The Problem
The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a detailed series of 130+ requirements that anyone who stores or transfers credit card data has to comply with. However, due to the protection it offers, the PCI DSS is fast becoming a security standard for all sensitive data that needs to be protected. The goal of the standard is to ensure the security of data in transit and at rest while ensuring compliance is maintained. While the major credit card companies are aggressively fining merchants who do not comply and can even revoke card payment privileges, the cost of a breach is known to be significantly more expensive due to the loss of consumer confidence, drops in share value, the cost of repairing the breach, exposure to possible lawsuits and the increased level of Federal and State oversight.
The PCI DSS must be met by all organizations (merchants and service providers) that transmit, process or store payment card data. The PCI DSS (sometimes referred to as a compliance standard) is a contractual obligation applied and enforced - by means of fines or other restrictions - directly by the payment providers themselves. In June 2009, compliance with PCI DSS even became required by law in the State of Nevada, and other governments and regulators are sure to follow.
United States: June 2009 - Nevada becomes the first state to mandate compliance with PCI DSS. According to the law, which amends NRS 603A “Security of Personal Information”, any organization that does business in the state must “comply with the current version” of the PCI DSS as adopted by the PCI Security Standards Council “or its successor organization.” The law further states that companies must comply by the deadlines established by the PCI SSC. (It should be noted here that the PCI SSC does not set the compliance deadlines. These are set by the individual card brands.) The law is scheduled to go into effect on January 1st, 2010. For anyone involved in information security management or compliance, this is a really big deal. PCI has just been catapulted from a contractual obligation to a full legal requirement.
The Nevada law ups the ante by making this an actual legal requirement, but the standard itself remains the same. And as far as actual enforcement goes, the Nevada law says nothing about penalties whereas PCI has the ability to fine non-compliant companies. The bigger change is for companies that deal with non-credit card personal data. The Nevada law defines nonpublic personal information as a social security number, driver’s license number, or account number in combination with a password. It mandates the use of encryption for the transfer of such data outside of a company's control (this requirement existed in various forms in previous Nevada legislation as well).
The Solution
Don't re-invent the wheel.
While the PCI Standard was not written to map specifically to ISO27001, ISO17799, CobiT or any other existing framework, it sits clearly within the ISO 27001/27002/27005 frameworks. Organizations that have implemented an ISO 27001 Information Security Management System (ISMS) should be able, with minor additional work, to also demonstrate their conformance with the PCI standard. After providing you with the information you need in order to better understand PCI DSS and how it uniquely applies to your organization, we will show you how to leverage your existing ISO 27001 Information Security Management System that you learned about in the prerequisite session, Information Security Governance: Risk Management, Controls Strategy, and Compliance, to fulfill PCI DSS requirements.
How We Can Help You
Certified Information Security has the knowledge and experience to train your people to manage your information security so that it complies with PCI DSS. Allen Keele, the firm's founder, is a CISSP, CIS, CISM, and CFE. He has delivered custom-developed information security and compliance training sessions to organizations throughout the world, including the United States, the Caribbean, Africa, Europe, and Asia. In two days, this session will help your organization achieve compliance via the straightest path that is appropriate for your organization.
Upon course completion, we will provide you with an achievement certificate for 24 continuing professional education (CPE) credits that can be used to fulfill requirements for maintaining a variety of professional credentials for fraud examination, accounting, auditing, and information security.
The Payment Card Industry's Data Security Standard (PCI DSS) applies to different degrees and with different deadlines to various organizations. While the PCI DSS is a common standard, each payment brand has its own compliance program. Note that there may be regional variations for VISA (e.g. USA and Canada), while MasterCard has a single global standard, and that acquiring banks - not the payment brands - are usually responsible for enforcement. All detailed compliance enquiries should therefore be directed to one's acquiring bank. The PCI DSS compliance programs for each of the five founding members of the PCI Security Standards Council (PCI SSC) are:
- Amex DSOP
- Discover Card DISC
- JCB Card PCI DSS
- MasterCard SDP
- VISA US CISP
- VISA EUROPE AIS
- VISA CANADA AIS
- VISA ASIA AIS
In short, the PCI DSS provides the best practices for securing sensitive information shared and transmitted by merchants when processing transactions, but how it is enforced is really up to the various credit card companies and acquiring banks themselves. If you are a merchant or service provider that transmits, processes, or stores payment card data, you can be sure that PCI DSS applies to your organization, and you will be forced to prove compliance at some point - if you haven't been forced already. This means PCI DSS should be a focus of your information security governance, and its requirements must be integrated into your information security management system.
Complying with PCI DSS first requires understanding the business environment and compliance needs of your organization, and then knowing how to interpret and fulfil the requirements of the PCI DSS standard itself. Modules expose attendees to what PCI DSS is and how it uniquely applies to their organization's compliance requirements. After introducing attendees to the business compliance environment of PCI DSS, this course goes on to provide an overview of the essential components of the standard.
This course follows the latest PCI DSS version 1.2 in focusing on control objectives and standard-specific configuration requirements. Essential terms, questions, and discussion issues help students understand and retain the material.
Recommended Attendance by Organization
If you are a merchant or service provider (e.g. bank, ISP, transaction processor) that transmits, processes, or stores payment card data, you can be sure that PCI DSS applies to your organization wherever you do such business in the world, and you will be forced to prove compliance at some point - if you haven't been forced already. This means PCI DSS should be a focus of your information security governance, and its requirements must be integrated into your information security management system.
Recommended Attendance by Position
- Compliance managers / officers
- Information security managers
- IT managers
- Database administrators
- IT / Systems Auditors
- Operations auditors
Why should all of these people attend?
Because they all lead, share, or support various roles and responsibilities that are crucial for managing information security and compliance for the organization.
Course Prerequisite
After providing you with the information you need in order to better understand PCI DSS and how it uniquely applies to your organization, we will show you how to leverage your existing ISO 27001 Information Security Management System that you learned about in the recommended prerequisite session, Information Security Governance: Risk Management, Controls Strategy, and Compliance, to fulfill PCI DSS requirements.
Duration: 2 Days
CPE Credit: 16
Session Leader: Allen Keele
As president and Chief Executive Officer of Certified Tech Trainers, d.b.a. Certified Information Security, Allen Keele has over 25 professional and technical accreditations. Mr. Keele has over 17 years of experience in information security and risk management, including seven years of conducting professional advanced IT lectures and seminars across the United States, the United Kingdom, Asia, and the Caribbean. His lectures have attracted students from leading organizations including the United States Marine Corps, Deloitte & Touche, Ernst & Young, Lloyds, Thomson Financial, Microsoft Corporation, Blue Cross-Blue Shield, Boston University, PricewaterhouseCoopers, Fujitsu, and many others. Mr. Keele has spoken many times on behalf of the Institute of Internal Auditors (IIA) and for the Information Systems Audit and Control Association (ISACA). Mr. Keele was also a featured speaker for ISACA at its North American conference, CACS. Considered an expert in several diverse technologies, Mr. Keele has authored 5 books.