materials before release, with the opportunity to provide feedback

• Complimentary attendance at annual Community Meetings hosted by the Council

• Substantial training discounts; courses are offered in instructor-led and eLearning formats

• Nominate and vote for representatives to stand for election to the Council’s Board of Advisors

• Drive the Special Interest Groups (SIGs) that provide the Council with understanding and guidance on particular topics or technologies

769 PCI Council Participating Organizations

Join us: www.pcisecuritystandards.org/get_involved/participating_organizations

Page 36:

Attend South America Forum and Save

We Need You!

All attendees of the South America Forum will receive a $1,500 savings on a PCI Participating Organization membership. Discount Code will be provided at event.

Check PCI website for more info on the August 2017 event

Page 37:

Get Trained and Ready to Support the Industry

Become a PCI Professional – you’ll be in good company

• Over 2,500 of your colleagues have become PCIPs - why not join them and show off your PCI knowledge?

• Get the three-year credential that’s not tied to your employer.

• When you do, you can show off your professional status since you’ll be listed on the PCI website!

https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification

Page 38:

What’s Next?

Page 39:

Based on feedback, enhance current small merchant materials as needed

Evaluate and propose simple-to-use alternate validation tools and/or SAQs

Formalize communications strategy and determine effectiveness of dissemination methods

2016 / 2017 Focus

Page 40:

Resources

Check Our Document Library for New Resources

www.pcisecuritystandards.org

Page 41:

Thank You