North Carolina Community College System

IIPS Conference – Spring 2009

PCI Compliance

Jason Godfrey

IT Security Manager

(919) 807-7054

godfreyj@nccommunitycolleges.edu

Agenda
  • PCI Data Security Standard (DSS)
  • Latest Data Security Standard
  • Compliant Process
  • Becoming Compliant
  • Maintaining Compliance
  • Determining Which SAQ
  • General Tips
  • Prioritizing Milestones
  • Challenges
  • Additional Information
  • Q & A - Open forum
Latest Data Security Standard
  • Current version is 1.2
  • Released October 2008
  • Majority of changes are explanatory and clarifications
  • Three enhancements
    • Section 4.1.1 – wireless encryption standards and testing requirements: strong encryption per industry best practice (e.g. IEEE 802.11i); WEP is prohibited for new wireless implementations after March 31, 2009 and for all implementations after June 30, 2010
    • Appendix D: Attestation of Compliance form for merchants (onsite assessments)
    • Appendix E: Attestation of Compliance form for service providers (onsite assessments)
Compliance Process

Three stages, in order:

  • Compliance – implement the required processes and procedures
  • Validation – Self-Assessment Questionnaire (SAQ) and vulnerability scans
  • Attestation – sign and submit the Attestation of Compliance

Becoming Compliant

1. PCI DSS Scoping – determine what system components are governed by PCI DSS

2. Sampling – examine the compliance of a subset of system components in scope

3. Compensating Controls – QSA validates alternative control technologies/processes

4. Reporting – merchant/organization submits required documentation

5. Clarifications – merchant/organization clarifies/updates report statements (if applicable)

General Tips
  • Never store sensitive authentication data after authorization, even encrypted
    • Full contents of any track from the magnetic stripe
    • Card verification codes and values (CAV2/CVC2/CVV2/CID)
    • PIN blocks
  • Contact your POS vendor regarding PCI compliance
  • Don’t store cardholder data if you don’t need it
  • Minimize scope
  • Prioritize requirements
Prioritizing Milestones (1)

1. Remove sensitive authentication data and limit data retention.

2. Protect the perimeter, internal, and wireless networks.

3. Secure payment card applications.

4. Monitor and control access to your systems.

5. Protect stored cardholder data (security classes).

6. Finalize remaining compliance efforts, and ensure all controls are in place.

(1) The Prioritized Approach to Pursue PCI DSS Compliance
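The first thing the General Tips and milestone 1 both ask for is to find out where card data is actually sitting before deciding what to delete or take out of scope. The scanner below is an added example, not code from the presentation or from the NC Community College System: it looks for Luhn-valid PANs (masked to first six and last four digits, as PCI DSS requirement 3.3 allows), magnetic-stripe track data, and labelled card verification codes in text such as application logs or database exports. The sample log lines are constructed for the example, using public test card numbers, and the regular expressions are this example's own heuristics, not a PCI Council tool.

```python
"""Added example (not part of the original presentation): scan text for stored
cardholder data and sensitive authentication data. Sample log lines are
constructed; the patterns and helpers are this example's own."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (%B<PAN>^<NAME>^<YYMM><service code>...?) and Track 2
# (;<PAN>=<YYMM><service code>...?) as read from the magnetic stripe.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]*\?")
# Card verification value/code (CAV2/CVC2/CVV2/CID) written next to its label.
CVV_RE = re.compile(r"\b(?:cav2|cvc2?|cvv2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS requirement 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_line(line: str) -> dict:
    """Classify one line: masked PANs, track data present, CVV present."""
    return {
        "pans": [mask_pan(p) for p in find_pans(line)],
        "track_data": bool(TRACK1_RE.search(line) or TRACK2_RE.search(line)),
        "cvv": bool(CVV_RE.search(line)),
    }


def scan_lines(lines) -> list:
    """Return (line number, findings) for every line that holds card data."""
    hits = []
    for n, line in enumerate(lines, 1):
        r = scan_line(line)
        if r["pans"] or r["track_data"] or r["cvv"]:
            hits.append((n, r))
    return hits


# Constructed sample log lines (not real data; PANs are public test numbers).
# Line 1 has a 13-digit order number that fails Luhn; line 4 has a near-PAN
# that also fails Luhn. Only lines 2 and 3 should be reported.
SAMPLE_LOG = [
    "2009-03-12 10:01:22 order=1234567890123 amount=42.00 status=approved",
    "2009-03-12 10:01:23 DEBUG pan=4111 1111 1111 1111 exp=1225 cvv=123",
    "2009-03-12 10:01:24 ERROR swipe failed raw=%B5555555555554444^DOE/JANE^2512101?",
    "2009-03-12 10:01:25 INFO ticket=4111111111111112 resolved",
]

if __name__ == "__main__":
    for n, r in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {r}")
```

Run it over log directories, database dumps and the backup sets mentioned under Challenges; every hit is either something to purge (track data and CVVs must not be stored after authorization at all) or a system that is in PCI DSS scope whether or not it was thought to be. The Luhn check keeps the noise down but is not proof of a card number, so treat hits as leads to confirm by hand.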

Challenges
  • Documenting policies, processes, and procedures
  • Storing backups in secured manner (off-site is preferable)
  • Separation of duties
  • Local payment card applications
  • Hardware and software
    • CCTV
    • File monitoring
    • Audit trails
  • Internal and external penetration tests
  • Training
  • Management buy-in and user acceptance
Additional Information
  • PCI Council

https://www.pcisecuritystandards.org

  • PCI Council Navigating the SAQ

https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf

  • PCI Council Quick Guide

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

  • PCI Prioritized Approach

https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach_PCI_DSS_1_2.pdf

  • Trustwave
    • General Questions – (800) 363-1621
    • support@trustwave.com
Additional Information
  • System Office – contact the CIS Help Desk
  • US CERT

http://www.us-cert.gov/

  • SANS Institute

http://www.sans.org/

  • NC ITS State-wide Security Manual

http://www.scio.state.nc.us/SITPoliciesAndStandards/Statewide_Information_Security_Manual.asp

  • Open Source applications
    • Network Security Tool (NST)
    • Snort
    • Untangle
    • Zenoss