
Jeff Williams Information Security Officer CSU, Sacramento


1 Jeff Williams Information Security Officer CSU, Sacramento
PCI DSS Roundtable Jeff Williams Information Security Officer CSU, Sacramento

2 Agenda
What is PCI DSS?
What are the financial impacts?
What are the requirements?
How do I become compliant?

3 PCI DSS Payment Card Industry Data Security Standard
Standard that is applied to:
  Merchants (you)
  Service providers (third-party vendors, gateways)
  Systems (hardware, software)
That:
  Store cardholder data
  Transmit cardholder data
  Process cardholder data
Applies to:
  Electronic transactions
  Paper transactions

4 The Financial Impact
Forced service outage during incidents
Forced service suspension
Loss of brand processing
Fines as high as $5,000 per card per day
Pay for independent investigation (entry fee of ~$30,000)
Fines up to $500,000
Large breaches…

5 The Financial Impact
$50,000,000
$10,000,000
$590,000
Combined fines for all three: $60,590,000

6 Business Impact Assessment
Consider the highest total cards processed in one day (disclaimer: numbers picked for easy math, optimistic, and assume pre-incident self-assessment and mitigation)
  100 total cards
  $50 per card for notification/communication
  $100 fine per card
  $30,000 investigation fee
Single Loss Expectancy: $45,000
Annualized Rate of Occurrence: .10
Annualized Loss Expectancy: $4,500

7 Business Impact Assessment
Consider the highest total cards processed in one day (disclaimer: numbers picked for easy math, optimistic, and assume little to no self-assessment and mitigation activities)
  100 total cards
  $50 per card for notification/communication
  $1,000 fine per card
  $30,000 investigation fee
Single Loss Expectancy: $180,000
Annualized Rate of Occurrence: .20
Annualized Loss Expectancy: $36,000

8 Business Impact Assessment
Consider:
  Your highest number of cards processed in a day
  A multi-day event
  You are out of compliance and store all cards processed
  Maximum fines
  Impact to your reputation/fundraising
  Impact to your operations
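The SLE/ARO/ALE arithmetic from the three Business Impact Assessment slides, as an added Python example (not part of the original presentation; the class, field and function names are this example's own). It reproduces slide 6 exactly. For slide 7, the itemized inputs (100 cards, $50 notification, $1,000 fine, $30,000 fee) sum to a Single Loss Expectancy of $135,000 rather than the $180,000 shown, so the slide's figure must include costs that are not itemized. The example also extends the model with the multi-day, maximum-fine case slide 8 asks you to consider, using the $5,000 per card per day ceiling quoted on slide 4.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    """Inputs for a single PCI breach loss estimate (field names are this example's, not the slides')."""

    cards: int                           # highest number of cards processed in one day
    days: int = 1                        # days the incident persists (slide 8: "a multi-day event")
    notify_cost_per_card: float = 50.0   # notification/communication cost, charged once per card
    fine_per_card_per_day: float = 100.0 # card-brand fine; slide 4 quotes a ceiling of $5,000/card/day
    investigation_fee: float = 30_000.0  # independent forensic investigation entry fee (slide 4)
    aro: float = 0.10                    # Annualized Rate of Occurrence (probability of one event per year)

    def single_loss_expectancy(self) -> float:
        """SLE = notification + fines + investigation fee for one incident."""
        notification = self.cards * self.notify_cost_per_card
        fines = self.cards * self.days * self.fine_per_card_per_day
        return notification + fines + self.investigation_fee

    def annualized_loss_expectancy(self) -> float:
        """ALE = SLE x ARO, rounded to cents to avoid float noise."""
        return round(self.single_loss_expectancy() * self.aro, 2)


# The three scenarios discussed on the slides, plus the slide-8 worst case.
SCENARIOS = {
    "slide 6 (mitigated)": BreachScenario(cards=100, fine_per_card_per_day=100.0, aro=0.10),
    "slide 7 (unmitigated)": BreachScenario(cards=100, fine_per_card_per_day=1_000.0, aro=0.20),
    # Slide 8: multi-day event, all cards stored, maximum fines. Three days is a constructed
    # value for illustration; $5,000/card/day is the ceiling from slide 4.
    "slide 8 (3-day, max fine)": BreachScenario(
        cards=100, days=3, fine_per_card_per_day=5_000.0, aro=0.20
    ),
}


def summarize(scenarios: dict[str, BreachScenario]) -> dict[str, tuple[float, float]]:
    """Return {name: (SLE, ALE)} so the figures can be compared or asserted on."""
    return {
        name: (s.single_loss_expectancy(), s.annualized_loss_expectancy())
        for name, s in scenarios.items()
    }


def main() -> None:
    for name, (sle, ale) in summarize(SCENARIOS).items():
        print(f"{name:<28} SLE ${sle:>14,.2f}   ALE ${ale:>12,.2f}")


if __name__ == "__main__":
    main()
```

The ALE is what you weigh against the yearly cost of the controls (scope reduction, not storing card data, the self-assessment itself): a control that costs less per year than the ALE it removes pays for itself, which is the argument the two side-by-side slides are making.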

9 12 High Level Security Requirements
Build and Maintain a Secure Network
  1. Use firewalls and NAT to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect physically stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications

10 12 High Level Security Requirements
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Routinely test security systems and processes
Maintain an Information Security Policy
  12. Establish high-level security principles and procedures

11 How do I become compliant?
It all starts with a Self Assessment
Identify and close your gaps
PCI Website - (the bottom of the webpage has a matrix of examples, guides, resources and templates)

12 Questions and Comments
Thank you, Jeff Williams

