Presentation is loading. Please wait.

Presentation is loading. Please wait.

Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material.

Published byGyles Elwin Parker Modified over 9 years ago

Similar presentations

Presentation on theme: "Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material."— Presentation transcript:

1 Disclaimer Copyright Michael Chapple and Jane Drews, This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

2 Two Approaches to PCI-DSS Compliance
EDUCAUSE Security Professionals Conference April 11, 2006

3 Agenda What is PCI-DSS? Bringing a University into Compliance
Maintaining Compliance Q & A

4 What is PCI-DSS? Brief history of credit card infosec regulation
Who must comply? Consequences of non-compliance Review of “Digital Dozen”

5 Data Security Standard
PCI DSS History  2004 Visa Cardholder Information Security Program (CISP) Mastercard Site Data Protection Program (SDP) Payment Card Industry Data Security Standard (PCI DSS) Discover Information Security Compliance Program (DISC) American Express Data Security Standard (DSS)

6 Who Must Comply? “Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.” “Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.” Hopefully, That Doesn’t Mean You! That Probably Means You

7 Merchant Levels Merchant Level Description 1
Any merchant who processes over 6,000,000 transactions annually. Any merchant that has suffered a breach. Any merchant designated Level 1 by Visa 2 Any merchant who processes between 150,000 and 6,000,000 e-commerce transactions annually. 3 Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually. 4 Anyone else

8 Merchant Levels All merchants, regardless of level, must comply with all elements of the PCI DSS standard! Merchants at different levels have different validation requirements

9 Service Providers “Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers.”

10 Consequences Reputational Risk Financial Risk
What will the impact be on your institution’s brand? Mandatory involvement of federal law enforcement in investigation Financial Risk Merchant banks may pass on substantial fines Up to $500,000 per incident from Visa alone Civil liability and cost of providing ID theft protection

11 Consequences Compliance Risk Operational Risk
Exposure to Level 1 validation requirements Operational Risk Visa-imposed operational restrictions Potential loss of card processing privileges

12 What Does Compliance Take?

13 Introducing the Digital Dozen
Install and maintain a firewall Do not use vendor default passwords Protect stored data Encrypt transmissions of cardholder data

14 Introducing the Digital Dozen
Use and update antivirus software Develop and maintain secure systems and applications Restrict access by need-to-know Assign unique IDs to all users

15 Introducing the Digital Dozen
Restrict physical access to cardholder data Track and monitor access to cardholder data Regularly test security systems and processes Maintain an information security policy

16 Bringing a University into Compliance
Seeking assistance from consultants Centralized vs. decentralized approach Conducting a gap analysis Prioritizing remediation Infrastructure vs. tactical remediation

17 Seeking Assistance Self-Assessment Questionnaire ROC
Quarterly network scans (annual L4) On-site assessment (only L1) Penetration test (only L1)

18 Centralized Approach “If you build it, they will come”
One physical location Need space/resources Retail Applications Units will want ability to customize Use 3rd party assessor (ROC)

19 Decentralized Approach
“Divide and Conquer” Maintains autonomy – (good or bad?) Stop-gap Protects investments in technology Flexible – use 3rd party or DIY

20 Picking an Approach Hybrid is likely Focus efforts – Prioritize!
Consider phases Focus efforts – Prioritize! Weakest links Biggest targets Merchant setup not relevant

21 Conducting a Gap Analysis
Top administrative support essential Policy: Comply with PCI-DSS Make friends with your money people

22 Conducting a Gap Analysis
Preliminary meeting Phase 1 – offsite review Phase 2 – analysis Phase 3 – onsite review Reporting and follow up

23 Gap Analysis - Preliminary
Phone call and letter/ first Set expectations Gather information Describe systems IP addresses, locations Software and OS versions, other equipment Share documentation & request it

24 Gap Analysis – Phase 1 Perform network scans Research
Perform system scanning Complete a Self-Assessment

25 Gap Analysis – Phase 2 Analyze preliminary results Network scans
System scans Self-Assessment responses Policy/procedure documentation

26 Gap Analysis – Phase 3 On-site review
Firewall required, appropriately configured Vendor defaults changed Configuration standards Encryption (stored data & transmissions) System maintenance Access Controls, Authentication Physical security Logging and monitoring Policy and procedures

27 Gap Analysis No surprises Respond with formal report
Disperse SAQ, summarize results

28 Infrastructure vs. Tactical Remediation
Goal = infrastructure Centralize Control risk, comply Reality = tactical first Upgrades Configurations Employ encryption

29 Prioritizing Remediation
Network “drive by” attacks Firewall System configuration & maintenance Encryption Access controls Policy and Procedure Trained staff are essential Focus on your biggest risks !!!

30 Maintaining Compliance
Testing Monitoring Audits and Self-Assessments

31 The Key to Success Scope Management

32 Testing The standard requires you to conduct vulnerability scans
Level 1, 2, & 3 merchants must have them done by a qualified external vendor Standard also requires annual penetration testing

33 Monitoring Intrusion detection/prevention File integrity monitoring
Automated audit trails Daily review One year of history Three months available online

34 Audits and Assessments
Everyone should conduct self-assessments Level 2 & 3 merchants must conduct annual self-assessments Level 1 merchants must conduct annual on-site assessments

35 Design Review Environments change
Critical to introduce security review into: New merchant accounts Vendor selection Architecture modifications

36 Q & A For more information http://www.usa.visa.com/cisp

Download ppt "Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.
Visa Cemea Account Information Security (AIS) Programme

Visa Cemea Account Information Security (AIS) Programme
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
Copyright Security-Assessment.com 2005 Payment Card Industry Digital Security Standards Presented By Carl Grayson.

Copyright Security-Assessment.com 2005 Payment Card Industry Digital Security Standards Presented By Carl Grayson.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?

Similar presentations

Ads by Google