1 Disclaimer
Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

2 Two Approaches to PCI-DSS Compliance
EDUCAUSE Security Professionals Conference April 11, 2006

3 Agenda
What is PCI-DSS?
Bringing a University into Compliance
Maintaining Compliance
Q & A

4 What is PCI-DSS?
Brief history of credit card infosec regulation
Who must comply?
Consequences of non-compliance
Review of the “Digital Dozen”

5 PCI DSS History
2004: Visa Cardholder Information Security Program (CISP)
Mastercard Site Data Protection Program (SDP)
Payment Card Industry Data Security Standard (PCI DSS)
Discover Information Security Compliance Program (DISC)
American Express Data Security Standard (DSS)

6 Who Must Comply?
“Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.”
“Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.”
Hopefully, That Doesn’t Mean You!
That Probably Means You

7 Merchant Levels
Level 1: Any merchant who processes over 6,000,000 transactions annually; any merchant that has suffered a breach; any merchant designated Level 1 by Visa
Level 2: Any merchant who processes between 150,000 and 6,000,000 e-commerce transactions annually
Level 3: Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually
Level 4: Anyone else

8 Merchant Levels
All merchants, regardless of level, must comply with all elements of the PCI DSS standard!
Merchants at different levels have different validation requirements

9 Service Providers “Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers.”

10 Consequences
Reputational Risk
What will the impact be on your institution’s brand?
Mandatory involvement of federal law enforcement in investigation
Financial Risk
Merchant banks may pass on substantial fines
Up to $500,000 per incident from Visa alone
Civil liability and cost of providing ID theft protection

11 Consequences
Compliance Risk
Exposure to Level 1 validation requirements
Operational Risk
Visa-imposed operational restrictions
Potential loss of card processing privileges

12 What Does Compliance Take?

13 Introducing the Digital Dozen
1. Install and maintain a firewall
2. Do not use vendor default passwords
3. Protect stored data
4. Encrypt transmissions of cardholder data

14 Introducing the Digital Dozen
5. Use and update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access by need-to-know
8. Assign unique IDs to all users

15 Introducing the Digital Dozen
9. Restrict physical access to cardholder data
10. Track and monitor access to cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy

16 Bringing a University into Compliance
Seeking assistance from consultants
Centralized vs. decentralized approach
Conducting a gap analysis
Prioritizing remediation
Infrastructure vs. tactical remediation

17 Seeking Assistance
Self-Assessment Questionnaire
ROC
Quarterly network scans (annual for L4)
On-site assessment (L1 only)
Penetration test (L1 only)

18 Centralized Approach
“If you build it, they will come”
One physical location
Need space/resources
Retail applications
Units will want the ability to customize
Use 3rd party assessor (ROC)

19 Decentralized Approach
“Divide and Conquer”
Maintains autonomy (good or bad?)
Stop-gap
Protects investments in technology
Flexible: use 3rd party or DIY

20 Picking an Approach
Hybrid is likely
Consider phases
Focus efforts: prioritize!
Weakest links
Biggest targets
Merchant setup not relevant

21 Conducting a Gap Analysis
Top administrative support essential
Policy: comply with PCI-DSS
Make friends with your money people

22 Conducting a Gap Analysis
Preliminary meeting
Phase 1: offsite review
Phase 2: analysis
Phase 3: onsite review
Reporting and follow-up

23 Gap Analysis – Preliminary
Phone call and letter first
Set expectations
Gather information
Describe systems: IP addresses, locations
Software and OS versions, other equipment
Share documentation and request it

24 Gap Analysis – Phase 1
Perform network scans
Research
Perform system scanning
Complete a Self-Assessment

25 Gap Analysis – Phase 2
Analyze preliminary results:
Network scans
System scans
Self-Assessment responses
Policy/procedure documentation

26 Gap Analysis – Phase 3
On-site review:
Firewall required, appropriately configured
Vendor defaults changed
Configuration standards
Encryption (stored data and transmissions)
System maintenance
Access controls, authentication
Physical security
Logging and monitoring
Policy and procedures

27 Gap Analysis
No surprises
Respond with formal report
Disperse SAQ, summarize results

28 Infrastructure vs. Tactical Remediation
Goal = infrastructure: centralize, control risk, comply
Reality = tactical first: upgrades, configurations, employ encryption

29 Prioritizing Remediation
Network “drive-by” attacks
Firewall
System configuration and maintenance
Encryption
Access controls
Policy and procedure
Trained staff are essential
Focus on your biggest risks!

30 Maintaining Compliance
Testing
Monitoring
Audits and Self-Assessments

31 The Key to Success
Scope management

32 Testing
The standard requires you to conduct vulnerability scans
Level 1, 2, and 3 merchants must have them done by a qualified external vendor
The standard also requires annual penetration testing

33 Monitoring
Intrusion detection/prevention
File integrity monitoring
Automated audit trails
Daily review
One year of history
Three months available online
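The Monitoring slide lists file integrity monitoring and automated audit trails as controls without showing how they fit together. The following added example, which is not part of the original presentation, implements the baseline-and-compare cycle behind a minimal file integrity monitor in Python: it hashes every file under a directory, stores the baseline outside the monitored tree, rescans, classifies added, removed and modified files, and emits one audit-trail line per finding for the daily review the slide calls for. The directory layout, file names and contents in demo() are constructed for the illustration; the function names are the author's own choices, not any tool's API.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in 64 KiB chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Walk root and map each regular file ('/'-separated relative path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify every difference between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def audit_lines(report):
    """One audit-trail line per finding; the kind is the first token so it is easy to grep."""
    return [f"FIM {kind.upper()} {path}"
            for kind in ("added", "removed", "modified")
            for path in report[kind]]


def demo():
    """Constructed scenario: baseline a fake config tree, persist it, tamper, rescan."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as fh:
            fh.write("db_host=cardholder-db\n")  # constructed sample content
        with open(os.path.join(etc, "keys.txt"), "w") as fh:
            fh.write("placeholder\n")  # constructed sample content

        # Keep the baseline outside the monitored tree so it is not reported as "added".
        baseline_path = os.path.join(store, "baseline.json")
        with open(baseline_path, "w") as fh:
            json.dump(build_baseline(root), fh, indent=2, sort_keys=True)

        # Simulate the three kinds of change an operator wants flagged.
        with open(os.path.join(etc, "app.conf"), "a") as fh:
            fh.write("debug=true\n")
        os.remove(os.path.join(etc, "keys.txt"))
        with open(os.path.join(etc, "unexpected.bin"), "wb") as fh:
            fh.write(b"\x00\x01")

        with open(baseline_path) as fh:
            stored = json.load(fh)
        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    for line in audit_lines(demo()):
        print(line)
```

In a real deployment the baseline would live on a separate host or in write-once storage, since an attacker who can alter the monitored files can usually alter a baseline stored beside them; the audit lines would go to the centralized log store that holds the one year of history the slide requires.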

34 Audits and Assessments
Everyone should conduct self-assessments
Level 2 and 3 merchants must conduct annual self-assessments
Level 1 merchants must conduct annual on-site assessments

35 Design Review
Environments change
Critical to introduce security review into:
New merchant accounts
Vendor selection
Architecture modifications

36 Q & A
For more information
