Sector-focused framework for applying policies, procedures, evidence collection and supporting activities
Our training is developed to meet the specific needs of higher and further education institutions, and builds on over a decade of experience of delivering this type of training
Information Security
Payment Security
The payer (consumer, student or parent)
Expects a good payment experience that is seamless and secure
Expects compliance with legal, regulatory and contractual obligations
Trusts the merchant (institution) with their personal data
Payment card transactions and use of emerging payment solutions are increasing
The scammer (hacker, threat actor, fraudster, criminal)
Commits fraud for financial gain
The education sector is an attractive target
Monetise stolen personal and payment card data
Target attacks on e-commerce
Target vulnerabilities on critical infrastructure
Skimming and tampering fraud
Social engineering to steal credentials
The third party
Payment Acceptance
Payment Service Providers
Service Providers
Third Parties
Tenants
All will need to demonstrate compliance with appropriate standards
The acquirer
A financial institution that processes payment card transactions on behalf of the merchant
A contractual agreement with the merchant to comply with PCI DSS
Non-compliance charges and fines passed to merchants
Charges per MID, per transaction
Accountability for Payment Security (COO, CFO, Director of Finance)
Non-compliance letters to the accountable owner
Sector viewed as high risk
A breach could impact the ability to take payments
The merchant
Must protect the institution's reputation
Must protect personal data
Must comply with legal, regulatory and contractual obligations
Must be accountable and be able to demonstrate compliance
Sustainability: the need to embed compliance into business-as-usual processes
Maintain the ability to take payments
Avoid fines and reduce risk of financial loss
Payment Security is a cost of doing business
Maintain reputation and credibility
Reduce the risk of a data breach and fines
Meets legal, contractual and regulatory obligations under the DPA, GDPR and PCI DSS
Payment Security is a business opportunity
Changes to payment acceptance can improve security
Transform, improve and embed business processes
Reduce your scope to mitigate risk
Reduce the risk of operational downtime
Addresses gaps and inconsistencies in PCI DSS
Card Data Environment (CDE)
The system components, people and processes that store, process or transmit cardholder data or sensitive authentication data
System components that do not themselves store, process or transmit cardholder data/SAD, but have unrestricted connectivity to system components that do, are also part of the CDE
Payment Security Environment (PSE)
The Payment Security Environment looks to encapsulate all elements of the technology, systems, people and processes which can impact "payment security" in the broadest sense
Encourages and nurtures a security mindset by going beyond a compliance focused approach
Scoping
1. Identify
2. Locate and Document
3. Identify other Systems/processes/personnel
4. Minimise Scope
5. Implement PCI Requirements
6. Maintain/Monitor
Your CDE will likely involve:
Multiple locations
Various staff (including 24/7 operations)
A variety of customers, each with differing demands
Multiple technologies
Management by multiple teams/departments
Online, face-to-face (F2F), mail order/telephone order (MOTO) and vending channels
Your CDE will need:
Managed and maintained contracts
A virtual vault of all evidence
Training courses for every group of CDE staff
An archive of previous evidence
Management and maintenance of records of everything to do with the CDE
Governance of policies
Your CDE may be directly or indirectly supported by: Network & Communication Services
IT Services
Acquirers, Payment Service Providers
Estates & Utility Services / Access Controls
Contractors & Suppliers
Your CDE may be impacted by: People
Physical location
Institution's activities
Policies, legislation, contracts etc.
Restructure
Third parties operating on campus
In-house or third party technical failures
Security incident or breach
People in the CDE
Working in the CDE
Impacting the CDE
Supporting the CDE
"Ensure that security policies & operational procedures for... Are documented, in use & known to all affected parties."
Cardholder Data & Sensitive Authentication Data: The PAN is the defining CHD factor
CHD may be stored, but the PAN must be rendered unreadable wherever it is stored
SAD must not be stored after authorisation
Anywhere that CHD is stored, processed or transmitted needs to be PCI DSS compliant
Cardholder Data
Primary Account Number (PAN)
Cardholder Name
Expiry Date
Service Code
Documenting cardholder data flows in a data flow diagram helps identify every location to which CHD is transmitted within the network
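The storage rules above (PAN rendered unreadable, SAD never retained after authorisation) and the data-flow check that CHD is only where the diagram says it is, as an added Python example that is not part of the original training material. It truncates and tokenises the PAN, drops SAD fields from a transaction record before it is persisted, and scans constructed log lines for unmasked PANs using the Luhn check. The field names, the HMAC key handling and the log lines are constructed assumptions, not anything the course or PCI SSC prescribes.

```python
import hashlib
import hmac
import re

# Cardholder data (CHD) elements named on the page; the PAN is the defining element.
CHD_FIELDS = {"pan", "cardholder_name", "expiry_date", "service_code"}
# Sensitive authentication data (SAD). These field names are constructed for the example;
# whatever they are called in a real system, SAD must not be retained after authorisation.
SAD_FIELDS = {"track_data", "cvv", "cvc2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to filter PAN-shaped digit runs from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation: first six and last four digits only."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenise_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash so records can still be matched without storing the PAN.
    Assumption: `key` lives in a secret store outside the database, never beside the tokens."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def sanitise_after_authorisation(record: dict, key: bytes) -> dict:
    """Return the subset of an authorised transaction record that may be persisted:
    SAD dropped entirely, the PAN replaced by its truncated form plus a keyed token,
    every other field passed through unchanged."""
    stored = {}
    for field, value in record.items():
        if field in SAD_FIELDS:
            continue                      # never stored after authorisation
        if field == "pan":
            stored["pan_truncated"] = truncate_pan(value)
            stored["pan_token"] = tokenise_pan(value, key)
            continue
        stored[field] = value
    return stored


# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list[str]:
    """Scan free text (application logs, exports, tickets) for digit runs that look like a PAN
    and pass Luhn. This is the kind of check used to confirm CHD only appears where the
    data flow diagram says it does; hits are candidates for a human to confirm."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample log; the PANs are published test numbers, not real cards.
CONSTRUCTED_LOG = """\
2024-03-01 10:02:11 INFO  payment ok order=8812 pan=4111111111111111 amt=12.50
2024-03-01 10:02:12 INFO  payment ok order=8813 pan=411111******1111 amt=40.00
2024-03-01 10:02:13 DEBUG gateway req 5555 5555 5555 4444 exp=12/29
2024-03-01 10:02:14 INFO  batch ref=1234567890123456 settled
"""

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"   # assumption: real key comes from a secret store
    record = {"pan": "4111 1111 1111 1111", "cardholder_name": "A Student",
              "expiry_date": "12/29", "cvv": "123", "amount": "12.50"}
    print(sanitise_after_authorisation(record, demo_key))
    print(find_unmasked_pans(CONSTRUCTED_LOG))
```

Only the first and third log lines are reported: the second already holds a truncated PAN, and the 16-digit batch reference on the fourth fails the Luhn check. Truncation to first six/last four is the long-standing PCI DSS format; the keyed hash is used rather than a plain SHA-256 so that a truncated value and a token for the same PAN cannot be combined to recover it.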
Information Security
Confidentiality - Granting access to sensitive data on the principle of least privilege and preventing any unauthorised access
Integrity - Ensuring that data is up to date, accurate and reliable
Availability - Ensuring that data is accessible when required
British Airways: 500,000 data subjects; £183m fine from the ICO; vulnerability exploited in out-of-date software
Student jailed for using a keylogger to raise his exam marks; sentenced to 4 months in prison
3 universities' IT systems attacked: "We just don't know" when disruption caused by a "major cyber-attack" will be fixed; ransomware attack; IT systems still disabled a week after being hit; reputational damage
GDPR at a glance: Data Controllers must report the breach (even whilst still investigating) to the ICO within 72 hours of becoming aware
Individuals have the right to move, copy or transfer their data
There are two tiers of fines: administrative failings: €10 million or 2% of turnover; principle failings: €20 million or 4% of turnover
Consent to processing is no longer allowed to be assumed. Affirmative action required
Applies to your organisation and any other business you partner with to process data on your behalf
Refocuses and expands on the rights an individual has and what they must be provided
Privacy must be built in and considered throughout the lifecycle of the data
Your organisation must appoint a data protection officer to monitor, inform & advise
The 7 Principles of GDPR: Lawfulness, fairness & transparency
Purpose Limitation
Data Minimisation
Accuracy
Storage Limitation
Security
Accountability
PCI DSS
Minimum Controls
Global Standard
Assumptions
Prescriptive
Security
Keeping the safe locked 24/7
Something we do every day
Customer Expectation
Business Expectation
Acquirer Expectation
Compliance
Reporting the safe was locked on the day we checked it
A point in time view
PCI DSS v4 – what is it and what are its goals?
GDPR "Security" Principle
Keeping the safe locked 24/7
Payment Security Standards
Cyber Security Frameworks and Infosec Standards
How do you think a significant data breach would impact your institution?
Consequences of non-compliance/breach
PCI DSS: fines from card schemes; higher acquiring fees; forensic investigation; replacement cards; covering fraudulent spend; non-compliance could lead to a data breach
GDPR: fines from regulating bodies (the ICO in the UK) of up to £20 million or 4% of annual turnover, whichever is higher; reputational damage; operational downtime; loss of assets (sensitive data); financial loss; further legal action
Average cost of a data breach (IBM 2022): global average cost of a data breach $4.35m (£3.8m); global average cost per lost record $164 (£143); average cost of a data breach in the UK $5.05m (£4.4m); average time to contain a data breach 277 days