Join us at the EDUCAUSE Security Conference in Denver to discuss Payment Card Industry Data Security Standards, Banner Security in SunGard, identity management best practices, encryption, and regulatory compliance.
EDUCAUSE Security Conference, Denver, Colorado, April 10 to 12, 2006 • Bob Beer, Biggs Engineering 117, (419) 772-2396, r-beer@onu.edu
Topics • SunGard Security in Banner • Identity Management • Payment Card Industry-Data Security Standard
Banner Security BOF (Joy R. Hughes, CIO, George Mason) • SunGard HE should not do identity management • Security feature requests include items that cost performance: • Encryption • Change tracking • Field-level audit trails • Current product performance
Banner Security cont. • Support for regulatory compliance • Security emphasized at the pre-implementation stage
Miscellaneous Banner Discussion • Best/recommended practices missing • Sensitive data not masked • Auto-generated IDs are sequential • Third-party application access is via privileged accounts • PINs visible in GOATPAD form • six characters • default PIN is the date of birth
Identity Management • AuthN and AuthZ • Identifiers (unify namespace) • Replaced SSN • PUID 00000-00000 • Provisioning (by department) • AuthZ (Id X Role matrix) • Example
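The identity-management slide names three pieces (a unified identifier namespace with a PUID in the form 00000-00000 replacing the SSN, provisioning by department, and authorization from an Id x Role matrix) but the example itself is not on the page. The block below is an added illustration, not code from the presentation or from SunGard Banner: the department names, roles and permissions are constructed, and the PUID generator is assumed to draw identifiers at random rather than sequentially (the sequential-ID problem noted on the Banner slide).

```python
"""Added example: unified PUID namespace, department-driven provisioning,
and an Id x Role matrix for authorization. All names and policy are constructed."""
import re
import secrets

PUID_RE = re.compile(r"^\d{5}-\d{5}$")        # PUID format from the slide: 00000-00000
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")   # reject anything that still looks like an SSN

# Constructed role -> permission map (assumption, not Banner's model).
ROLE_PERMS = {
    "student": {"grades:read_own"},
    "faculty": {"grades:read", "grades:write"},
    "registrar": {"records:read", "records:write"},
}

# Constructed provisioning policy: which roles each department may grant.
DEPT_GRANTS = {
    "admissions": {"student"},
    "provost": {"faculty"},
    "registrar": {"registrar"},
}


def new_puid(existing):
    """Mint an unused PUID from the full 10^10 space at random, so one
    identifier does not reveal the next (unlike a sequential counter)."""
    while True:
        n = secrets.randbelow(10**10)
        puid = f"{n // 100000:05d}-{n % 100000:05d}"
        if puid not in existing:
            return puid


def validate_identifier(ident):
    """Accept only PUID-shaped identifiers; refuse SSN-shaped ones outright."""
    if SSN_RE.match(ident):
        raise ValueError("SSN-shaped identifier rejected; use a PUID")
    if not PUID_RE.match(ident):
        raise ValueError("identifier is not a PUID (00000-00000)")
    return ident


class IdentityStore:
    def __init__(self):
        # The Id x Role matrix: puid -> set of roles held.
        self.matrix = {}

    def provision(self, puid, department, roles):
        """A department may only add roles it is allowed to grant."""
        validate_identifier(puid)
        allowed = DEPT_GRANTS.get(department, set())
        disallowed = set(roles) - allowed
        if disallowed:
            raise PermissionError(f"{department} cannot grant {sorted(disallowed)}")
        self.matrix.setdefault(puid, set()).update(roles)

    def deprovision(self, puid, department):
        """Remove every role the department is responsible for."""
        self.matrix.get(puid, set()).difference_update(DEPT_GRANTS.get(department, set()))

    def roles_of(self, puid):
        return frozenset(self.matrix.get(puid, set()))

    def authorized(self, puid, permission):
        """AuthZ: true if any role in the matrix row carries the permission."""
        return any(permission in ROLE_PERMS.get(r, set()) for r in self.matrix.get(puid, set()))
```

The matrix row for a PUID is the only thing the authorization check consults, so removing a department's roles on deprovisioning immediately revokes the permissions those roles carried.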
PCI-DSS • Data Security Standard 2004 • Applies to everyone who processes cards • Includes any equipment attached to the card processing environment • Compliance date June 2005 (poorly communicated)
Merchants and Service Providers • Merchant-our institutions • Service Provider-process, stores, transmits cardholder data
Levels
• Level 1: any merchant who processes over 6,000,000 transactions annually; any merchant that has suffered a breach; any merchant designated Level 1 by Visa
• Level 2: any merchant who processes between 150,000 and 6,000,000 e-commerce transactions annually
• Level 3: any merchant who processes between 20,000 and 150,000 e-commerce transactions annually
• Level 4: anyone else
Risks • Reputation (damage to “brand” and data disclosure legislation) • Financial ($500,000 per incident) • Compliance (level 1 requirements) • Operational (loss of processing)
12 Requirements • Install and maintain a firewall • Do not use vendor-supplied default passwords • Protect (encrypt) stored data • Encrypt transmission of cardholder data • Use and update AV software
Requirements continued • Develop and maintain secure systems and applications (patch management) • Restrict access (need to know) • Assign unique identifiers to all users (various password policies) • Restrict physical access to cardholder data
Requirements continued • Track and monitor access to cardholder data • Regularly test security systems and processes • Maintain an information security policy
Resources • http://www.usa.visa.com/cisp • Guidelines • Self-assessment • Audit