Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

Two Approaches to PCI-DSS Compliance
EDUCAUSE Security Professionals Conference, April 11, 2006

Agenda
- What is PCI-DSS?
- Bringing a University into Compliance
- Maintaining Compliance
- Q & A

What is PCI-DSS?
- Brief history of credit card infosec regulation
- Who must comply?
- Consequences of non-compliance
- Review of the "Digital Dozen"

PCI DSS History
2000 - 2004: separate card-brand programs that preceded the unified standard
- Visa Cardholder Information Security Program (CISP)
- Mastercard Site Data Protection Program (SDP)
- Discover Information Security Compliance Program (DISC)
- American Express Data Security Standard (DSS)
These were consolidated into the Payment Card Industry Data Security Standard (PCI DSS).

Who Must Comply?
"Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data." (Hopefully, that doesn't mean you!)
"Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment." (That probably means you.)

Merchant Levels
Level 1: Any merchant who processes over 6,000,000 transactions annually. Any merchant that has suffered a breach. Any merchant designated Level 1 by Visa.
Level 2: Any merchant who processes between 150,000 and 6,000,000 e-commerce transactions annually.
Level 3: Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually.
Level 4: Anyone else.

Merchant Levels
- All merchants, regardless of level, must comply with all elements of the PCI DSS standard!
- Merchants at different levels have different validation requirements.

Service Providers
"Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers."

Consequences
Reputational Risk
- What will the impact be on your institution's brand?
- Mandatory involvement of federal law enforcement in investigation
Financial Risk
- Merchant banks may pass on substantial fines
- Up to $500,000 per incident from Visa alone
- Civil liability and cost of providing ID theft protection

Consequences
Compliance Risk
- Exposure to Level 1 validation requirements
Operational Risk
- Visa-imposed operational restrictions
- Potential loss of card processing privileges

What Does Compliance Take?

Introducing the Digital Dozen
1. Install and maintain a firewall
2. Do not use vendor default passwords
3. Protect stored data
4. Encrypt transmissions of cardholder data
5. Use and update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access by need-to-know
8. Assign unique IDs to all users
9. Restrict physical access to cardholder data
10. Track and monitor access to cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy

Bringing a University into Compliance
- Seeking assistance from consultants
- Centralized vs. decentralized approach
- Conducting a gap analysis
- Prioritizing remediation
- Infrastructure vs. tactical remediation

Seeking Assistance
- Self-Assessment Questionnaire (SAQ)
- Report on Compliance (ROC)
- Quarterly network scans (annual for Level 4)
- On-site assessment (Level 1 only)
- Penetration test (Level 1 only)

Centralized Approach
"If you build it, they will come"
- One physical location
- Need space/resources
- Retail applications: units will want the ability to customize
- Use 3rd party assessor (ROC)

Decentralized Approach
"Divide and Conquer"
- Maintains autonomy (good or bad?)
- Stop-gap
- Protects investments in technology
- Flexible: use 3rd party or DIY

Picking an Approach
- Hybrid is likely
- Consider phases
- Focus efforts: prioritize!
  - Weakest links
  - Biggest targets
- Merchant setup not relevant

Conducting a Gap Analysis
- Top administrative support essential
- Policy: comply with PCI-DSS
- Make friends with your money people

Conducting a Gap Analysis
- Preliminary meeting
- Phase 1: offsite review
- Phase 2: analysis
- Phase 3: onsite review
- Reporting and follow up

Gap Analysis - Preliminary
- Phone call and letter/email first
- Set expectations
- Gather information
  - Describe systems: IP addresses, locations
  - Software and OS versions, other equipment
- Share documentation and request it

Gap Analysis - Phase 1
- Perform network scans
- Research
- Perform system scanning
- Complete a Self-Assessment

Gap Analysis - Phase 2
Analyze preliminary results:
- Network scans
- System scans
- Self-Assessment responses
- Policy/procedure documentation

Gap Analysis - Phase 3
On-site review:
- Firewall required, appropriately configured
- Vendor defaults changed
- Configuration standards
- Encryption (stored data and transmissions)
- System maintenance
- Access controls, authentication
- Physical security
- Logging and monitoring
- Policy and procedures

Gap Analysis
- No surprises
- Respond with formal report
- Disperse SAQ, summarize results

Infrastructure vs. Tactical Remediation
Goal = infrastructure
- Centralize
- Control risk, comply
Reality = tactical first
- Upgrades
- Configurations
- Employ encryption

Prioritizing Remediation
- Network "drive by" attacks
- Firewall
- System configuration and maintenance
- Encryption
- Access controls
- Policy and procedure
- Trained staff are essential
Focus on your biggest risks!

Maintaining Compliance
- Testing
- Monitoring
- Audits and Self-Assessments

The Key to Success: Scope Management

Testing
- The standard requires you to conduct vulnerability scans
- Level 1, 2, and 3 merchants must have them done by a qualified external vendor
- The standard also requires annual penetration testing

Monitoring
- Intrusion detection/prevention
- File integrity monitoring
- Automated audit trails
  - Daily review
  - One year of history
  - Three months available online

Audits and Assessments
- Everyone should conduct self-assessments
- Level 2 and 3 merchants must conduct annual self-assessments
- Level 1 merchants must conduct annual on-site assessments

Design Review
Environments change. It is critical to introduce security review into:
- New merchant accounts
- Vendor selection
- Architecture modifications

Q & A
For more information: http://www.usa.visa.com/cisp
Contact: jane-drews@uiowa.edu, mchapple@nd.edu