Payment Card Industry Data Security Standards

Slides:



Advertisements
Similar presentations
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Advertisements

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Visa Cemea Account Information Security (AIS) Programme
Security Controls – What Works
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
Copyright Security-Assessment.com 2005 Payment Card Industry Digital Security Standards Presented By Carl Grayson.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
Why Comply with PCI Security Standards?
Introduction to PCI DSS
Northern KY University Merchant Training
Payment Card Industry (PCI) Data Security Standard
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Web Advisory Committee June 17,  Implementing E-commerce at UW  Current Status and Future Plans  PCI Data Security Standard  Questions.
Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger
PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.
PCI DSS Managed Service Solution October 18, 2011.
Protecting Your Credit Card Security Environment (PCI) September 26, 2012 Jacob Arthur, CPA, QSA, CEH Timothy Agee, CISA, CGEIT, QSA FDH Consulting Frasier,
EDUCAUSE Security Conference Denver, Colorado April 10 to 12, 2006 Bob Beer Biggs Engineering 117 (419)
The influence of PCI upon retail payment design and architectures Ian White QSA Head of UK&I and ME PCI Team September 4, 2013 Weekend Conference 7 & 8.
An Introduction to PCI Compliance. Data Breach Trends About PCI-SSC 12 Requirements of PCI-DSS Establishing Your Validation Level PCI Basics Benefits.
NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
PCI requirements in business language What can happen with the cardholder data?
Introduction to Payment Card Industry Data Security Standard
North Carolina Community College System IIPS Conference – Spring 2009 Jason Godfrey IT Security Manager (919)
Introduction To Plastic Card Industry (PCI) Data Security Standards (DSS) April 28,2012 Cathy Pettis, SVP ICUL Service Corporation.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.
Payment Card PCI DSS Compliance SAQ-B Training Accounts Receivable Services, Controller’s Office 7/1/2012.
PCI Training for PointOS Resellers PointOS Updated September 28, 2010.
ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.
1 Payment Card Industry (PCI) Security Standard Developed by the PCI Security Council formed by major card issuers: Visa, MasterCard, American Express,
Payment Card Industry (PCI) Data Security Standard Version 3.1
Standards in Use. EMV June 16Caribbean Electronic Payments LLC2.
By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Introduction to PCI DSS
MARTA’s Road to PCI Compliance
Payment Card Industry (PCI) Rules and Standards
Wake Forest University
Summary of Changes PCI DSS V. 3.1 to V. 3.2
Payment Card Industry (PCI) Rules and Standards
Performing Risk Analysis and Testing: Outsource or In-house
PCI-DSS Security Awareness
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
Payment card industry data security standards
2013 PCI:DSS Meeting OSU Business Affairs
Internet Payment.
Session 11 Other Assurance Services
Payment Card Industry Data Security Compliance
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
PCI Compliance : Whys and wherefores
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
Payment Card Industry (PCI)
MARTA’s Road to PCI Compliance
Utility Payment Conference
PCI 3.1 Compliance Panel for CHECO
Presented by: Jeff Soukup
Presentation transcript:

Payment Card Industry Data Security Standards ISACA January 8, 2013

Cheryl Becker IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual re-certification Currently responsible for SOX IT and PCI testing as well various Corporate audits Board of Governors, IIA Cincinnati Chapter

What is PCI DSS? The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. Applies to any entity that stores, processes and/or transmits CHD.

History Lesson PCI is not government legislation.  It is an industry regulation.  The major Card Brands (Visa, MC, Discover, Amex) decided to create regulations which were initially agreed upon by the Card Brands in 2004. PCI DSS version 1 is dated December 2004. On June 30, 2005, the regulations took effect. The PCI Security Standards Council came into existence in 2006. 

PCI Security Standards Council The Council became responsible for the development, management, education and awareness of the PCI Data Security Standards. Each of the Card Brands (Visa, MC, Discover, Amex, JCB) have their own compliance programs in accordance with their own security risk management policies as well as their own definitions of the “levels” and their own penalizing/fining procedures for companies who have a breach.

Merchant Levels Overview 4 Little credit card business Some Card Brands do not have this level Annual Compliance Validation 3 Less than a million credit card transactions Annual Self-Assessment

Merchant Levels Overview 2 Millions (1+ to <6) credit card transactions All Card Brands have this level Must internally audit with a PCI certified Internal Security Assessor (ISA) using PCI DSS 1 Many millions (2.5+ to 6+) credit card transactions Must audit either using a PCI certified external Qualified Security Assessor (QSA) OR Internal Audit with ISA certification using PCI DSS

