JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance
Agenda What is PCI DSS? Why do I need to care? What are the requirements? How can I get started? Resources and templates
What is PCI DSS? PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) Designed to protect credit data, mitigate financial loss and avoid government(s) regulations Six security domains that make over 120 technical and operational security controls
Why do I need to care? Regulatory notification requirements Loss of reputation Loss of customers Potential financial liabilities Litigation
In the news
What are the requirements? Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy
Build and Maintain a Secure Network Firewalls control computer traffic from PCI (trusted) networks to and from external (untrusted) networks Hardening systems configuration management program change defaults passwords and security settings single purpose systems remove unnecessary functions
Protect Cardholder Data Data Protection Program data retention and disposal minimize full PAN to absolutely necessary processes (truncate and masking first six and last four digits max if displayed, and hashing) never store full track or card verification code Encryption of data and across public networks Key management is key to encryption
Maintain Vulnerability Management Program Configuration management Change management Patch management Anti-virus/malware protection Vulnerably management program rank, determine impact and prioritize activity
Implement Strong Access Control Measures Restrict access need to know need to perform according to job responsibilities default “deny-all” Unique ID for accountability Restrict physical access deny, deter, document and detect destroy
Regularly Monitor and Test Networks Track and monitor access log activity (during an incident you are trying to limit $cope by determining what happened) Test security systems and processes test of presence of wireless run internal vulnerably scans run quarterly external vulnerably scans (ASV) run intrusion-detection system Run file-integrity monitoring tools
Maintain Information Security Policy Covers all personnel Training and awareness Requires operational procedures are in compliance Incident response Reviewed and updated annually
Compensating Controls Cannot meet the explicitly stated requirement due to legitimate technical or business constraints but has sufficiently compensating/ mitigating controls to address the risk. PCI DSS provides a compensating controls worksheet
Compensating Controls Worksheet 1. Constraints 2. Objective 3. Identified risk 4. Definition of compensation controls 5. Validation of compensating controls 6. Maintenance More information and example in the PCI DSS Documentation Library Data Security Standard, Requirement and Security Assessment Procedures, Version 2.0
Getting Started 1. Identify a lead and team members 2. Identity all PCI covered systems and processes 3. Complete Self-Assessment Questionnaire (SAQ) 4. Prioritize and address gaps 5. Complete a Report of Compliance (ROC) 6. Maintain the program
Self Assessment Questionnaire SAQMerchant / Activity Description ACard-not-present / outsourced e-commerce / mail/telephone- order / relies entirely on 3 rd party for handling electronic processes / Never has face-to-face with customer BImprint-only / dial-out terminal (phone line) / no electronic storage C-VTWeb-based virtual terminals / no electronic storage / Manually entered, no card readers CPayment application connected to the Internet / no electronic storage DAll other merchants / activities More information in the PCI DSS Documentation Library Self-Assessment Questionnaire, Instructions and Guidelines, Version 2.0
Prioritize and Address Gaps Resources and Templates
Report on Compliance (ROC) Content and Format Executive summary Scope of work and approach taken Details about reviewed environment Contact information and report date Quarterly scan results Finding and observations
Terms Report of Compliance (ROC) Approved Scanning Vendor (ASV) Self Assessment Questionnaire (SAQ) Primary Account Number (PAN)
Resources and Credits PCI DSS Document Library: Instructions and Guidelines Requirements and Security Assessment Procedures Geekonomics, David Rice, 2008 CSU, Sacramento PCI DSS Program Adam Cook, Information Security Analyst, CSU, Sacramento