410 likes | 623 Views
Payment Card Industry Data Security Standard. Tom Davis and Chad Marcum Indiana University. PCI DSS, OMG! (and other TLAs ). PTS. SIG. ROC. PAN. SSC. PED. PCI. CID. ASV. QSA. SAQ. DSS. CVV. Before PCI DSS PCI SSC overview Higher Ed’s Voice Compliance vs. Security
E N D
Payment Card IndustryData Security Standard Tom Davis and Chad Marcum Indiana University
PCI DSS, OMG!(and other TLAs) PTS SIG ROC PAN SSC PED PCI CID ASV QSA SAQ DSS CVV
Before PCI DSS • PCI SSC overview • Higher Ed’s Voice • Compliance vs. Security • IU’s approach
VISA • Cardholder Information Security Program • MasterCard • Site Data Protection Program • American Express • Data Security Operating Policy • Discover • Information Security and Compliance Program • JCB • Data Security Program
As fraud losses increased…
“… enhance payment account data security by driving education and awareness of the PCI Security Standards.”
Organization Stakeholders Executive Committee Board of Advisors Management Committee General Manager Marketing Wkg Group Legal QSA Committee Secretariat ASV Committee Technical Wkg Group DSS Task Forces (ad hoc) Technical Wkg Group PED Participating Organizations QSA Program Management ASV Program Management PA Program Management
Organization Stakeholders Executive Committee Board of Advisors Management Committee General Manager Marketing Wkg Group Legal QSA Committee Secretariat ASV Committee Technical Wkg Group DSS Task Forces (ad hoc) Technical Wkg Group PED Participating Organizations QSA Program Management ASV Program Management PA Program Management
Executive Committee
“Participating organizations have an opportunity to influence the direction of PCI standards through: Participating Organizations
“Participating organizations have an opportunity to influence the direction of PCI standards through: • active involvement in community meetings, • advance review of drafts of standards and supporting materials, and • regular dialogue with key stakeholders.” Participating Organizations
National Association of College and University Business Officers
National Association of College and University Business Officers Walt Conway Business Representative Tom Davis Technical Representative
PCI DSS Lifecycle
Robert Carr, CEO Heartland Payment Systems Inc.
“… we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.” Robert Carr, CEO Heartland Payment Systems Inc.
General Manager “(PCI DSS) is more about security than compliance.” Bob Russo, General Manager PCI Security Standards Council
PCI DSS Overview • Applies to • all merchants that “store, process, or transmit cardholder data” • all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet) • all forms, including electronic, paper, or oral • Includes 12 requirements, based on • administrative controls (policies, procedures, etc.) • physical security (locks, physical barriers, etc.) • technical security (passwords, encryption, etc.)
PCI Data Security Standard – High Level Overview Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security
Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)
Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)
Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)
Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)
Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)
OS Scanners WSUS DNS Web app Scanners ADS Logs NTP PCI Virtual Network
Maintaining and Sustaining Self-Assessment Questionnaires for each Dept/Unit each year -(about ~240 different merchants) Review of PCI virtual network Firewall rules, both to and from Closely working with our QSA on interpretations of the PCI DSS - Scope – Control – Guidance Change Management Program (which has existed at IU since before the 1990s) “…if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antitheses of security theatre.” --Ben Rothke and Anton Chuvakin, PCI Shrugged: Debunking Criticisms of PCI DSS
Resources • NACUBO Business Officer Magazine Article • http://tinyurl.com/yd2sjw8 • Walt Conway’s PCI blog • http://treasuryinstitutepcidss.blogspot.com/ • Treasury Institute Workshop • http://www.treasuryinstitute.org/resourcelibrary/PCI_2010/ • PCI Security Standards Council • https://www.pcisecuritystandards.org/
Payment Card IndustryData Security Standard Tom Davis and Chad Marcum Indiana University