Presentation is loading. Please wait.

Presentation is loading. Please wait.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

Similar presentations


Presentation on theme: "JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance."— Presentation transcript:

1 JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance

2 Agenda What is PCI DSS? Why do I need to care? What are the requirements? How can I get started? Resources and templates

3 What is PCI DSS? PCI Security Standards Council  (American Express, Discover, JCB, MasterCard, and Visa) Designed to protect credit data, mitigate financial loss and avoid government(s) regulations Six security domains that make over 120 technical and operational security controls

4 Why do I need to care? Regulatory notification requirements Loss of reputation Loss of customers Potential financial liabilities Litigation

5 In the news

6 What are the requirements? Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy

7 Build and Maintain a Secure Network Firewalls  control computer traffic from PCI (trusted) networks to and from external (untrusted) networks Hardening systems  configuration management program  change defaults passwords and security settings  single purpose systems  remove unnecessary functions

8 Protect Cardholder Data Data Protection Program  data retention and disposal  minimize full PAN to absolutely necessary processes (truncate and masking first six and last four digits max if displayed, and hashing)  never store full track or card verification code Encryption of data and across public networks Key management is key to encryption

9 Maintain Vulnerability Management Program Configuration management Change management Patch management Anti-virus/malware protection Vulnerably management program  rank, determine impact and prioritize activity

10 Implement Strong Access Control Measures Restrict access  need to know  need to perform  according to job responsibilities  default “deny-all” Unique ID for accountability Restrict physical access  deny, deter, document and detect  destroy

11 Regularly Monitor and Test Networks Track and monitor access  log activity (during an incident you are trying to limit $cope by determining what happened) Test security systems and processes  test of presence of wireless  run internal vulnerably scans  run quarterly external vulnerably scans (ASV)  run intrusion-detection system  Run file-integrity monitoring tools

12 Maintain Information Security Policy Covers all personnel Training and awareness Requires operational procedures are in compliance Incident response Reviewed and updated annually

13 Compensating Controls Cannot meet the explicitly stated requirement due to legitimate technical or business constraints but has sufficiently compensating/ mitigating controls to address the risk. PCI DSS provides a compensating controls worksheet

14 Compensating Controls Worksheet 1. Constraints 2. Objective 3. Identified risk 4. Definition of compensation controls 5. Validation of compensating controls 6. Maintenance More information and example in the PCI DSS Documentation Library Data Security Standard, Requirement and Security Assessment Procedures, Version 2.0

15 Getting Started 1. Identify a lead and team members 2. Identity all PCI covered systems and processes 3. Complete Self-Assessment Questionnaire (SAQ) 4. Prioritize and address gaps 5. Complete a Report of Compliance (ROC) 6. Maintain the program

16 Self Assessment Questionnaire SAQMerchant / Activity Description ACard-not-present / outsourced e-commerce / mail/telephone- order / relies entirely on 3 rd party for handling electronic processes / Never has face-to-face with customer BImprint-only / dial-out terminal (phone line) / no electronic storage C-VTWeb-based virtual terminals / no electronic storage / Manually entered, no card readers CPayment application connected to the Internet / no electronic storage DAll other merchants / activities More information in the PCI DSS Documentation Library Self-Assessment Questionnaire, Instructions and Guidelines, Version 2.0

17 Prioritize and Address Gaps Resources and Templates

18 Report on Compliance (ROC) Content and Format  Executive summary  Scope of work and approach taken  Details about reviewed environment  Contact information and report date  Quarterly scan results  Finding and observations

19 Terms Report of Compliance (ROC) Approved Scanning Vendor (ASV) Self Assessment Questionnaire (SAQ) Primary Account Number (PAN)

20 Resources and Credits PCI DSS Document Library:  Instructions and Guidelines  Requirements and Security Assessment Procedures Geekonomics, David Rice, 2008 CSU, Sacramento PCI DSS Program Adam Cook, Information Security Analyst, CSU, Sacramento


Download ppt "JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance."

Similar presentations


Ads by Google