Payment Card Industry Data Security Standard Compliance

decisioncrunchNetworking and Communications

Nov 20, 2013 (3 years and 6 months ago)

78 views

JEFF WI LLI AMS

I NFORMATI ON SECURI TY OFFI CER

CALI FORNI A STATE UNI VERSI TY,
SACRAMENTO

Payment Card Industry

Data Security Standard

(PCI DSS)
Compliance

Agenda


What is PCI DSS?


Why do I need to care?


What are the requirements?


How can I get started?


Resources and templates


What is PCI DSS?


PCI Security Standards Council


(American Express, Discover, JCB, MasterCard,
and Visa)


Designed to protect credit data, mitigate
financial loss and avoid government(s)
regulations


Six security domains that make over 120
technical and operational security controls


Why do I need to care?


Regulatory notification requirements


Loss of reputation


Loss of customers


Potential financial liabilities


Litigation

In the news


What are the requirements?


Build and Maintain a Secure Network


Protect Cardholder Data


Maintain a Vulnerability Management
Program


Implement Strong Access Control Measures


Regularly Monitor and Test Networks


Maintain an Information Security Policy

Build and Maintain a Secure Network


Firewalls


control computer traffic from PCI (trusted)
networks to and from external (untrusted)
networks


Hardening systems


configuration management program


change defaults passwords and security settings


single purpose systems


remove unnecessary functions

Protect Cardholder Data


Data Protection Program


data retention and disposal


minimize full PAN to absolutely necessary
processes (truncate and masking first six and last
four digits max if displayed, and hashing)


never store full track or card verification code


Encryption of data and across public
networks

Key management is key to encryption

Maintain Vulnerability Management Program


Configuration management


Change management


Patch management


Anti
-
virus/malware protection


Vulnerably management program


rank, determine impact and prioritize
activity

Implement Strong Access Control Measures


Restrict access


need to know


need to perform


according to job responsibilities


default “deny
-
all”


Unique ID for accountability


Restrict physical access


deny, deter, document and detect


destroy

Regularly Monitor and Test Networks


Track and monitor access


log activity (during an incident you are trying to limit $cope by
determining what happened)


Test security systems and processes


test of presence of wireless


run internal vulnerably scans


run quarterly external vulnerably scans (ASV)


run intrusion
-
detection system


Run file
-
integrity monitoring tools

Maintain Information Security Policy


Covers all personnel


Training and awareness


Requires operational procedures are in compliance


Incident response


Reviewed and updated annually

Compensating Controls


Cannot meet the explicitly stated requirement due to
legitimate technical or business constraints but has
sufficiently compensating/ mitigating controls to
address the risk.


PCI DSS provides a compensating controls
worksheet

Compensating Controls Worksheet

1.
Constraints

2.
Objective

3.
Identified risk

4.
Definition of compensation controls

5.
Validation of compensating controls

6.
Maintenance

More information and example in the PCI DSS Documentation Library

Data Security Standard, Requirement and Security Assessment
Procedures, Version 2.0

Getting Started

1.
Identify a lead and team members

2.
Identity all PCI covered systems and
processes

3.
Complete Self
-
Assessment Questionnaire
(SAQ)

4.
Prioritize and address gaps

5.
Complete
a Report of Compliance (ROC)

6.
Maintain the program


Self Assessment Questionnaire

SAQ

Merchant / Activity

Description

A

Card
-
not
-
present / outsourced e
-
commerce / mail/telephone
-
order / relies

entirely on 3
rd

party for handling electronic
processes / Never has face
-
to
-
face with customer

B

Imprint
-
only / dial
-
out terminal (phone line) / no electronic
storage

C
-
VT

Web
-
based virtual terminals / no electronic

storage / Manually
entered, no card readers

C

Payment

application connected to the Internet / no electronic
storage

D

All

other merchants / activities

More information in the PCI DSS Documentation Library

Self
-
Assessment Questionnaire, Instructions and Guidelines, Version 2.0

Prioritize and
Address Gaps


Resources and Templates


www.csus.edu/irt/is/pci/presentations/index.html

Report on Compliance (ROC)


Content and Format


Executive summary


Scope of work and approach taken


Details about reviewed environment


Contact information and report date


Quarterly scan results


Finding and observations

Terms


Report of Compliance (ROC)


Approved Scanning Vendor (ASV)


Self Assessment Questionnaire (SAQ)


Primary Account Number (PAN)

Resources and Credits


PCI DSS Document Library:


Instructions and Guidelines


Requirements and Security Assessment Procedures


Geekonomics
, David Rice, 2008


CSU, Sacramento PCI DSS Program


Adam Cook, Information Security Analyst, CSU,
Sacramento