Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University

PCI DSS, OMG! (and other TLAs) PCI SSC DSS PAN ASV SAQ QSA CVV ROCSIGPTS PEDCID

Before PCI DSS PCI SSC overview Higher Eds Voice Compliance vs. Security IUs approach

before PCI DSS (circa 2003)

VISA Cardholder Information Security Program MasterCard Site Data Protection Program American Express Data Security Operating Policy Discover Information Security and Compliance Program JCB Data Security Program

As fraud losses increased…

Merging standards

… enhance payment account data security by driving education and awareness of the PCI Security Standards.

PCI Security Standards Suite

OrganizationStakeholders Executive Committee Marketing Wkg Group Legal Management Committee Board of Advisors General Manager Secretariat QSA Committee ASV Committee Task Forces (ad hoc) Participating Organizations Technical Wkg Group DSS Technical Wkg Group PED QSA Program Management ASV Program Management PA Program Management

OrganizationStakeholders Executive Committee Marketing Wkg Group Legal Management Committee Board of Advisors General Manager Secretariat QSA Committee ASV Committee Task Forces (ad hoc) Participating Organizations Technical Wkg Group DSS Technical Wkg Group PED QSA Program Management ASV Program Management PA Program Management

Executive Committee

Participating Organizations Participating organizations have an opportunity to influence the direction of PCI standards through:

Participating Organizations Participating organizations have an opportunity to influence the direction of PCI standards through: active involvement in community meetings, advance review of drafts of standards and supporting materials, and regular dialogue with key stakeholders.

National Association of College and University Business Officers

National Association of College and University Business Officers Walt Conway Business Representative Tom Davis Technical Representative

PCI DSS Lifecycle

Compliance vs. Security

Security?

Robert Carr, CEO Heartland Payment Systems Inc.

… we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions. Robert Carr, CEO Heartland Payment Systems Inc.

General Manager (PCI DSS) is more about security than compliance. Bob Russo, General Manager PCI Security Standards Council

PCI DSS Overview Applies to all merchants that store, process, or transmit cardholder data all payment (acceptance) channels, including brick-and- mortar, mail, telephone, e-commerce (Internet) all forms, including electronic, paper, or oral Includes 12 requirements, based on administrative controls (policies, procedures, etc.) physical security (locks, physical barriers, etc.) technical security (passwords, encryption, etc.)

PCI Data Security Standard – High Level Overview Build and Maintain a Secure Network Requirement 1:Install and maintain a firewall configuration to protect cardholder data Requirement 2:Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3:Protect stored cardholder data Requirement 4:Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5:Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9:Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10:Track and monitor all access to network resources and cardholder data Requirement 11:Regularly test security systems and processes Maintain an Information Security Policy Requirement 12:Maintain a policy that addresses information security

Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

Office of the Treasurer University Information Campus Security Office Network Infrastructure Departments (aka: Merchants) (IU has over 240 merchants)

Youll have to get your own.

Maintaining and Sustaining Self-Assessment Questionnaires for each Dept/Unit each year -(about ~240 different merchants) Review of PCI virtual network Firewall rules, both to and from Closely working with our QSA on interpretations of the PCI DSS - Scope – Control – Guidance Change Management Program (which has existed at IU since before the 1990s) …if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antitheses of security theatre. --Ben Rothke and Anton Chuvakin, PCI Shrugged: Debunking Criticisms of PCI DSS

Resources NACUBO Business Officer Magazine Article Walt Conways PCI blog Treasury Institute Workshop PCI Security Standards Council

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University