NACCU Presents
PCI-DSS
The Technical Aspects
September 23, 2008

Joel Weidner
Director, Information Systems
Penn State Auxiliary & Business Services
NACCU (National Association of Campus Card Users)

Presentation Summary

  • Introduction
  • The Card Data Environment
  • Transmission vs. Storage of Card Data
  • Segmenting
  • Encrypting
  • Logging
  • Testing
  • Documenting
  • Getting Help
Payment Card Industry (PCI) Data Security Standards (DSS)

  • Regulations created by and enforced by the card labels (i.e. Visa, MC)—not laws.
  • Applies to transactions processed using credit cards or branded debit (check cards).
  • Non-compliance and related data breach can result in fines and jeopardize your ability as a merchant to accept and process credit cards (not to mention reputational damage).
Special Note about ID Card Systems

  PCI-DSS regulations do not directly apply to ID card transactions that are not branded with a card label . . .

  HOWEVER . . .
Your ID System May Need to be PCI-DSS Compliant

  • In many cases, point of sale devices/terminals used to process ID transactions are also used to process credit cards
  • Some ID cards are VISA/MasterCard branded
  • Depending on the specifics of your particular implementation, part or all of your card system may need to be PCI compliant
Cardholder Data Environment

  "Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission."

  "Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment."
Understanding Your Environment is Critical to Planning for Compliance

  To understand which parts of your infrastructure need to be protected and be compliant, you need to consider carefully WHAT is going on and WHERE it is happening. Wherever possible, limit the scope of activities to reduce your compliance efforts and related costs.
Understanding Where & What

  • Where are credit cards being entered?
    – Usually via a keyboard or card swipe
  • What parts of the network is the credit card data traversing?
  • Are you storing protected credit card data?
    – If so, where (which workstations or servers)?
  • What other systems/terminals are connected to the environment?
  • What other applications are being used on workstations processing credit cards?
Transmission vs. Storage

  • All POS systems/terminals have to transmit credit card data to process a sale, but do you have to store sensitive credit card data?
  • Eliminating the storage of credit card data can reduce the scope and costs of compliance.
Transmission vs. Storage

  If your vendor can support a solution where only an authorization number or transaction number is stored—in place of a credit card number (PAN)—it is much easier to meet the requirements and can greatly reduce your liability if you are breached.
Data You Are Not Allowed to Store Under Any Circumstances

  • PINs or encrypted PIN block
  • CVV or CVV2 codes (the 3 or 4 digit printed security codes on the back of cards)
  • Track Data (full card track data, tracks 1 & 2)
Data You Can Store But Must Protect

  • PAN – Primary account number (usually 16 digits)
  • Cardholder Name
  • Expiration Date
Storage Requirements (if you must store credit card data)

  • Encryption of data
  • Management of encryption keys
  • Increased logging requirements
  • Restriction/monitoring of physical access to server (including video surveillance)
  • Management and protection of backup media
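The storage slides above (store an authorization or transaction number instead of the PAN; never persist PIN, CVV/CVV2 or track data; protect PAN, name and expiry if you keep them) can be turned into a single gatekeeper that sits between the authorization response and the database. The example below is added here and is not code from the presentation or from Penn State; the key store, key id, field names and the HMAC-based lookup token are assumptions for illustration, and the PAN used is the well-known 4111... test number.

```python
import hashlib
import hmac
import json
import re

# Sensitive authentication data that must never be persisted after
# authorization (slide "Data You Are Not Allowed to Store").
PROHIBITED_FIELDS = {"pin", "pin_block", "cvv", "cvv2", "track1", "track2", "track_data"}

# Constructed key store for the lookup token: key id -> secret.  A real
# deployment keeps these in a key-management system and rotates them.
KEY_STORE = {"k2008-09": b"constructed-demo-key-never-use-in-production"}
CURRENT_KEY_ID = "k2008-09"


class ProhibitedDataError(ValueError):
    """Raised when a record carries data PCI-DSS forbids storing."""


def luhn_ok(pan: str) -> bool:
    """Standard Luhn (mod 10) check, used to reject mistyped PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for display and reconciliation."""
    return "*" * (len(pan) - 4) + pan[-4:]


def tokenize_pan(pan: str, key_id: str = CURRENT_KEY_ID) -> str:
    """Keyed hash of the PAN: lets you recognise a repeat card without storing
    the PAN.  The key id is recorded so tokens can be re-issued on key rotation."""
    digest = hmac.new(KEY_STORE[key_id], pan.encode(), hashlib.sha256).hexdigest()
    return f"{key_id}:{digest}"


def build_storable_record(raw: dict) -> dict:
    """Turn a raw authorization response into the only record we persist."""
    present = PROHIBITED_FIELDS & {k.lower() for k in raw}
    if present:
        raise ProhibitedDataError(f"refusing to persist prohibited fields: {sorted(present)}")
    pan = re.sub(r"\D", "", raw["pan"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("PAN failed length/Luhn check")
    record = {
        "auth_number": raw["auth_number"],   # what the deck suggests storing instead of a PAN
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "cardholder_name": raw.get("cardholder_name"),  # allowed, but still protected data
        "expiry": raw.get("expiry"),
    }
    # Belt and braces: the full PAN must not appear anywhere in what we persist.
    assert pan not in json.dumps(record)
    return record


if __name__ == "__main__":
    # Constructed sample authorization response (test PAN, not a real card).
    sample = {"pan": "4111 1111 1111 1111", "auth_number": "A1B2C3",
              "cardholder_name": "J. Doe", "expiry": "09/10"}
    print(json.dumps(build_storable_record(sample), indent=2))
    try:
        build_storable_record({**sample, "cvv2": "123"})
    except ProhibitedDataError as e:
        print("rejected:", e)
```

The point of the keyed token is that a database dump yields neither PANs nor anything an attacker can reverse without the key, while the application can still match returning cards; the masked value covers receipts and customer service screens. If the vendor's software can only work with a full PAN, that is the moment to push for the authorization-number model the slide describes rather than to bolt encryption onto the PAN afterwards.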
Pitfalls of Vendor Reliance

  Many of us rely on vendors to properly maintain systems. This can be problematic.
  • Password maintenance (shared support accounts/default passwords)
  • File permissions
  • Cleanup of backup/temporary files
  If your system is breached, the card companies will penalize you as the merchant—not your vendor.
Payment Application Best Practices (PABP)

  • Ask your vendors if they are PABP certified and require proof of what they tell you
  • When looking for new software, be sure to include language in your RFP about PABP
Segmenting

  Segregating the computers, networks, and applications that process credit card information from other computers, applications, and networks is key.
Segmenting

  (Diagram:)
  Computers, networks, and applications that process credit card information.
  Computers, networks, and applications that do not process credit card information.
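The two Segmenting slides and the earlier question "What other systems/terminals are connected to the environment?" come down to one exercise: take the hosts you have declared to be the cardholder data environment, look at what actually talks to them, and see which boundary crossings you intended. The example below is an added illustration, not code or data from the presentation; the host names, allow-lists and flow records are constructed, and the classification follows the "connected-to" reading of the CDE definition quoted earlier (any host with a flow into or out of the CDE is in scope until the flow is removed).

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Hypothetical host names for a small campus card deployment.
CDE_HOSTS = {"pos-01", "pos-02", "pay-srv"}

# Boundary crossings the design intends: (peer, dport).  Everything else that
# crosses the CDE boundary is a segmentation gap to fix.
ALLOWED_EGRESS = {("gateway.example", 443), ("syslog-01", 514), ("ntp-01", 123)}
ALLOWED_INGRESS = {("mgmt-jump", 22)}

# Constructed flow records (as a firewall or netflow export might give them).
SAMPLE_FLOWS = [
    Flow("pos-01", "pay-srv", 8443),          # inside the CDE
    Flow("pay-srv", "gateway.example", 443),  # intended egress to the processor
    Flow("pos-01", "syslog-01", 514),         # intended egress to the log server
    Flow("mgmt-jump", "pay-srv", 22),         # intended admin ingress
    Flow("pos-02", "fileshare-01", 445),      # POS reaching a general file share
    Flow("hr-ws-17", "pos-01", 3389),         # office workstation reaching a POS
    Flow("hr-ws-18", "fileshare-01", 445),    # nothing to do with the CDE
]


def classify(flows, cde=CDE_HOSTS):
    """Split hosts into CDE, connected-to (in scope) and out of scope, and list
    boundary crossings that the allow-lists do not cover."""
    hosts = {f.src for f in flows} | {f.dst for f in flows} | set(cde)
    connected, violations = set(), []
    for f in flows:
        src_in, dst_in = f.src in cde, f.dst in cde
        if src_in == dst_in:
            continue                      # entirely inside or entirely outside
        if src_in:                        # egress from the CDE
            connected.add(f.dst)
            if (f.dst, f.dport) not in ALLOWED_EGRESS:
                violations.append(f)
        else:                             # ingress into the CDE
            connected.add(f.src)
            if (f.src, f.dport) not in ALLOWED_INGRESS:
                violations.append(f)
    scope = {"cde": set(cde), "connected_to": connected,
             "out_of_scope": hosts - set(cde) - connected}
    return scope, violations


if __name__ == "__main__":
    scope, violations = classify(SAMPLE_FLOWS)
    for name in ("cde", "connected_to", "out_of_scope"):
        print(f"{name:13}: {sorted(scope[name])}")
    for v in violations:
        print("segmentation gap:", v)
```

Run over real flow data this is the list you hand to the network team: every host in `connected_to` is part of the assessment until its flow is either removed or added to the allow-list with a justification, which is exactly how "adequate network segmentation" shrinks the PCI scope.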
Common Attack Vectors

  Email and unrestricted web browsing are the two most common attack vectors for malware (even commonly used and well respected web sites have been recently reported as unwittingly spreading malware through improperly designed ads).

  A compromised workstation that processes credit transactions is a reportable breach.
Original Account Deposit Screen
  (screenshot)

New Account Deposit Screen using "punch out" technology
  (screenshot)

PSUPay Secure Payment Server Screen
  (screenshot)
System and Application Patching

  • Operating system patches
  • Application patches
  • Anti-virus definitions
Restricting Access

  • Unique IDs for all users
  • Complex password policies
  • Proper application security—access on a need-to-know basis.
  • Immediate revocation of access for terminated employees
  • Physical access to workstations & servers
  • Two factor authentication for remote access
Encrypting

  • Encryption of transmission of cardholder data across open, public networks
  • Encryption of transmission of cardholder data across wireless networks—specific protocols are spelled out in the specifications
  • Encryption of cardholder data at rest
  • Management of encryption keys (storing and changing)
Logging

  • All individual user accesses to cardholder data
  • All actions using root or administrative access
  • Access to audit trails
  • Invalid access attempts
  • Backing up and securing audit trails
  • Synchronization of system clocks
  • Daily review of logs
  • Retain logs for at least one year, with a minimum of 3 months online
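The "Daily review of logs" bullet is where most small merchants fall down, because the review is done by eye or not at all. The script below is an added example, not from the presentation or any vendor: it parses a handful of constructed log lines in a made-up "timestamp host facility: EVENT key=value" shape (the event names and field names are assumptions) and pulls out the things the slide says must be logged and reviewed: repeated invalid access attempts, root or administrative actions, access to cardholder data, access to the audit trail itself, and a sign that a host clock has drifted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines; they are not from any real POS or server.
SAMPLE_LOGS = """\
2008-09-23T08:01:12Z pos-01 auth: LOGIN_OK user=jdoe src=10.20.1.15
2008-09-23T08:02:40Z pos-01 auth: LOGIN_FAIL user=admin src=198.51.100.7
2008-09-23T08:02:44Z pos-01 auth: LOGIN_FAIL user=admin src=198.51.100.7
2008-09-23T08:02:49Z pos-01 auth: LOGIN_FAIL user=admin src=198.51.100.7
2008-09-23T08:05:03Z db-01 app: CARD_DATA_READ user=jdoe record=txn-88213
2008-09-23T08:07:30Z db-01 sudo: ROOT_ACTION user=mlee cmd="/usr/bin/vi /etc/pos/app.conf"
2008-09-23T08:09:10Z db-01 app: AUDIT_TRAIL_ACCESS user=mlee path=/var/log/audit
2008-09-23T08:11:00Z pos-02 auth: LOGIN_FAIL user=jdoe src=10.20.1.15
2008-09-23T07:58:00Z pos-02 auth: LOGIN_OK user=mlee src=10.20.1.16
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<event>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_THRESHOLD = 3   # repeated failures from one user/source worth a look


def parse_line(line: str):
    """Parse one line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rec.pop("rest"))}
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_logs(text: str):
    """Return (kind, detail) findings for a daily review of the log set."""
    findings = []
    fails = Counter()
    last_ts = None
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(("UNPARSED", line))
            continue
        # Centralized logs should arrive in time order; a step backwards
        # usually means a host clock is not synchronized.
        if last_ts is not None and rec["ts"] < last_ts:
            findings.append(("CLOCK_SKEW", f"{rec['host']} logged {rec['ts']} after {last_ts}"))
        if last_ts is None or rec["ts"] > last_ts:
            last_ts = rec["ts"]
        ev, f = rec["event"], rec["fields"]
        if ev == "LOGIN_FAIL":
            key = (f.get("user"), f.get("src"))
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:
                findings.append(("REPEATED_LOGIN_FAILURE", f"{key[0]} from {key[1]} on {rec['host']}"))
        elif ev == "CARD_DATA_READ":
            findings.append(("CARDHOLDER_DATA_ACCESS", f"{f.get('user')} read {f.get('record')} on {rec['host']}"))
        elif ev == "ROOT_ACTION":
            findings.append(("ADMIN_ACTION", f"{f.get('user')} ran {f.get('cmd')} on {rec['host']}"))
        elif ev == "AUDIT_TRAIL_ACCESS":
            findings.append(("AUDIT_TRAIL_ACCESS", f"{f.get('user')} opened {f.get('path')} on {rec['host']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_logs(SAMPLE_LOGS):
        print(f"{kind:24} {detail}")
```

Nothing here replaces a human reading the output, but a short findings list is something a manager will actually look at every morning, and the "UNPARSED" and "CLOCK_SKEW" entries catch the two failure modes that silently undermine the one-year retention requirement: logs you cannot read, and logs whose timestamps cannot be trusted.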
Testing

  • Annual testing of security controls
  • Quarterly network vulnerability scans (and after any significant network changes)
  • Annual penetration testing (network and application)
  • Use of network intrusion detection systems (IDS)
  • File integrity monitoring software
Documenting

  • Establish, publish, maintain, and disseminate a security policy that covers all the PCI requirements.
  • Identify an annual process for formal risk assessment
  • Operational security procedures consistent with PCI-DSS requirements
  • Review policy and update annually
Getting Help

  • Qualified Security Assessors (QSAs)
  • Approved Scanning Vendors (ASVs)
Online Resources

  • PCI home page
    https://www.pcisecuritystandards.org
  • PCI-DSS Standards
    https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
  • Self-Assessment Questionnaire information
    https://www.pcisecuritystandards.org/saq/
  • Find a QSA
    https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml
  • ABC News video - How Thieves Are 'Stealing You'
    http://abcnews.go.com/Video/playerIndex?id=4769169
Comments/Questions

Joel L. Weidner
Director, Information Systems
Penn State Auxiliary & Business Services
814.863.4494
jlw2@psu.edu