Published by Hassan Scholer, modified over 10 years ago
1
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University
2
PCI DSS, OMG! (and other TLAs): PCI, SSC, DSS, PAN, ASV, SAQ, QSA, CVV, ROC, SIG, PTS, PED, CID
3
Agenda: Before PCI DSS; PCI SSC overview; Higher Ed's voice; Compliance vs. Security; IU's approach
5
Before PCI DSS (circa 2003)
6
Visa Cardholder Information Security Program; MasterCard Site Data Protection Program; American Express Data Security Operating Policy; Discover Information Security and Compliance Program; JCB Data Security Program
7
As fraud losses increased…
8
Merging standards
10
"… enhance payment account data security by driving education and awareness of the PCI Security Standards."
11
PCI Security Standards Suite
12
Organization / Stakeholders: Executive Committee; Management Committee; Board of Advisors; General Manager; Secretariat; Marketing Working Group; Legal; QSA Committee; ASV Committee; Task Forces (ad hoc); Participating Organizations; Technical Working Group (DSS); Technical Working Group (PED); QSA Program Management; ASV Program Management; PA Program Management
14
Executive Committee
16
Participating Organizations: participating organizations have an opportunity to influence the direction of PCI standards through active involvement in community meetings, advance review of drafts of standards and supporting materials, and regular dialogue with key stakeholders.
18
National Association of College and University Business Officers: Walt Conway, Business Representative; Tom Davis, Technical Representative
19
PCI DSS Lifecycle
20
Compliance vs. Security
21
Security?
23
"… we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions." -- Robert Carr, CEO, Heartland Payment Systems Inc.
24
"(PCI DSS) is more about security than compliance." -- Bob Russo, General Manager, PCI Security Standards Council
25
PCI DSS Overview
Applies to all merchants that store, process, or transmit cardholder data:
- all payment (acceptance) channels, including brick-and-mortar, mail, telephone, and e-commerce (Internet)
- all forms, including electronic, paper, or oral
Includes 12 requirements, based on:
- administrative controls (policies, procedures, etc.)
- physical security (locks, physical barriers, etc.)
- technical security (passwords, encryption, etc.)
26
PCI Data Security Standard – High Level Overview
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
29
IU's approach: Office of the Treasurer; University Information Security Office; Campus Network Infrastructure; Departments (aka Merchants; IU has over 240 merchants)
37
You'll have to get your own.
38
Maintaining and Sustaining
- Self-Assessment Questionnaires for each Dept/Unit each year (about 240 different merchants)
- Review of PCI virtual network firewall rules, both to and from
- Closely working with our QSA on interpretations of the PCI DSS: Scope, Control, Guidance
- Change Management Program (which has existed at IU since before the 1990s)
"… if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antithesis of security theatre." -- Ben Rothke and Anton Chuvakin, PCI Shrugged: Debunking Criticisms of PCI DSS
39
Resources
- NACUBO Business Officer Magazine article: http://tinyurl.com/yd2sjw8
- Walt Conway's PCI blog: http://treasuryinstitutepcidss.blogspot.com/
- Treasury Institute Workshop: http://www.treasuryinstitute.org/resourcelibrary/PCI_2010/
- PCI Security Standards Council: https://www.pcisecuritystandards.org/