PCI ISA Training Program The PCI SSC Sponsor Company Internal Security Assessor Program is a PCI DSS training and qualification program for eligible internal audit security professionals. The course helps participants improve their organization's understanding of PCI DSS and validate and maintain ongoing compliance through: Enhancing the quality, reliability, and consistency of internal PCI DSS self-assessments Supporting the consistent and proper application of PCI DSS measures and controls Effectively facilitating interactions with QSAs https://www.pcisecuritystandards.org/index.php

PCI DSS Versioning Version 2.0 as of October 2010 Version will be on a three year basis The PCI documentation (end result) has changed every year

PCI DSS Six Goals Build and Maintain a Secure Network Protect Card Holder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy

12 Requirements 1) Install and Maintain a firewall configuration to protect Card Holder Data (CHD) Firewall and Router configuration standards Review Network Diagram Firewall and Router connections are restricted (inbound/outbound traffic) No direct internet connection to CHD (DMZ) 2) Do not use vendor supplied defaults Attempt to sign on with defaults Hardening standards and system configuration Non-console admin access is encrypted

12 Requirements 3) Protect stored CHD 4) Encrypt transmission of CHD Retention Policy and Procedures Quarterly process for deleting stored CHD Sample incoming transactions, logs, history files, trace files, database schemas and content Do not store full track, CVV or PIN Render PAN unreadable (mask/truncate) Encryption and key management 4) Encrypt transmission of CHD Verify encryption and encryption strength Verify wireless is industry best practice (no WEP)

12 Requirements 5) Use and regularly update Antivirus software All system have AV AV is current, actively running and logging 6) Develop and maintain secure systems and applications Patch management – current within one month ID new security vulnerabilities with risk rating Custom code is reviewed prior to release Change management process Developers are trained in secure coding techniques

12 Requirements 7) Restrict access to CHD by need-to-know Review access policies Confirm access rights for privileged users Confirm access controls are in place Confirm access controls default with “deny-all” 8) Assign a unique ID to each user Verify all users have a unique ID Verify authentication with ID/PW combination Verify two-factor authentication for remote access Verify terminated users are deleted Inspect configurations for PW controls

12 Requirements 9) Restrict physical access to CHD Access to computer rooms and data centers Video cameras are in place and video is secure Network jacks are secure – not in visitor area Process for assigning badges Storage locations are secure (offsite media) 10) Track and monitor all access to network resources Review audit trails – actions, time, date, user, etc. Time server updates and distribution Process to review security logs

12 Requirements 11) Regularly test security systems Test for wireless access points Internal and external network vulnerability scans Internal and external penetration testing annually File integrity monitoring tools are used 12) Maintain security policies Policies are reviewed at least annually Explicit approval is required for access Auto disconnect for inactivity-internal and remote Security awareness program is in place Incident Response Plan

PCI DSS Tests ~260 tests PCI DSS gives both the requirement and the test Every test has to have an answer Every bullet within each test must have an answer If the requirement is not in place, a target date and comments must be made If there are compensating controls, a Compensating Control Worksheet must be completed

PCI Documentation Attestation of Compliance Executive Summary Score Report on Compliance Test Procedures Score Sheet Report on Compliance

Attestation of Compliance This is the document that is submitted to the appropriate companies Scanning vendor Merchant (i.e. Bank) Card Brand Company (i.e. Amex) Signed by ISA/QSA and Officers of the Company Brief overview of Company and Cardholder Data Environment Not a website copy/paste My summation of the company (business, DC, locs)

Attestation of Compliance Brief overview of how the company stores, processes and/or transmits cardholder data Terminals Applications Third parties State if we are compliant All 12 Requirements are listed stating “in place” or “not in place” and “special” like N/A At the bottom explain special – N/A may be ‘not a service provider’

Compensating Control Worksheet Within the Attestation of Compliance The “special” column is where to state if it is a compensating control “NOTE: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance” Ex: cannot do 7 character pw on mainframe

Executive Summary Score Report on Compliance Detailed overview of CHDE – explain the flow from ‘swipe’ Phone orders Online orders Monthly charges Any other way CHD is processed Network diagram prepared by ISA/QSA Validate and explain scope – flat vs. segment Validate myself

Executive Summary Score Report on Compliance Explain the environment Personnel Payment channels IT Environment Locations Explain sampling method Exclusions and why they were excluded Wholly-owned Entities International locations Wireless Environment

Executive Summary Score Report on Compliance Service providers Third-party applications Individuals interviewed with titles List of documentation reviewed My contact information Quarterly scan information Findings and observations

Test Procedures Score Sheet Report on Compliance How each control was tested Observation – configuration or process Sampling Interview with whom Document reviews

Lessons Learned Give yourself enough time to complete the final reports Answer all of the points in each test Know your scope Inventory the environment Use a firewall to segment If you are getting your QSA/ISA, complete the training and study Users/coworkers/employees do not understand IT security (i.e. email)

Cheryl Becker IT Auditor Cintas Corporation beckerc@cintas.com