
Compliance With The PCI DSS

University of North Carolina Controllers Workshop, October 28, 2013.



  1. Compliance With The PCI DSS University of North Carolina Controllers Workshop October 28, 2013

  2. Higher Ed Is Vulnerable (Past 3 Years)
     [Pie chart of breaches by sector: Government, Higher Education, Healthcare, Financial Services, Retailers, Other; the percentages shown on the chart are 6%, 33%, 8%, 14%, 17% and 22%.]
     Source: Privacy Rights Clearinghouse

  3. A Campus Is A “City”
     Challenges for PCI Compliance:
     • Open networks and systems
     • Scope conversations complex
     • Overloaded staff
     • Fiscal constraints

  4. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop

  5. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop

  6. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop

  7. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop

  8. PCI Security & Compliance
     [Diagram: the ecosystem of payment devices, applications, infrastructure and users, with one PCI standard per participant.]
     • Software developers / payment application vendors: PCI PA-DSS (Payment Application Data Security Standard)
     • Manufacturers: PCI PTS (PIN Transaction Security)
     • Merchants & processors: PCI DSS (Data Security Standard)

  9. PCI Relationships (Credit Card Security)
     [Diagram of the parties and their responsibilities.]
     • PCI Security Standards Council: responsible for managing the PCI DSS and certifying QSAs and ASVs
     • Card Associations: responsible for enforcing and monitoring merchant compliance with the PCI DSS
     • Merchant Bank: communicates and educates merchants on PCI DSS and reports compliance status to Card Associations
     • Merchant: responsible for safeguarding credit card data and complying with the PCI DSS

  10. PCI DSS: 6 Goals, 12 Requirements
     [Table of Control Objectives against their Requirements; most rows are flagged “IT!” to show that the requirements fall largely on IT.]

  11. Teamwork! Finance, IT/Network, Merchants, QSA

  12. Merchant Levels
     [Table of merchant levels, with the level that applies to most colleges and universities highlighted.]

  13. Validation Requirements

  14. Self-Assessment Questionnaires
     [Chart of the SAQ types; the numbers 11 and 286 appear as its end points.]
     Move as far to the left as possible!

  15. Penalties can be Huge
     In the event of a breach the bank can make the merchant responsible for:
     • Fines from card associations (up to $500,000)
     • + Cost to notify victims
     • + Cost to replace cards
     • + Cost for any fraudulent transactions
     • + Forensics
     • + Level 1 certification
     • Bad Publicity – Priceless!

  16. Why is Compliance Important?

  17. Can I assess myself?
     • Short answer: Maybe (but you probably don’t want to)
     • Long answer: You can assess yourself, provided:
       • You follow audit procedures
       • Your acquirer agrees
       • An approved officer (think President or CFO) signs on the “dotted line” (attesting to the veracity of the results)
       • You’re absolutely sure you’re going to do it right

  18. PCI DSS Assessment
     [Diagram of who is assessed how: Your Campus (PCI DSS SAQ, but which one? A/B/C/D?), the Payment Application (PA-DSS), and the Internet Service Provider (PCI DSS Level 1).]

  19. How do they do it?
     [Diagram: campus network with Internet, payment server, cell phones, department PCs, printers and laptops.]
     • SQL injection
     • Cross-site scripting
     • Key logging
     • Social Engineering
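Two of the attack classes listed on this slide, SQL injection and cross-site scripting, are easiest to understand as a vulnerable line of code next to its fixed form. The following is an added example, not part of the presentation and not CampusGuard's code; the merchant table, department names and merchant IDs are constructed for the demonstration.

```python
"""Added example (not from the presentation): the SQL injection and
cross-site scripting named on slide 19, each shown as a vulnerable
lookup/render beside its hardened form, run on constructed data."""
import html
import sqlite3


def make_db():
    # Constructed sample data: a campus merchant directory, nothing sensitive.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, dept TEXT, mid TEXT)")
    conn.executemany(
        "INSERT INTO merchants (dept, mid) VALUES (?, ?)",
        [("Bookstore", "MID-0001"), ("Parking", "MID-0002"), ("Athletics", "MID-0003")],
    )
    return conn


def lookup_vulnerable(conn, dept):
    # The statement is built by string concatenation, so whatever the user
    # typed becomes part of the SQL itself.
    sql = "SELECT mid FROM merchants WHERE dept = '" + dept + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, dept):
    # The value travels separately from the statement; the driver never
    # interprets it as SQL, so the query shape cannot change.
    rows = conn.execute("SELECT mid FROM merchants WHERE dept = ? ORDER BY id", (dept,))
    return [row[0] for row in rows]


def render_vulnerable(dept):
    # Untrusted text is pasted straight into HTML, so markup in it is rendered.
    return "<h1>Receipts for " + dept + "</h1>"


def render_safe(dept):
    # Output encoding turns '<', '>', '&' and quotes into entities; the
    # browser shows the text instead of executing it.
    return "<h1>Receipts for " + html.escape(dept) + "</h1>"


def demo():
    """Run both lookups with a normal value and with a tautology payload."""
    conn = make_db()
    normal = "Parking"
    tautology = "x' OR '1'='1"  # constructed classic training payload
    markup = "<script>alert(1)</script>"  # constructed XSS probe
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_injected": lookup_vulnerable(conn, tautology),  # returns every row
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_injected": lookup_parameterized(conn, tautology),  # returns nothing
        "render_vulnerable_has_script": "<script>" in render_vulnerable(markup),
        "render_safe_has_script": "<script>" in render_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology input widens the concatenated WHERE clause so that the vulnerable lookup returns every merchant, while the parameterized lookup treats the same string as a department name that simply does not exist. The same pattern applies to the payment server on the slide: parameterized queries at the database boundary and output encoding at the HTML boundary remove these two classes regardless of what the user sends.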

  20. What can they do with it?
     [Figure: stolen card data combined into cash; only symbols survive from the slide.]

  21. How can you prevent it?
     [Diagram: the same campus network, with the payment server separated from the Internet, cell phones, department PCs, printers and laptops.]
     • Strategic Scope
       • Only payment systems are in scope
       • Better all around

  22. Case Study: The commercial software was PA-DSS certified, but…
     • 1 – Firewall configuration
     • 7 – Access to system components and cardholder data
     • 8 – Assign unique ID to each person with computer access
     • 9 – Restrict physical access
     • 11 – Regularly test security systems and processes
     • 12 – Maintain a policy that addresses information security

  23. Managing Compliance

  24. Compliance Finish Line! ?

  25. PCI Compliance
     Discovery and Assessment:
     • Payments Analysis
     • Merchant Discovery
     • Documentation
     • Preliminary Scanning
     • Gap Analysis
     Remediation:
     • Correct Problems
     • Compensating Controls
     Validation:
     • ROC or SAQ Submission
     • Quarterly Scanning
     • Penetration Testing
     Re-validate every 12 months.

  26. Ron King, CampusGuard rking@campusguard.com (972) 964-8884
