Payment Card Industry Data Security Standard
Tom Davis and Chad Marcum, Indiana University
PCI DSS, OMG! (and other TLAs)
PCI, SSC, DSS, PAN, ASV, SAQ, QSA, CVV, ROC, SIG, PTS, PED, CID
• Before PCI DSS
• PCI SSC overview
• Higher Ed’s Voice
• Compliance vs. Security
• IU’s approach
Before PCI DSS (circa 2003)
VISA Cardholder Information Security Program
MasterCard Site Data Protection Program
American Express Data Security Operating Policy
Discover Information Security and Compliance Program
JCB Data Security Program
As fraud losses increased…
Merging standards
“… enhance payment account data security by driving education and awareness
of the PCI Security Standards.”
PCI Security Standards Suite
Organization Stakeholders
Executive Committee
Marketing Wkg Group
Legal Management Committee
Board of Advisors
General Manager
Secretariat
QSA Committee
ASV Committee
Task Forces (ad hoc)
Participating Organizations
Technical Wkg Group, DSS
Technical Wkg Group, PED
QSA Program Management
ASV Program Management
PA Program Management
“Participating organizations have an opportunity to influence the direction of PCI standards through:
• active involvement in community meetings,
• advance review of drafts of standards and supporting materials, and
• regular dialogue with key stakeholders.”
National Association of College and University Business Officers
Walt Conway, Business Representative
Tom Davis, Technical Representative
PCI DSS Lifecycle
Compliance vs. Security
Security?
“… we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.”
Robert Carr, CEO, Heartland Payment Systems Inc.
“(PCI DSS) is more about security than compliance.”
Bob Russo, General Manager, PCI Security Standards Council
PCI DSS Overview
Applies to all merchants that “store, process, or transmit cardholder data”
• all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
• all forms, including electronic, paper, or oral
Includes 12 requirements, based on
• administrative controls (policies, procedures, etc.)
• physical security (locks, physical barriers, etc.)
• technical security (passwords, encryption, etc.)
PCI Data Security Standard – High Level Overview
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Office of the Treasurer
University Information Security Office
Campus Network Infrastructure
Departments (aka: Merchants) (IU has over 240 merchants)
OS SCANNERS
ADS
WEB APP SCANNERS
PCI VIRTUAL NETWORK
DNS
LOGS
WSUS
NTP
You’ll have to get your own.
Maintaining and Sustaining
Self-Assessment Questionnaires for each Dept/Unit each year (about 240 different merchants)
Review of PCI virtual network firewall rules, both inbound and outbound
Working closely with our QSA on interpretations of the PCI DSS: scope, control, guidance
Change Management Program (which has existed at IU since before the 1990s)
“…if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antithesis of security theatre.”
-- Ben Rothke and Anton Chuvakin, PCI Shrugged: Debunking Criticisms of PCI DSS
Resources
NACUBO Business Officer Magazine Article: http://tinyurl.com/yd2sjw8
Walt Conway’s PCI blog: http://treasuryinstitutepcidss.blogspot.com/
Treasury Institute Workshop: http://www.treasuryinstitute.org/resourcelibrary/PCI_2010/
PCI Security Standards Council: https://www.pcisecuritystandards.org/