
1 / 33
PCI Overview

Lesson Overview

This lesson provides an introduction to the payment card industry (PCI), self-regulation measures that protect valuable cardholder data, and the importance of compliance with security standards. You will learn about four main topics:

  1. PCI at a Glance
  2. Regulatory Environment
  3. Compliance Validation Requirements
  4. Compromise Statistics

2 / 33
Section Objectives

By the end of this section, you will be able to list the major players in the Payment Card Industry and recognize the life cycle of a credit card transaction, the various merchant acceptance channels and the Visa and MasterCard merchant levels.

Topics

  • The Payment Card Industry
  • Processing Credit Card Transactions
  • Data Supporting a Transaction
  • Merchant Acceptance Channels
  • Visa/MasterCard Merchant Levels

3 / 33
The Players

PCI stands for the Payment Card Industry, which is an association of the major card brands, associated banks and anyone who processes or uses credit cards.

  • Card Brands: The major card brands, including Visa, MasterCard, Discover, JCB and American Express, are each comprised of financial institutions that issue credit cards and/or sign merchants to accept credit cards for payment of goods and services.
  • Acquirer: A financial institution that signs up merchants to accept credit card payments and makes sure the merchant gets reimbursed for the credit card payments they accept on behalf of their customers.
  • Processors: Provide authorization and settlement services for all credit card transactions for each of the card types accepted by a merchant. All transactions require a front-end and a back-end processor.
  • Issuer: A financial institution that provides consumers with branded cards or other branded products.
  • Independent Sales Organization (ISO) / Merchant Service Provider (MSP): A company or organization that provides transaction processing solutions to merchants, such as point of sale systems.
  • Merchant: A store, restaurant, online retailer, hotel, airline or other entity that accepts credit cards as payment.
  • Cardholder: A consumer using a payment card during a purchase.
4 / 33
When a cardholder uses their credit card to make a purchase, each of the major players in the Payment Card Industry has a role. The transaction proceeds in six steps:

  1. A Cardholder uses a credit card to make a purchase. The Merchant swipes the card and transmits an authorization request to the Acquirer. For transactions where the credit card is not physically presented to the Merchant (such as a phone order), the Merchant can input the card account number and other information.
  2. The Acquirer sends an authorization request to the Processor. The Processor passes the request to the Issuer, who approves or declines the transaction. The Processor then returns the authorization response to the Acquirer.
  3. The Acquirer then forwards the authorization response to the credit card terminal or software. The Merchant receives an authorization number (or decline code) and completes the transaction accordingly by requesting the Cardholder's signature and/or providing them a copy of their receipt.
  4. The Merchant deposits the transaction receipt with the Acquirer, and the Acquirer credits the Merchant's account.
  5. The Acquirer submits the transaction for settlement via the Processor. The Processor then requests that the Issuer reimburse the Acquirer for the cost of the transaction.
  6. The Processor then requests that the Issuer debit the Cardholder's account for the amount of the sale. The Issuer also posts the transaction to the Cardholder's account, where it will appear on the Cardholder's monthly statement.
5 / 33
What Data Can I Store?

One way the PCI DSS protects cardholder data is by restricting what kinds of data can be stored and how they can be stored. On this page you will step through the different types of cardholder data that are involved in a transaction and the storage restrictions on each.

Primary Account Number (PAN)

Payment card number (credit or debit) that identifies the issuer and the particular cardholder account.

PANs should only be stored when it is absolutely necessary for authorization. (For instance, a hotel reservation system must store a guest's PAN for a specified time period.) Whenever it is stored, the PAN must always be encrypted.

Expiration Date

Expiration dates provide another layer of fraud protection when transactions are processed manually.

According to the PCI DSS, expiration dates can be stored; however, they must be protected (such as through encryption) when stored in conjunction with the PAN.

Cardholder Name

The customer to whom a card is issued, or an individual authorized to use the card.

The cardholder's name must be protected (such as through encryption) if stored in conjunction with the PAN.

Magnetic Stripe or Track

Contains sensitive account information that should never be stored by a merchant's system for any reason. There are two types of magnetic stripe data:

  • Track 1 contains the cardholder's name as well as the account number and other discretionary data.
  • Track 2 contains the cardholder's account, encrypted PIN, plus other discretionary data. Track 2 is most common.

Card Validation Code

For most card brands, a three-digit number printed on the back of the payment card. (On American Express cards, it is a four-digit number on the front.) This number is an added security feature for card-not-present transactions. It should never be stored for any reason.

This number goes by different names according to the different card brands, including CAV (card authentication value), CVC (card validation code), CVV or CVV2 (card verification value) and CSC (card security code).

Chip and PIN

In Europe, the magnetic stripe and card validation code are being replaced with a chip and PIN system. Rather than swipe a magnetic stripe, consumers holding EMV (Europay, MasterCard & Visa) cards enter a PIN that is tied to their card's chip.

Like the magnetic stripe and card validation code, the encrypted PIN block should never be stored for any reason.

Point to Remember

A merchant should only store data that appears on the front of the payment card, only with all required protections in place and only as necessary for business.
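The storage rules above (track data, card validation code and PIN block never stored; a stored PAN always encrypted) can be checked mechanically against what a system has actually written to disk. The following is an added example, not part of the course: it scans constructed sample records for prohibited data and clear-text PANs. The Track 1 and Track 2 layouts are assumed from the ISO 7813 magnetic-stripe format, the field names (pan, cvv2, pin_block) and sample lines are constructed, and reports mask every PAN to its first six and last four digits.

```python
"""Scan stored records for cardholder data the lesson says may never be stored
(track data, card validation code, PIN block) or must be encrypted (the PAN).
Added example; the record format, field names and sample lines are constructed."""
import re
from typing import List, Tuple

# Track 1 ("%B<PAN>^<name>^<exp>...?") and Track 2 (";<PAN>=<exp>...?") layouts
# are assumed from the ISO 7813 magnetic-stripe format, not taken from the lesson.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}[^?]*\??")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\??")
# The lesson lists CAV, CVC, CVV/CVV2 and CSC as brand names for the validation code.
CVV_RE = re.compile(r"\b(?:cav|cvc|cvv2?|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Assumed field name; a PIN block is an 8-byte value, written here as 16 hex digits.
PIN_BLOCK_RE = re.compile(r"\bpin_?block\s*[=:]\s*[0-9a-f]{16}\b", re.IGNORECASE)
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

Finding = Tuple[int, str, str]  # (record number, finding type, masked evidence)


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real PANs from other long numbers such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so a report never re-creates the clear PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record_no: int, line: str) -> List[Finding]:
    findings: List[Finding] = []
    for label, regex in (("TRACK1_DATA", TRACK1_RE), ("TRACK2_DATA", TRACK2_RE)):
        for m in regex.finditer(line):
            pan = re.search(r"\d{13,19}", m.group()).group()
            findings.append((record_no, label, mask_pan(pan)))
    # Blank out track data first so its embedded PAN is not reported a second time.
    rest = TRACK1_RE.sub(" ", TRACK2_RE.sub(" ", line))
    for label, regex in (("CARD_VALIDATION_CODE", CVV_RE), ("PIN_BLOCK", PIN_BLOCK_RE)):
        for m in regex.finditer(rest):
            field_name = re.split(r"\s*[=:]", m.group(), maxsplit=1)[0]
            findings.append((record_no, label, field_name))  # field name only, never the value
    # Any remaining Luhn-valid 13-19 digit run is a PAN stored in the clear.
    for m in PAN_RE.finditer(rest):
        if luhn_valid(m.group()):
            findings.append((record_no, "PAN_CLEARTEXT", mask_pan(m.group())))
    return findings


def scan_records(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        findings.extend(scan_record(n, line))
    return findings


# Constructed sample records; the PANs are the well-known 4111... and 5555... test numbers.
SAMPLE_RECORDS = [
    "2024-03-01 receipt_db: pan=4111111111111111 exp=1227 name=J DOE",
    "2024-03-01 pos_debug: track2=;5555555555554444=12271011234567890?",
    "2024-03-02 order_service: order_id=1234567890123456 amount=42.10 cvv2=123",
    "2024-03-02 receipt_db: pan_enc=AES:Qm9ndXNDaXBoZXJ0ZXh0 last4=1111",
    "2024-03-03 pos_debug: track1=%B4111111111111111^DOE/JOHN^12271011234567890?",
    "2024-03-03 pin_pad: pin_block=0123456789ABCDEF terminal=T-07",
]

if __name__ == "__main__":
    for record_no, kind, evidence in scan_records(SAMPLE_RECORDS):
        print(f"record {record_no}: {kind} ({evidence})")
```

Record 4 (encrypted PAN plus last four digits) produces no finding; every other record violates one of the lesson's storage rules.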
6 / 33
Question

Which two types of payment card data can never be stored under any circumstances? (Select all that apply.)

  • Magnetic Stripe or PIN Block (correct)
  • Expiration Date
  • Cardholder Name
  • Card Validation Code (correct)
  • Primary Account Number (PAN)

Feedback: While the PAN, cardholder name and expiration date can be stored in a protected form when necessary, the magnetic stripe/encrypted PIN block and validation code can never be stored for any reason (PCI DSS Requirement 3.2).
7 / 33
Activity: Acceptance Channels

There are many software and hardware solutions that enable merchants to process credit card transactions, categorized into five major acceptance channels. A merchant's chosen acceptance channel is a factor in determining what actions the merchant must perform to show proof of compliance with PCI regulations.

You will learn more about the Payment Card Industry standards and compliance validation requirements in the next section.

  • POS-Dial Up Terminal: Point of sale terminal that is connected to a regular phone line and does not use the Internet to process credit card transactions.
  • POS-IP Terminal: Point of sale terminal that uses the Internet to process credit card transactions.
  • Touch Screen & Computer: A sophisticated device such as a touch screen terminal or a computer running payment software that uses the Internet to process card transactions.
  • e-Commerce: A website that accepts and processes credit card transactions.
  • Multiple: Any combination of the payment acceptance channels listed above.
8 / 33
Table: Merchant Levels

The Payment Card Industry defines a merchant's level according to the number of payment card transactions it processes each year. Your merchant level directly impacts your compliance validation requirements, so it is important for you to recognize your level and the validation actions associated with it.

Level 1: Any merchant, regardless of acceptance channel, that:
  • Processes over 6 million MasterCard transactions per year
  • Has suffered a hack or an attack that resulted in an account data compromise
  • Visa or MasterCard determines should meet the Level 1 merchant requirements
  • Has been identified by any other payment card brand as Level 1

Level 2: Any merchant, regardless of acceptance channel, that:
  • Processes greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  • Processes 1 million to 6 million Visa transactions annually (all channels)

Level 3: Any merchant, regardless of acceptance channel, that:
  • Processes greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
  • Processes 20,000 to 1 million Visa e-commerce transactions annually

Level 4: Any merchant, regardless of acceptance channel, that is:
  • Any other MasterCard merchant
  • A Visa merchant processing less than 20,000 Visa e-commerce transactions annually, or any other merchant processing up to 1 million Visa transactions annually
9 / 33
Merchant Level & Compliance

Based on the number of transactions a merchant performs each year, merchants are categorized by the card brands into four levels. Level 1 merchants are often large commercial businesses and Level 4 merchants are smaller individually owned businesses.

Match the merchant level with the appropriate description:

  • Level 1 Merchant: Processes over 6 million transactions per year, regardless of acceptance channel, or has suffered a security breach.
  • Level 2 Merchant: Processes 1 to 6 million transactions, regardless of acceptance channel.
  • Level 3 Merchant: Processes 20,000 to 1 million e-commerce transactions.
  • Level 4 Merchant: Processes fewer than 20,000 e-commerce transactions and less than 1 million transactions, regardless of acceptance channel.

It is important for a merchant to know what their level is because it is the main factor in determining what actions the merchant must perform to show proof of compliance with PCI regulations.

You will learn more about the Payment Card Industry regulatory environment in the next section.
10 / 33
Section Objectives

By the end of this section, you will be able to recognize the regulatory environment for PCI and the high-level compliance requirements.

Topics

  • PCI SSC & PCI DSS
  • Why Regulate?
  • Benefits of Compliance
  • Risks of Non-Compliance

11 / 33

PCI stands for the Payment Card Industry, which is an association of the major card brands, associated banks and anyone who processes or uses credit cards. The PCI creates contractual information security standards in order to protect cardholder data.

  • Payment Card Industry Security Standards Council (PCI SSC): An independent body created by the major card brands that is responsible for developing, communicating and maintaining industry security standards.
  • Payment Card Industry Data Security Standard (PCI DSS): A set of twelve requirements and sub-requirements created by the PCI Security Standards Council to ensure the secure handling of credit card information.
  • PCI DSS Scope: All card network members (banks), merchants (sellers) and service providers that store, process or transmit cardholder data are required to adhere to the PCI DSS.
  • Compliance Validation Requirements: Payment Card Industry members who store, process or transmit cardholder data are contractually required to provide proof (validation) that their business is meeting the twelve requirements outlined in the PCI DSS. Validation requirements are mandated actions that must be performed to prove compliance with the PCI DSS. A merchant's validation requirements are based on their merchant level and the acceptance channel(s) they use to process credit cards.
  • PCI DSS Enforcement: Individual card brands and banks are responsible for enforcing compliance with the PCI DSS. For most hotels, compliance with the PCI DSS is enforced through your acquiring bank.
12 / 33
True or False?

A merchant who only processes 3-4 transactions per year is not required to be PCI DSS compliant.

Answer: False. Anyone who processes, transmits or stores cardholder data, regardless of how many transactions per year, must comply with the PCI DSS.

Even if a merchant uses a third party vendor to manage their card processing functions, they are still required to validate their compliance. Additionally, it is the responsibility of the merchant to ensure they are using compliant vendors.
13 / 33
Take a Guess

Why do you think the Payment Card Industry regulates and enforces security standards? Industry experts respond:

Regulations and security standards help prevent identity theft, which occurs when someone gains unauthorized access to personal information.

Reducing identity theft also reduces identity fraud, which is the unauthorized use of someone's personal information. Identity theft and fraud cost the industry billions a year, and victims spend hours to weeks restoring their affairs.

Maintaining standards designed to protect cardholder information builds consumer trust in the Payment Card Industry and in businesses that accept credit card payments.
14 / 33
The PCI DSS aims to reduce financial fraud by raising the network security capabilities of everyone who processes payment card information. There are many benefits of PCI DSS compliance.

  • Security Best Practices: Using security best practices can prevent the theft of sensitive information, such as cardholder data or personally identifiable information, which leads to fraud.
  • Uphold Brand Name: Security breaches can be devastating to a business's reputation. Following measures to protect customers' valuable information helps to maintain consumer confidence and brand value.
15 / 33
You learned on the previous page that compliance with the PCI DSS confers many business benefits. Likewise, non-compliance with the standard puts your business at risk of several serious consequences. The following conversation is between two merchants who have suffered security breaches.

A Compliance Conversation

Diana: I had no idea my point of sale system wasn't compliant. I just bought it a year ago.

Don: That's what I thought when my store's system was hacked. Since I had a new system, I figured I was safe, but the security on my wireless network wasn't set up properly. That's how the hackers got in.

Diana: I was storing track data on my hard drive and I didn't even realize it. The criminals were in my system for almost six months stealing card numbers. Now I have a huge mess on my hands.

Don: After I was notified my business was compromised, I was required to have an on-site forensic audit to figure out how the breach happened. The audit alone cost me $15,000 up front. I wasn't even able to use a payment plan because I'm now considered high risk.

Diana: My bank put a holding period on all the money that comes in from my credit card transactions. I'm also being fined $25 for each card that was stolen. The hackers got away with 500 cards; it's all really adding up.

Don: I understand. It has been almost a year since my breach, and I still haven't resolved everything. I'm still paying on various fines and fees, and on top of it all, I've lost customers. If my system had been compliant, it could have helped prevent all of this.

Consequences of Non-Compliance

  • Regulatory fines and penalties, and additional costs to reverse damages in the event of a security breach.
  • Higher costs to process credit card transactions, as well as stricter compliance validation requirements being imposed after a breach.
  • Loss of customer confidence and loyalty.
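Diana's remark that she was storing track data without knowing it is exactly what the forensic audit Don describes goes looking for, so the first practical check for any merchant is to look for it before an attacker does. The script below is an added example written for this page; it is not part of the lesson and not a PCI SSC or card-brand tool. It scans text for magnetic-stripe track 1 and track 2 records and for bare 13 to 19 digit numbers that pass the Luhn check, and reports each hit with the PAN masked to the first six and last four digits so that the report itself does not become cardholder data. The sample log, the function names and the file contents are constructed for illustration, and the card numbers in it are the publicly known industry test PANs, not real accounts.

```python
import re

# Every payment card PAN passes the Luhn (mod 10) check, so it is a cheap way to
# discard order numbers, timestamps and phone numbers that merely look like card
# numbers. Real discovery tools add issuer BIN-range checks on top of this.
def luhn_valid(digits: str) -> bool:
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Magnetic-stripe track layouts (ISO/IEC 7813). Anything matching these that is
# still on disk after authorization is sensitive authentication data, which
# PCI DSS Requirement 3.2 forbids storing at all, even in encrypted form.
TRACK1_RE = re.compile(r'%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?')
TRACK2_RE = re.compile(r';(\d{13,19})=(\d{4})(\d{3})([^?]*)\?')
# A bare PAN: 13 to 19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS Requirement 3.3)."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_card_data(text: str) -> list:
    """Return a list of findings (type, masked PAN, offset). The full PAN never leaves."""
    findings = []
    covered = []                            # spans already attributed to track data
    for kind, rx in (('track1', TRACK1_RE), ('track2', TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if luhn_valid(pan):
                findings.append({'type': kind, 'pan': mask_pan(pan), 'offset': m.start()})
                covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue                        # this PAN is part of a track we already reported
        pan = re.sub(r'[ -]', '', m.group(0))
        if luhn_valid(pan):
            findings.append({'type': 'pan', 'pan': mask_pan(pan), 'offset': m.start()})
    findings.sort(key=lambda f: f['offset'])
    return findings


# Constructed sample of what a POS log left on a merchant's disk might contain.
# The PANs are the well-known industry test numbers, not real accounts.
SAMPLE_LOG = (
    "2012-03-14 10:02:11 terminal 3 swipe read ok\n"
    ";4111111111111111=13121011234567890?\n"            # full track 2 kept after auth
    "%B5500000000000004^DOE/JANE^14051010000000000?\n"  # full track 1 kept after auth
    "order 1234567890123456 total 42.10\n"              # 16 digits, but fails Luhn
    "refund to 3782 822463 10005 approved\n"            # Amex PAN written with separators
    "card 4111111111111112 declined\n"                  # fails Luhn: not a PAN
)

if __name__ == '__main__':
    for f in find_card_data(SAMPLE_LOG):
        print(f"{f['type']:6} at byte {f['offset']:4}: {f['pan']}")
```

Run it over exported log files, database dumps or anything else the POS writes to disk; the three hits in the sample are two retained tracks and one bare PAN, and the two lookalike numbers are dropped by the Luhn check. Track findings are the serious ones, since the only remedy is to stop storing them and securely delete what exists; bare PANs may be kept only if they are rendered unreadable wherever they are stored (Requirement 3.4). False positives remain possible, and a production discovery tool would also look inside binary, compressed and database files rather than plain text.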
16 / 33
Section Objectives

By the end of this section, you will be able to list and describe the PCI DSS validation actions required for each merchant level and recognize the difference between point-in-time compliance and continuous compliance.

Topics

  • Validation Actions
  • Validation Requirements by Merchant Level
  • Continuous Compliance

17 / 33
There are three actions a merchant can perform to validate compliance with the PCI DSS. Depending on their level and acceptance channel, a merchant may be required to perform more than one validation action.

On-site PCI Data Security Assessment

An on-site assessment is an audit performed by a Qualified Security Assessor (QSA) to determine whether a business is in compliance with the PCI DSS. Details of the assessment findings must be documented in a Report on Compliance (ROC). The ROC includes the compliance status for each PCI DSS requirement and recommendations for addressing areas of non-compliance, and is submitted together with an Attestation of Compliance (AOC) signed by the merchant.

Self-Assessment Questionnaire (SAQ)

The SAQ is a self-evaluation form completed by merchants that collects information on how they store, process and transmit cardholder data. The SAQ is used to determine compliance with the PCI DSS, and the results of the questionnaire, with an AOC, are reported to the merchant's acquirer or card brand(s). In the version of the standard this lesson describes (PCI DSS v2.0) there are five versions of the SAQ (labeled A, B, C, C-VT and D), and merchants and service providers complete the one that best fits their business. Later versions of the standard added further SAQ types, so check the current list published by the PCI Security Standards Council.

Vulnerability Scan

A vulnerability scan is an automated test used to determine whether a merchant's Internet-facing systems or websites have any security weaknesses. The merchant's systems are accessed over the Internet, and tests are run to check for known vulnerabilities in the network, operating system or software. Scanning also checks that systems are configured and maintained in a way that will protect cardholder data. The PCI DSS requires that the quarterly external vulnerability scans be performed by an Approved Scanning Vendor (ASV), and the ASV's passing scan report forms part of the validation evidence; internal scans, which are also required, may be run by qualified in-house staff.
18 / 33
As you have already learned, a merchant's validation requirements are determined by their merchant level and acceptance channel. Merchants are required to validate their compliance annually. The table below lists the PCI DSS validation requirements by merchant level.

Merchant levels

  • Level 1: Merchants processing over 6 million transactions per year. A merchant that has suffered an account data compromise, or that a card brand otherwise decides should be treated as Level 1, may also be required to validate at Level 1.
  • Level 2: Merchants processing 1 million to 6 million transactions per year.
  • Level 3: Merchants processing 20,000 to 1 million e-commerce transactions per year.
  • Level 4: Merchants processing fewer than 20,000 e-commerce transactions and fewer than 1 million total transactions per year.

Validation requirements

  Level   Validation action                                            Performed by
  1       Annual on-site PCI DSS Data Security Assessment (ROC)        Qualified Security Assessor (QSA)
          Quarterly network scan                                       Approved Scanning Vendor (ASV)
  2       Annual SAQ, or annual on-site PCI Data Security Assessment   Merchant (QSA for an on-site assessment)
          Quarterly network scan                                       ASV
  3       Annual SAQ                                                   Merchant
          Quarterly network scan                                       ASV
  4       Annual SAQ                                                   Merchant
          Quarterly network scan                                       ASV

Two caveats a merchant should confirm with their acquirer: MasterCard requires that a Level 2 merchant's SAQ be completed either by a QSA or by staff who hold the Internal Security Assessor (ISA) qualification, which is why the on-site option appears for Level 2; and for Level 4 merchants the validation requirements are set by the acquirer, with the SAQ and quarterly scan shown here being the usual expectation.
19 / 33
True or False? Once a merchant validates their compliance, they do not need to perform any further compliance actions for one year.

Answer: False. Although compliance only has to be validated once per year, it is important to remember that continuous compliance must be maintained.
20 / 33

Validating compliance demonstrates that a merchant's business was compliant at a point in time: the time of validation. However, the standard also contains a number of daily, weekly, monthly, quarterly and annual procedures that a merchant must follow to maintain their compliance status throughout the year, for example daily review of security logs, quarterly vulnerability scans, password changes at least every 90 days, a review of firewall rules every six months, and an annual penetration test, risk assessment and security awareness training.

21 / 33
Why is it important to maintain compliance throughout the year? Three industry experts respond:

  • The security measures required for compliance help to protect cardholder data from theft and fraud, which can happen at any time.
  • Implementing and maintaining the security measures required by the PCI DSS can also help to protect personally identifiable information (PII), such as social security numbers, that may be collected, stored or processed by a merchant.
  • Maintaining compliance by implementing and maintaining secure business practices makes it easier to meet annual validation requirements.
22 / 33
Section Objectives

By the end of this section, you will be able to cite key statistics about information security breaches in 2011.

Topics

  • Global Security Report
  • Breach Detection
  • Investigations by Industry
  • Targeted Data
  • Targeted Systems

23 / 33

The statistics on the following pages come from Trustwave's Global Security Report 2012. The report analyzes data gathered from nearly 2,000 penetration tests and more than 300 security incident and compromise investigations conducted in 2011.

Providing business and technical impact analysis, the report was compiled by SpiderLabs, the advanced security team at Trustwave responsible for delivery of incident response and forensics, penetration testing, application security and security research services.

24 / 33
Take a Guess: Who do you think is the first to detect a security breach?

  • Law enforcement officials
  • The attacked organization
  • The public (e.g. a customer of the attacked organization)
  • A regulator (e.g. a credit card company with access to the attacked organization's data)

Answer: A regulator. 46% of breaches were detected by an external regulatory body (such as a credit card company) after a data pattern indicated there may be unauthorized access and usage of the organization's data.
25 / 33
Trustwave's SpiderLabs is one of only a handful of firms authorized to perform payment card breach investigations on behalf of the five major card brands. Let's take a closer look at how the breach investigations of 2011 were initiated.

  • Regulatory detection: In 2011, 46% of investigations were initiated through regulatory detection (i.e., by the card brand). Most cardholders experiencing fraud had used their card legitimately with a merchant whose data was later stolen. When the appropriate card brands and the suspect merchant's processing bank obtained this information, they initiated an investigation of the merchant.
  • Self-detection: The share of self-detected compromises decreased from the previous year; only 16% were self-detected in 2011, compared to 20% in 2010. This may indicate a decline in the resources devoted to properly detecting incidents.
  • Law enforcement: Law enforcement notifications increased almost five-fold to 33%. This increase can be attributed to work performed by the United States Secret Service and Electronic Crime Task Force members.
26 / 33
Take a Guess: Which industry do you think experienced the most security breaches investigated in 2011?

  • Food and Beverage
  • Hospitality
  • Retail
  • Financial Services

Answer: Food and Beverage. Food and Beverage again represented the highest percentage of incident response investigations by SpiderLabs in 2011.
27 / 33
As in most previous years, the food and beverage industry shouldered the brunt of data breaches. In 2011, this industry, comprised largely of small Level 4 merchants, represented 43.6% of all breaches investigated by SpiderLabs.

  • Consistent with the prior year, the food and beverage, retail and hospitality industries accounted for about 85% of data breach investigations.
  • In the top targeted industries, the primary target was payment card data. Organized crime groups in particular continue to focus on these industries. While such businesses typically represent a smaller reward for attackers in comparison to large banks or payment processors, they continue to be targeted due to well-known payment system vulnerabilities and poor security practices.
  • More than one-third of breached entities in food and beverage, retail and hospitality were franchised businesses. Because many franchised businesses run standardized computer systems, if a security deficiency exists within a specific system, that deficiency will often be duplicated across the entire franchise base.
28 / 33
True or False? Customer records were the most frequently targeted type of information in 2011.

Answer: True. Continuing the trend of previous years, 89% of investigations involved the theft of customer records, including payment card data, personally identifiable information and other records, such as email addresses.
29 / 33
Consistent with previous years, breaches of customer records, including payment card data, once again accounted for an overwhelming majority of the SpiderLabs caseload in 2011. The targeting of payment card data is to be expected, as hackers can sell this information through established black market networks for quick cash.

  • Customer records: Active email addresses of consumers are valuable to attackers, as they can be used to launch further attacks like phishing or more sophisticated, targeted attacks. Cyber criminals continue to focus their efforts in this area due to the large number of available targets and well-established black markets where criminals are quickly able to turn items such as payment card data into cash with minimal effort.
  • Electronic protected health information: New this year, electronic protected health information (ePHI) theft investigations accounted for 3% of the caseload. This addition is attributed to the continued adoption of breach notification laws, and a maturing of information security policies within the health care industry.
  • Authentication credentials: Usually authentication credentials are stolen to gather information the hacker can use to execute a later attack. In many cases such data, particularly from a consumer-focused organization, can be used in a targeted attack against a commercial or government organization.
30 / 33
True or False? Most breaches in 2011 occurred through e-commerce websites.

Answer: False. E-commerce represented only 20% of the systems targeted in 2011, while software point of sale systems represented 75% of the systems targeted.
31 / 33
Information systems involved with payment processing continue to be the Achilles' heel of the payment industry and represent the easiest way for criminals to obtain payment card magnetic stripe data en masse.

  • Point of sale systems: Contrary to popular belief, in North America and Europe, physical point of sale systems are much more likely to be targeted than e-commerce websites. Emerging point-to-point encryption (P2PE) solutions have the potential to lower the risk of POS system breaches: card data is encrypted inside the card reader at the moment of swipe and decrypted only at the payment processor, so it is protected in transit to the processing bank and is never available in clear text to the merchant's own POS software and internal systems.
  • E-commerce: E-commerce targets increased from 9% in 2010 to 20% in 2011, largely due to additional data from the Asia-Pacific region, where e-commerce compromises are more common than software POS system compromises.
  • Workstations and servers: Employee workstations and servers were the primary targets for the theft of trade secrets and credentials. In these cases, email with malicious intent was sent to specific, targeted employees.
32 / 33

In the PCI Overview lesson, you learned about the major players in the Payment Card Industry and recognized the life cycle of a credit card transaction. You identified high level PCI requirements, as well as the PCI DSS validation actions required for each merchant level. Lastly, you learned key statistics about information security breaches in 2011. Keep these key PCI points in mind:

  • The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major card brands to protect credit card information.
  • The PCI DSS is mandatory for all entities that store, process or transmit cardholder data, including merchants and service providers.
  • PCI DSS compliance is usually enforced by a merchant's acquiring bank.
  • There are four different merchant levels depending on the number of payment card transactions processed each year. The merchant level directly impacts compliance validation requirements.
  • PCI DSS compliance must be maintained continuously to help protect against costly cardholder data compromises, for which all card-accepting businesses are at risk.
  • According to Trustwave SpiderLabs' Global Security Report 2012, 89% of the breaches investigated in 2011 involved theft of customer records, including cardholder data and other PII. PCI DSS compliance helps to keep this information secure.

33 / 33

Congratulations! You have completed the PCI Overview lesson. The Security Awareness Education (SAE) Portal tracks the completion of the lesson and unlocks the next lesson in the course.

To move on to the next lesson, click Exit in the top right navigation bar of this screen to return to the SAE Portal. Then, follow the directions you learned in the Course Navigation lesson to return to the Course Menu page, where you may select the next activity from the list.