Presentation is loading. Please wait.

Presentation is loading. Please wait.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

Published byShaniya Watkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance."— Presentation transcript:

1 JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance

2 Agenda What is PCI DSS? Why do I need to care? What are the requirements? How can I get started? Resources and templates

3 What is PCI DSS? PCI Security Standards Council  (American Express, Discover, JCB, MasterCard, and Visa) Designed to protect credit data, mitigate financial loss and avoid government(s) regulations Six security domains that make over 120 technical and operational security controls

4 Why do I need to care? Regulatory notification requirements Loss of reputation Loss of customers Potential financial liabilities Litigation

5 In the news

6 What are the requirements? Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy

7 Build and Maintain a Secure Network Firewalls  control computer traffic from PCI (trusted) networks to and from external (untrusted) networks Hardening systems  configuration management program  change defaults passwords and security settings  single purpose systems  remove unnecessary functions

8 Protect Cardholder Data Data Protection Program  data retention and disposal  minimize full PAN to absolutely necessary processes (truncate and masking first six and last four digits max if displayed, and hashing)  never store full track or card verification code Encryption of data and across public networks Key management is key to encryption

9 Maintain Vulnerability Management Program Configuration management Change management Patch management Anti-virus/malware protection Vulnerably management program  rank, determine impact and prioritize activity

10 Implement Strong Access Control Measures Restrict access  need to know  need to perform  according to job responsibilities  default “deny-all” Unique ID for accountability Restrict physical access  deny, deter, document and detect  destroy

11 Regularly Monitor and Test Networks Track and monitor access  log activity (during an incident you are trying to limit $cope by determining what happened) Test security systems and processes  test of presence of wireless  run internal vulnerably scans  run quarterly external vulnerably scans (ASV)  run intrusion-detection system  Run file-integrity monitoring tools

12 Maintain Information Security Policy Covers all personnel Training and awareness Requires operational procedures are in compliance Incident response Reviewed and updated annually

13 Compensating Controls Cannot meet the explicitly stated requirement due to legitimate technical or business constraints but has sufficiently compensating/ mitigating controls to address the risk. PCI DSS provides a compensating controls worksheet

14 Compensating Controls Worksheet 1. Constraints 2. Objective 3. Identified risk 4. Definition of compensation controls 5. Validation of compensating controls 6. Maintenance More information and example in the PCI DSS Documentation Library Data Security Standard, Requirement and Security Assessment Procedures, Version 2.0

15 Getting Started 1. Identify a lead and team members 2. Identity all PCI covered systems and processes 3. Complete Self-Assessment Questionnaire (SAQ) 4. Prioritize and address gaps 5. Complete a Report of Compliance (ROC) 6. Maintain the program

16 Self Assessment Questionnaire SAQMerchant / Activity Description ACard-not-present / outsourced e-commerce / mail/telephone- order / relies entirely on 3 rd party for handling electronic processes / Never has face-to-face with customer BImprint-only / dial-out terminal (phone line) / no electronic storage C-VTWeb-based virtual terminals / no electronic storage / Manually entered, no card readers CPayment application connected to the Internet / no electronic storage DAll other merchants / activities More information in the PCI DSS Documentation Library Self-Assessment Questionnaire, Instructions and Guidelines, Version 2.0

17 Prioritize and Address Gaps Resources and Templates www.csus.edu/irt/is/pci/presentations/index.html

18 Report on Compliance (ROC) Content and Format  Executive summary  Scope of work and approach taken  Details about reviewed environment  Contact information and report date  Quarterly scan results  Finding and observations

19 Terms Report of Compliance (ROC) Approved Scanning Vendor (ASV) Self Assessment Questionnaire (SAQ) Primary Account Number (PAN)

20 Resources and Credits PCI DSS Document Library:  Instructions and Guidelines  Requirements and Security Assessment Procedures Geekonomics, David Rice, 2008 CSU, Sacramento PCI DSS Program Adam Cook, Information Security Analyst, CSU, Sacramento

Download ppt "JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.

Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.

1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Visa Cemea Account Information Security (AIS) Programme

Visa Cemea Account Information Security (AIS) Programme
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

Similar presentations

Ads by Google