200 likes | 380 Views
Payment Card Industry Data Security Standard (PCI DSS) Compliance. Jeff Williams Information Security Officer California State University, Sacramento. Agenda. What is PCI DSS? Why do I need to care? What are the requirements? How can I get started? Resources and templates.
E N D
Payment Card IndustryData Security Standard(PCI DSS) Compliance Jeff Williams Information Security Officer California State University, Sacramento
Agenda What is PCI DSS? Why do I need to care? What are the requirements? How can I get started? Resources and templates
What is PCI DSS? • PCI Security Standards Council • (American Express, Discover, JCB, MasterCard, and Visa) • Designed to protect credit data, mitigate financial loss and avoid government(s) regulations • Six security domains that make over 120 technical and operational security controls
Why do I need to care? Regulatory notification requirements Loss of reputation Loss of customers Potential financial liabilities Litigation
What are the requirements? Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy
Build and Maintain a Secure Network • Firewalls • control computer traffic from PCI (trusted) networks to and from external (untrusted) networks • Hardening systems • configuration management program • change defaults passwords and security settings • single purpose systems • remove unnecessary functions
Protect Cardholder Data • Data Protection Program • data retention and disposal • minimize full PAN to absolutely necessary processes (truncate and masking first six and last four digits max if displayed, and hashing) • never store full track or card verification code • Encryption of data and across public networks Key management is key to encryption
Maintain Vulnerability Management Program • Configuration management • Change management • Patch management • Anti-virus/malware protection • Vulnerably management program • rank, determine impact and prioritize activity
Implement Strong Access Control Measures • Restrict access • need to know • need to perform • according to job responsibilities • default “deny-all” • Unique ID for accountability • Restrict physical access • deny, deter, document and detect • destroy
Regularly Monitor and Test Networks • Track and monitor access • log activity (during an incident you are trying to limit $cope by determining what happened) • Test security systems and processes • test of presence of wireless • run internal vulnerably scans • run quarterly external vulnerably scans (ASV) • run intrusion-detection system • Run file-integrity monitoring tools
Maintain Information Security Policy Covers all personnel Training and awareness Requires operational procedures are in compliance Incident response Reviewed and updated annually
Compensating Controls Cannot meet the explicitly stated requirement due to legitimate technical or business constraints but has sufficiently compensating/ mitigating controls to address the risk. PCI DSS provides a compensating controls worksheet
Compensating Controls Worksheet Constraints Objective Identified risk Definition of compensation controls Validation of compensating controls Maintenance More information and example in the PCI DSS Documentation Library Data Security Standard, Requirement and Security Assessment Procedures, Version 2.0
Getting Started Identify a lead and team members Identity all PCI covered systems and processes Complete Self-Assessment Questionnaire (SAQ) Prioritize and address gaps Complete a Report of Compliance (ROC) Maintain the program
Self Assessment Questionnaire More information in the PCI DSS Documentation Library Self-Assessment Questionnaire, Instructions and Guidelines, Version 2.0
Prioritize and Address Gaps Resources and Templates www.csus.edu/irt/is/pci/presentations/index.html
Report on Compliance (ROC) • Content and Format • Executive summary • Scope of work and approach taken • Details about reviewed environment • Contact information and report date • Quarterly scan results • Finding and observations
Terms Report of Compliance (ROC) Approved Scanning Vendor (ASV) Self Assessment Questionnaire (SAQ) Primary Account Number (PAN)
Resources and Credits • PCI DSS Document Library: • Instructions and Guidelines • Requirements and Security Assessment Procedures • Geekonomics, David Rice, 2008 • CSU, Sacramento PCI DSS Program • Adam Cook, Information Security Analyst, CSU, Sacramento