Protecting Credit Card Information

Presentation transcript:

Protecting Credit Card Information
IT Security Roundtable, January 14, 2011
Harvard Townsend, Chief Information Security Officer, harv@ksu.edu

Agenda
- Why we should care
- Payment card industry (PCI) expectations of merchants
- Overview of PCI Data Security Standards (PCI DSS)
- PCI compliance at K-State
- Open discussion

The Risks
- Stolen credit card information and the major costs associated with a breach
  - Notifying/compensating victims ($30 each)
  - Damages/liability for lost credit card numbers
  - Fines (depends on card brand or bank; range from $10K to $200K per month)
  - Additional compliance reporting/auditing requirements (may move to level 1 merchant)
  - Bank or credit card company may refuse to do business with us
- Identity theft
- Damage to reputation – perhaps more expensive/important than any of the above

Identity theft is really impersonation, where someone is pretending to be you in cyberspace and using that to obtain resources, usually credit.

Economics of a breach
A hypothetical merchant compromises 10,000 accounts:
- Notify clients: $30 x 10,000 = $300,000
- Fines and penalties: $50,000+
- Increased audit needs: $25,000 x 3 years = $75,000 (minimum)
- Fraud liability: 500 accounts x $1,000 = $500,000
- Reputation loss: PRICELESS!

PCI Expectations [PCI = Payment Card Industry]
- PCI Data Security Standards compliance
- Validate our compliance
  - Annual Self-Assessment Questionnaire (SAQ)
  - Quarterly network scans by an external vendor (“Approved Scan Vendor”, or ASV)
- Validation method depends on our “Merchant Level”, which is a reflection of the number of transactions per year

- K-State is now a level 3 merchant (several individual merchant IDs > 20,000 transactions per year in FY2010, cumulative ~ 280,000)

PCI Expectations
This means every K-State entity with a merchant ID (i.e., any department that accepts credit card payments) must:
- Protect cardholder information (ultimate goal)
- Fill out an SAQ every year
- Have its credit card technical infrastructure scanned for vulnerabilities by an approved scan vendor four times a year
- Ensure compliance with PCI DSS
K-State currently has 47 merchant IDs.

PCI Expectations
- There are 4 types of SAQs, based on how card info is accepted

The Players
“Payment Card Industry” encompasses all the organizations that store, process and transmit cardholder data:
- PCI Security Standards Council (PCI SSC)
- Card brands (VISA, MasterCard, etc.)
- Banks (Bank of America, Chase, etc.)
- Service Providers (manage the transactions for the banks, like PayPal, FirstData, VeriSign)
- Merchants (like K-State – the entity that takes the credit card info from the customer)
- PCI Assessors (Qualified Security Assessor – QSA)
- Approved Scan Vendor (ASV)

Overview of PCI DSS
- Six goals with 12 general security requirements
- ~150 detailed requirements
- 288 testing procedures to assess whether a requirement is “in place”
- A substantial set of requirements designed to provide adequate protection of “cardholder data”
- Many are technical, but some are process and policy oriented; requirement 12 even dabbles in contract law
- Compliance = implementing all the requirements

Overview of PCI DSS

Highlights: Build and Maintain a Secure Network
- Establish firewall and router configuration standards…
  … review firewall and router rule sets at least every six months
- Restrict connections between untrusted networks and any system components in the cardholder data environment…
  … verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and all other traffic is specifically denied (i.e., use an explicit “deny all” or an implicit deny after the allow statements)
- Prohibit direct public access between the Internet and any system component in the cardholder data environment

Highlights: Protect Cardholder Data
- Do not store sensitive authentication data after authorization (even if encrypted)…
  … card verification value (3-digit code on back of the card), PIN, or mag stripe content
- Render PAN [Primary Account Number] unreadable anywhere it is stored…
  … examine a sample of removable media (for example, back-up tapes) to confirm that the PAN is rendered unreadable
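An added example (not from the presentation) of what these two controls look like in code: before a record is written anywhere, the sensitive authentication data (CVV, PIN, track data) is dropped outright and the PAN is replaced by a masked form plus a keyed one-way hash for matching. The first-six/last-four mask, the HMAC-based lookup and the record layout are my assumptions about one reasonable design; the slide only states the goal.

```python
import hashlib
import hmac
import re

# Assumption: in production this key lives in an HSM/KMS; it is a constructed
# placeholder here so the example runs offline.
PAN_HMAC_KEY = b"EXAMPLE-KEY-NOT-FOR-PRODUCTION"

# Sensitive authentication data: must never be stored after authorization,
# even encrypted, so it is removed rather than protected.
SENSITIVE_AUTH_FIELDS = ("cvv", "pin", "track1", "track2")


def luhn_valid(pan: str) -> bool:
    """Luhn check so a malformed PAN is rejected before it reaches storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; hide everything else."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_lookup_hash(pan: str) -> str:
    """Keyed one-way hash so a full PAN can be matched without being stored."""
    return hmac.new(PAN_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def to_storable_record(auth_record: dict) -> dict:
    """Turn a post-authorization record into one that is safe to persist."""
    pan = re.sub(r"\D", "", auth_record["pan"])     # strip spaces/dashes
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("PAN failed length or Luhn check")
    # Copy only the fields that are neither the PAN nor sensitive auth data.
    stored = {k: v for k, v in auth_record.items()
              if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_hmac"] = pan_lookup_hash(pan)
    return stored
```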

Highlights: Maintain a Vulnerability Mgmt Program
- Use and regularly update antivirus software…
  … we can handle this one!!!
- Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed…
  … interview responsible personnel to verify that processes are implemented to identify new security vulnerabilities and rank them based on risk
- Follow change control processes and procedures for all changes to system components…
  … for a sample of system components and recent changes/security patches, trace those changes back to related change control documentation

Highlights: Implement Strong Access Control Measures
- Limit access to system components and cardholder data to only those individuals whose job requires such access…
  … confirm that privileges are assigned to individuals based on job classification and function
- Incorporate two-factor authentication for remote access…
  … observe an employee connecting remotely to the network and verify that two of the three authentication methods are used
- Ensure proper user identification and authentication management for non-consumer users and administrators on all system components…
  … change user passwords at least every 90 days

Highlights: Regularly Monitor and Test Networks
- Implement automated audit trails for all system components…
  … verify all individual access to cardholder data is logged, along with all actions taken by any individual with root or administrative privileges
- Review logs for all system components at least daily
- Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis

Highlights: Regularly Monitor and Test Networks (continued)
- Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis
- Run internal and external network scans at least quarterly and after any significant change in the network…
  … via an Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council
- Perform internal and external penetration testing at least once a year…
  … at the network layer and application layer
- Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside the cardholder data environment
- Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files

Highlights: Maintain an Information Security Policy
- Establish, publish, maintain, and disseminate a security policy…
  … that addresses all PCI DSS requirements
- Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security…
  … verify that personnel attend awareness training upon hire and at least annually
- Screen potential personnel prior to hire to minimize the risk of attacks from internal sources

K-State Compliance Plan
- Perform baseline survey audit of credit card handling, led by Internal Audit – starting March 2011
- Reduce scope of network exposure (for the quarterly scan)
- Contract with a QSA (PCI consultant) to do gap analysis and help develop a compliance plan
- Contract with ASV to perform initial quarterly network scan (late spring)
- Fill out SAQs (by June)
- Tackle full compliance in a strategic, prioritized manner over the next few years

Points to Ponder
- PCI DSS compliance is NOT optional
- Protecting credit card information is a serious matter requiring considerable effort and expense
- It is a university-wide effort – we must work together to move toward compliance as quickly as possible
- It is challenging since K-State has many merchants spread out all over campus with many ways of handling credit cards
- Many will have to change how they operate; some may find compliance too burdensome/expensive
- It’s not about complying with some arbitrary industry standard – these are reasonable security controls necessary for properly protecting confidential information

Policy
- K-State does have a policy for credit card handling: www.k-state.edu/policies/ppm/6115.html
- It includes a section on PCI compliance which states that departments must comply, do the quarterly scans, and fill out the SAQ (see “.070 Payment Card Industry Requirements”)

Contacts
- Division of Financial Services: Jennyfer Owensby, 532-6211, jennyfer@k-state.edu
- Information Security and Compliance: Harvard Townsend, 532-2985, harv@k-state.edu

What’s on your mind?