1 / 20

Payment Card Industry Data Security Standard (PCI DSS) Compliance

Payment Card Industry Data Security Standard (PCI DSS) Compliance. Jeff Williams Information Security Officer California State University, Sacramento. Agenda. What is PCI DSS? Why do I need to care? What are the requirements? How can I get started? Resources and templates.

emma-wood
Download Presentation

Payment Card Industry Data Security Standard (PCI DSS) Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Payment Card IndustryData Security Standard(PCI DSS) Compliance Jeff Williams Information Security Officer California State University, Sacramento

  2. Agenda What is PCI DSS? Why do I need to care? What are the requirements? How can I get started? Resources and templates

  3. What is PCI DSS? • PCI Security Standards Council • (American Express, Discover, JCB, MasterCard, and Visa) • Designed to protect credit data, mitigate financial loss and avoid government(s) regulations • Six security domains that make over 120 technical and operational security controls

  4. Why do I need to care? Regulatory notification requirements Loss of reputation Loss of customers Potential financial liabilities Litigation

  5. In the news

  6. What are the requirements? Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy

  7. Build and Maintain a Secure Network • Firewalls • control computer traffic from PCI (trusted) networks to and from external (untrusted) networks • Hardening systems • configuration management program • change defaults passwords and security settings • single purpose systems • remove unnecessary functions

  8. Protect Cardholder Data • Data Protection Program • data retention and disposal • minimize full PAN to absolutely necessary processes (truncate and masking first six and last four digits max if displayed, and hashing) • never store full track or card verification code • Encryption of data and across public networks Key management is key to encryption

  9. Maintain Vulnerability Management Program • Configuration management • Change management • Patch management • Anti-virus/malware protection • Vulnerably management program • rank, determine impact and prioritize activity

  10. Implement Strong Access Control Measures • Restrict access • need to know • need to perform • according to job responsibilities • default “deny-all” • Unique ID for accountability • Restrict physical access • deny, deter, document and detect • destroy

  11. Regularly Monitor and Test Networks • Track and monitor access • log activity (during an incident you are trying to limit $cope by determining what happened) • Test security systems and processes • test of presence of wireless • run internal vulnerably scans • run quarterly external vulnerably scans (ASV) • run intrusion-detection system • Run file-integrity monitoring tools

  12. Maintain Information Security Policy Covers all personnel Training and awareness Requires operational procedures are in compliance Incident response Reviewed and updated annually

  13. Compensating Controls Cannot meet the explicitly stated requirement due to legitimate technical or business constraints but has sufficiently compensating/ mitigating controls to address the risk. PCI DSS provides a compensating controls worksheet

  14. Compensating Controls Worksheet Constraints Objective Identified risk Definition of compensation controls Validation of compensating controls Maintenance More information and example in the PCI DSS Documentation Library Data Security Standard, Requirement and Security Assessment Procedures, Version 2.0

  15. Getting Started Identify a lead and team members Identity all PCI covered systems and processes Complete Self-Assessment Questionnaire (SAQ) Prioritize and address gaps Complete a Report of Compliance (ROC) Maintain the program

  16. Self Assessment Questionnaire More information in the PCI DSS Documentation Library Self-Assessment Questionnaire, Instructions and Guidelines, Version 2.0

  17. Prioritize and Address Gaps Resources and Templates www.csus.edu/irt/is/pci/presentations/index.html

  18. Report on Compliance (ROC) • Content and Format • Executive summary • Scope of work and approach taken • Details about reviewed environment • Contact information and report date • Quarterly scan results • Finding and observations

  19. Terms Report of Compliance (ROC) Approved Scanning Vendor (ASV) Self Assessment Questionnaire (SAQ) Primary Account Number (PAN)

  20. Resources and Credits • PCI DSS Document Library: • Instructions and Guidelines • Requirements and Security Assessment Procedures • Geekonomics, David Rice, 2008 • CSU, Sacramento PCI DSS Program • Adam Cook, Information Security Analyst, CSU, Sacramento

More Related