Riding the wave from PCI DSS Ver 2.0 to 3.0

Ed Hudson, Systemwide Director, Information Security; Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento

Presentation Transcript


  1. Riding the wave from PCI DSS Ver 2.0 to 3.0
  • Ed Hudson, Systemwide Director, Information Security
  • Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento

  2. Summary Of Changes
  • Effective January 2014 (PCI DSS 3.0 was published in November 2013; version 2.0 remains valid for assessments through December 31, 2014)
  • Change Types
    • Clarification
    • Additional Guidance
    • Evolving Requirement (20)

  3. 5 Key Areas
  • Penetration Testing
  • Inventorying of System Components
  • Vendor Relationships
  • Anti-Malware
  • Physical Access and Point of Sale (POS)

  4. Penetration Testing (11.3)
  • Penetration testing must follow an “industry accepted methodology” (e.g. NIST SP 800-115), cover the whole CDE perimeter and critical systems, include both network-layer and application-layer testing, and be repeated after significant changes
  • Best practice until June 30, 2015; a requirement after that date
  • Why is this an issue?

  5. Inventorying System Components (2.4)
  • “Maintain an inventory of system components that are in scope for PCI DSS”
    • All hardware (virtual or physical)
    • Software (commercial or custom)
    • Applications (off the shelf, external or internal)
  • Requires that assessors “verify a list of hardware and software components including a description of function”
  • Authorized wireless access points, with documented business justification (11.1.1)

  6. Vendor Relationships (12.8.5 & 12.9)
  • Requires explicit documentation
  • Which PCI requirements are managed by you, which by a vendor, and which vendors (responsibility matrix)
  • Service providers must acknowledge their responsibilities in writing (12.9)
  • Contractual requirements

  7. Anti-Malware (5.1.2 & 5.3)
  • Requires campuses to “identify and evaluate evolving malware threats for systems not commonly affected” by malware (5.1.2)
  • Anti-virus may only be disabled or altered with specific, case-by-case authorization from management, and that authorization is time limited (5.3)

  8. Physical Access and POS (9.3)
  • Control physical access to sensitive areas for onsite personnel
  • Access must be authorized and based on individual job function
  • Access revoked immediately upon termination
  • Protect card-reading devices from tampering/substitution (9.9; best practice until June 30, 2015)
  • Consider non-standard POS locations
    • Food trucks, carts, etc.
  • Maintain a device list (make, model, location, serial number), inspect devices regularly, and document the policy
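The inventory slides (2.4 and 11.1.1) and the POS slide (9.9) both come down to the same operational check: keep an authoritative list of in-scope components and periodically reconcile it against what is actually present. The script below is an added example, not material from the presentation or from CSU; the asset identifiers, locations and dates are constructed, and the 90-day inspection interval is an assumed campus policy value, not a number PCI DSS sets. It flags a POS terminal whose serial number no longer matches the inventory (possible substitution), a terminal that was not found at its recorded location, a wireless BSSID that is not on the authorized list, and terminals whose last inspection has lapsed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """One row of the in-scope inventory (PCI DSS 2.4 / 9.9 / 11.1.1)."""
    asset_id: str                          # POS serial number, or BSSID for a wireless AP
    kind: str                              # "pos", "wireless_ap", "server", ...
    location: str
    function: str                          # description of function, as the assessor asks for
    last_inspected: Optional[date] = None  # 9.9 inspection date; POS devices only


# Constructed sample inventory; identifiers, locations and dates are made up.
AUTHORIZED = [
    Asset("POS-SN-0001", "pos", "Bursar window 1", "Card-present terminal", date(2014, 3, 1)),
    Asset("POS-SN-0002", "pos", "Bursar window 2", "Card-present terminal", date(2013, 11, 15)),
    Asset("POS-SN-0003", "pos", "Food truck A", "Mobile card-present terminal", date(2014, 2, 20)),
    Asset("AA:BB:CC:00:00:01", "wireless_ap", "Student center", "Guest Wi-Fi, segmented from CDE"),
]

# Constructed field results: serial numbers read off terminals during a site walk,
# and BSSIDs picked up by a wireless scan.
OBSERVED_POS = {
    "Bursar window 1": "POS-SN-0001",
    "Bursar window 2": "POS-SN-9999",   # serial differs from inventory: possible substitution
    # "Food truck A" absent: the device was not located
}
OBSERVED_APS = {"AA:BB:CC:00:00:01", "DE:AD:BE:EF:00:02"}  # second BSSID is not authorized


def reconcile_pos(authorized, observed_by_location):
    """9.9: compare inventoried POS devices with the serials found at each location.

    Returns (substituted, unaccounted, unexpected) as sorted lists of locations:
    substituted = a different serial is present, unaccounted = device not found,
    unexpected = a terminal is present where the inventory lists none.
    """
    expected = {a.location: a.asset_id for a in authorized if a.kind == "pos"}
    substituted = sorted(loc for loc, sn in observed_by_location.items()
                         if loc in expected and expected[loc] != sn)
    unaccounted = sorted(loc for loc in expected if loc not in observed_by_location)
    unexpected = sorted(loc for loc in observed_by_location if loc not in expected)
    return substituted, unaccounted, unexpected


def rogue_aps(authorized, seen_bssids):
    """11.1.1: any BSSID seen in a scan that is not in the authorized AP inventory."""
    allowed = {a.asset_id for a in authorized if a.kind == "wireless_ap"}
    return sorted(set(seen_bssids) - allowed)


def overdue_inspections(authorized, today, max_age_days=90):
    """9.9: POS devices never inspected, or not inspected within max_age_days.

    max_age_days=90 is an assumed local policy value, not a PCI DSS figure.
    """
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.asset_id for a in authorized
                  if a.kind == "pos"
                  and (a.last_inspected is None or a.last_inspected < cutoff))


def assessor_listing(authorized):
    """2.4: the component list an assessor asks for, one line per component with its function."""
    return [f"{a.kind}\t{a.asset_id}\t{a.location}\t{a.function}" for a in authorized]


if __name__ == "__main__":
    print("\n".join(assessor_listing(AUTHORIZED)))
    print("POS substituted/unaccounted/unexpected:", reconcile_pos(AUTHORIZED, OBSERVED_POS))
    print("Rogue APs:", rogue_aps(AUTHORIZED, OBSERVED_APS))
    print("Overdue inspections:", overdue_inspections(AUTHORIZED, date(2014, 3, 15)))
```

In practice the inventory would live in a CMDB or spreadsheet that the campus ISO and the bursar's office both own, and the observed lists would come from the periodic physical inspection log and the quarterly wireless scan that 11.1 already requires; the point of the reconciliation is that a substituted terminal or an unlisted access point shows up as an exception that someone has to close, rather than as a surprise at assessment time.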

  9. Building a plan
  • Partner on ownership
  • Engage senior executives
  • Plan
  • Communicate

  10. Prioritized Approach

  11. Case Study: Sacramento State
  • Partner – the Student Financial Services Center (SFSC) partnered with the campus Information Security Officer (ISO)
  • Plan – ISO and SFSC implemented required training, document gathering and periodic review
  • Developed a tracking process
  • Engaged Administration
  • Imposed “penalties” for non-compliance (“Shut ’er Down”)

  12. Case Study: Sacramento State
  • ICSUAM – Section 3102.05: http://www.calstate.edu/icsuam/sections/3000/3102.05.shtml
  • Write a campus policy to support the ICSUAM: http://www.csus.edu/umanual/admin/ADM-0117.html

  13.–17. Case Study: Sacramento State (slide content not included in the transcript)

  18. Case Study: Sacramento State
  • Report goes at least annually to the Vice President for Administration and Business Affairs and the Vice President & Chief Information Officer
  • To date, 3 departments were “shut down” until they could come into reasonable compliance

  19. Case Study: Sacramento State
  • You are welcome to copy our templates for your use
  • There is also a sample training presentation available
  • http://www.csus.edu/irt/is/pci/presentations/index.html
