1 / 41

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard. Tom Davis and Chad Marcum Indiana University. PCI DSS, OMG! (and other TLAs ). PTS. SIG. ROC. PAN. SSC. PED. PCI. CID. ASV. QSA. SAQ. DSS. CVV. Before PCI DSS PCI SSC overview Higher Ed’s Voice Compliance vs. Security

fritzi
Download Presentation

Payment Card Industry Data Security Standard

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Payment Card IndustryData Security Standard Tom Davis and Chad Marcum Indiana University

  2. PCI DSS, OMG!(and other TLAs) PTS SIG ROC PAN SSC PED PCI CID ASV QSA SAQ DSS CVV

  3. Before PCI DSS • PCI SSC overview • Higher Ed’s Voice • Compliance vs. Security • IU’s approach

  4. before PCI DSS(circa 2003)

  5. VISA • Cardholder Information Security Program • MasterCard • Site Data Protection Program • American Express • Data Security Operating Policy • Discover • Information Security and Compliance Program • JCB • Data Security Program

  6. As fraud losses increased…

  7. Merging standards

  8. “… enhance payment account data security by driving education and awareness of the PCI Security Standards.”

  9. PCI Security Standards Suite

  10. Organization Stakeholders Executive Committee Board of Advisors Management Committee General Manager Marketing Wkg Group Legal QSA Committee Secretariat ASV Committee Technical Wkg Group DSS Task Forces (ad hoc) Technical Wkg Group PED Participating Organizations QSA Program Management ASV Program Management PA Program Management

  11. Organization Stakeholders Executive Committee Board of Advisors Management Committee General Manager Marketing Wkg Group Legal QSA Committee Secretariat ASV Committee Technical Wkg Group DSS Task Forces (ad hoc) Technical Wkg Group PED Participating Organizations QSA Program Management ASV Program Management PA Program Management

  12. Executive Committee

  13. “Participating organizations have an opportunity to influence the direction of PCI standards through: Participating Organizations

  14. “Participating organizations have an opportunity to influence the direction of PCI standards through: • active involvement in community meetings, • advance review of drafts of standards and supporting materials, and • regular dialogue with key stakeholders.” Participating Organizations

  15. National Association of College and University Business Officers

  16. National Association of College and University Business Officers Walt Conway Business Representative Tom Davis Technical Representative

  17. PCI DSS Lifecycle

  18. Compliance vs. Security

  19. Security?

  20. Robert Carr, CEO Heartland Payment Systems Inc.

  21. “… we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.” Robert Carr, CEO Heartland Payment Systems Inc.

  22. General Manager “(PCI DSS) is more about security than compliance.” Bob Russo, General Manager PCI Security Standards Council

  23. PCI DSS Overview • Applies to • all merchants that “store, process, or transmit cardholder data” • all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet) • all forms, including electronic, paper, or oral • Includes 12 requirements, based on • administrative controls (policies, procedures, etc.) • physical security (locks, physical barriers, etc.) • technical security (passwords, encryption, etc.)

  24. PCI Data Security Standard – High Level Overview Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security

  25. Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

  26. Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

  27. Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

  28. Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

  29. Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

  30. OS Scanners WSUS DNS Web app Scanners ADS Logs NTP PCI Virtual Network

  31. You’ll have to get your own.

  32. Maintaining and Sustaining Self-Assessment Questionnaires for each Dept/Unit each year -(about ~240 different merchants) Review of PCI virtual network Firewall rules, both to and from Closely working with our QSA on interpretations of the PCI DSS - Scope – Control – Guidance Change Management Program (which has existed at IU since before the 1990s) “…if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antitheses of security theatre.” --Ben Rothke and Anton Chuvakin, PCI Shrugged: Debunking Criticisms of PCI DSS

  33. Resources • NACUBO Business Officer Magazine Article • http://tinyurl.com/yd2sjw8 • Walt Conway’s PCI blog • http://treasuryinstitutepcidss.blogspot.com/ • Treasury Institute Workshop • http://www.treasuryinstitute.org/resourcelibrary/PCI_2010/ • PCI Security Standards Council • https://www.pcisecuritystandards.org/

  34. Payment Card IndustryData Security Standard Tom Davis and Chad Marcum Indiana University

More Related