The PCI DSS - Protect IU


Payment Card Industry
Data Security Standard
Tom Davis and Chad Marcum
Indiana University
PCI DSS, OMG!
(and other TLAs)
PTS: PIN Transaction Security
SIG: Special Interest Group
ROC: Report on Compliance
PAN: Primary Account Number
SSC: Security Standards Council
PED: PIN Entry Device
PCI: Payment Card Industry
CID: Card Identification Number (the card security code on American Express and Discover cards)
ASV: Approved Scanning Vendor
QSA: Qualified Security Assessor
SAQ: Self-Assessment Questionnaire
DSS: Data Security Standard
CVV: Card Verification Value
• Before PCI DSS
• PCI SSC overview
• Higher Ed’s Voice
• Compliance vs. Security
• IU’s approach
Before PCI DSS (circa 2003), each brand ran its own program:
• VISA: Cardholder Information Security Program
• MasterCard: Site Data Protection Program
• American Express: Data Security Operating Policy
• Discover: Information Security and Compliance Program
• JCB: Data Security Program
As fraud losses increased…
Merging standards
“… enhance payment account data security by driving education and awareness of the PCI Security Standards.”
PCI Security Standards Suite
[Organization chart of the PCI SSC: Stakeholders; Executive Committee; Board of Advisors; Management Committee; General Manager; Secretariat; Technical Working Group (DSS); Technical Working Group (PED); ASV Committee; QSA Committee; Task Forces (ad hoc); QSA Program Management; ASV Program Management; PA Program Management; Marketing Working Group; Legal; Participating Organizations]
Participating Organizations
“Participating organizations have an opportunity to influence the direction of PCI standards through:
• active involvement in community meetings,
• advance review of drafts of standards and supporting materials, and
• regular dialogue with key stakeholders.”
Participating Organizations
National Association of College and University Business Officers (NACUBO)
• Walt Conway, Business Representative
• Tom Davis, Technical Representative
PCI DSS Lifecycle
Compliance vs. Security
Security?
“… we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.”
-- Robert Carr, CEO, Heartland Payment Systems Inc.
“(PCI DSS) is more about security than compliance.”
-- Bob Russo, General Manager, PCI Security Standards Council
PCI DSS Overview
Applies to:
• all merchants that “store, process, or transmit cardholder data”
• all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
• all forms, including electronic, paper, or oral
Includes 12 requirements, based on:
• administrative controls (policies, procedures, etc.)
• physical security (locks, physical barriers, etc.)
• technical security (passwords, encryption, etc.)
PCI Data Security Standard – High Level Overview
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
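Requirement 3 is the one a merchant's developers most often have to turn into actual code: stored cardholder data must be protected, the PAN must be rendered unreadable or masked wherever it is kept or shown, and card verification values (CVV2/CVC2/CID) must never be retained after authorization. The script below is an added example, not code from the Indiana University presentation or from the PCI SSC. It scans text (here, constructed log lines, not real data) for 13- to 19-digit runs, confirms them with the Luhn check that all major brands use, masks confirmed PANs to first six and last four (one common masking format; a merchant's own policy may mask more), and flags lines where a CVV-style field has been written out. The regular expressions, the first-six/last-four choice and the function names `find_pans`, `mask_pan`, `redact` and `scan_log` are this example's assumptions, not anything the standard prescribes.

```python
"""Find and mask primary account numbers (PANs) in text, and flag logged
card-verification values.  Added example for PCI DSS Requirement 3; not code
from the Indiana University presentation or from the PCI SSC."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run.  Candidates are confirmed with a Luhn check below.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorization:
# CVV2 / CVC2 / CID field names followed by a 3- or 4-digit value.
SAD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings of Luhn-valid 13-19 digit runs in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Mask to first six and last four (assumed masking format; a merchant
    policy may mask more)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(repl, text)


# Constructed sample log lines (not real data; the card numbers are the usual
# brand test numbers, and the second one has a deliberately wrong check digit).
SAMPLE_LOG = [
    "2010-03-01 12:00:01 checkout ok order=1234 pan=4111 1111 1111 1111 amt=19.99",
    "2010-03-01 12:00:02 retry order=1235 pan=4111-1111-1111-1112 amt=19.99",
    "2010-03-01 12:00:03 debug auth request: card=378282246310005 cvv2=1234",
]


def scan_log(lines):
    """Report (line number, kind, detail) for each finding.  Only masked PANs
    are reported, so the scanner's own output does not itself become
    cardholder data that has to be protected."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, "PAN", mask_pan(pan)))
        if SAD_RE.search(line):
            findings.append((n, "SAD", "card verification value written to log"))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG[0]))
```

The Luhn check is what keeps the scanner from drowning in order numbers and timestamps, but it is only a filter: a random 16-digit string passes it one time in ten, so findings still need a human look. Note also that the second sample line, a PAN with a wrong check digit, is deliberately left untouched; a real number with a transcription error would slip past this scanner, which is one reason a scan like this complements rather than replaces keeping PANs out of logs in the first place.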
Office of the Treasurer
University Information
Security Office
Campus
Network
Infrastructure
Departments (aka: Merchants)
(IU has over 240 merchants)
You’ll have to get your own.
Maintaining and Sustaining
• Self-Assessment Questionnaires for each Dept/Unit each year (about 240 different merchants)
• Review of PCI virtual network firewall rules, both inbound and outbound
• Closely working with our QSA on interpretations of the PCI DSS: Scope, Control, Guidance
• Change Management Program (which has existed at IU since before the 1990s)
“…if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antithesis of security theatre.”
-- Ben Rothke and Anton Chuvakin, PCI Shrugged: Debunking Criticisms of PCI DSS
Resources
NACUBO Business Officer Magazine Article
http://tinyurl.com/yd2sjw8
Walt Conway’s PCI blog
http://treasuryinstitutepcidss.blogspot.com/
Treasury Institute Workshop
http://www.treasuryinstitute.org/resourcelibrary/PCI_2010/
PCI Security Standards Council
https://www.pcisecuritystandards.org/