Presentation is loading. Please wait.

Presentation is loading. Please wait.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Similar presentations


Presentation on theme: "Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University."— Presentation transcript:

1 Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University

2 PCI DSS, OMG! (and other TLAs) PCI SSC DSS PAN ASV SAQ QSA CVV ROCSIGPTS PEDCID

3 Before PCI DSS PCI SSC overview Higher Eds Voice Compliance vs. Security IUs approach

4

5 before PCI DSS (circa 2003)

6 VISA Cardholder Information Security Program MasterCard Site Data Protection Program American Express Data Security Operating Policy Discover Information Security and Compliance Program JCB Data Security Program

7 As fraud losses increased…

8 Merging standards

9

10 … enhance payment account data security by driving education and awareness of the PCI Security Standards.

11 PCI Security Standards Suite

12 OrganizationStakeholders Executive Committee Marketing Wkg Group Legal Management Committee Board of Advisors General Manager Secretariat QSA Committee ASV Committee Task Forces (ad hoc) Participating Organizations Technical Wkg Group DSS Technical Wkg Group PED QSA Program Management ASV Program Management PA Program Management

13 OrganizationStakeholders Executive Committee Marketing Wkg Group Legal Management Committee Board of Advisors General Manager Secretariat QSA Committee ASV Committee Task Forces (ad hoc) Participating Organizations Technical Wkg Group DSS Technical Wkg Group PED QSA Program Management ASV Program Management PA Program Management

14 Executive Committee

15 Participating Organizations Participating organizations have an opportunity to influence the direction of PCI standards through:

16 Participating Organizations Participating organizations have an opportunity to influence the direction of PCI standards through: active involvement in community meetings, advance review of drafts of standards and supporting materials, and regular dialogue with key stakeholders.

17 National Association of College and University Business Officers

18 National Association of College and University Business Officers Walt Conway Business Representative Tom Davis Technical Representative

19 PCI DSS Lifecycle

20 Compliance vs. Security

21 Security?

22 Robert Carr, CEO Heartland Payment Systems Inc.

23 … we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions. Robert Carr, CEO Heartland Payment Systems Inc.

24 General Manager (PCI DSS) is more about security than compliance. Bob Russo, General Manager PCI Security Standards Council

25 PCI DSS Overview Applies to all merchants that store, process, or transmit cardholder data all payment (acceptance) channels, including brick-and- mortar, mail, telephone, e-commerce (Internet) all forms, including electronic, paper, or oral Includes 12 requirements, based on administrative controls (policies, procedures, etc.) physical security (locks, physical barriers, etc.) technical security (passwords, encryption, etc.)

26 PCI Data Security Standard – High Level Overview Build and Maintain a Secure Network Requirement 1:Install and maintain a firewall configuration to protect cardholder data Requirement 2:Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3:Protect stored cardholder data Requirement 4:Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5:Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9:Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10:Track and monitor all access to network resources and cardholder data Requirement 11:Regularly test security systems and processes Maintain an Information Security Policy Requirement 12:Maintain a policy that addresses information security

27

28

29 Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

30 Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

31 Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

32 Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

33

34 Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

35

36

37 Youll have to get your own.

38 Maintaining and Sustaining Self-Assessment Questionnaires for each Dept/Unit each year -(about ~240 different merchants) Review of PCI virtual network Firewall rules, both to and from Closely working with our QSA on interpretations of the PCI DSS - Scope – Control – Guidance Change Management Program (which has existed at IU since before the 1990s) …if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antitheses of security theatre. --Ben Rothke and Anton Chuvakin, PCI Shrugged: Debunking Criticisms of PCI DSS

39 Resources NACUBO Business Officer Magazine Article Walt Conways PCI blog Treasury Institute Workshop PCI Security Standards Council https://www.pcisecuritystandards.org/

40

41 Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University


Download ppt "Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University."

Similar presentations


Ads by Google