Two Approaches to PCI-DSS Compliance

Transcription

1 Disclaimer Copyright Michael Chapple and Jane Drews, This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors. 1

2 Two Approaches to PCI-DSS Compliance EDUCAUSE Security Professionals Conference April 11, 2006

3 Agenda What is PCI-DSS? Bringing a University into Compliance Maintaining Compliance Q & A 3

4 What is PCI-DSS? Brief history of credit card infosec regulation Who must comply? Consequences of non-compliance Review of Digital Dozen 4

5 PCI DSS History Visa Cardholder Information Security Program (CISP) Mastercard Site Data Protection Program (SDP) Payment Card Industry Data Security Standard (PCI DSS) Discover Information Security Compliance Program (DISC) American Express Data Security Standard (DSS) 5

6 Who Must Comply? Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. Hopefully, That Doesn t Mean You! That Probably Means You 6

7 Merchant Levels Merchant Level Description Any merchant who processes over 6,000,000 transactions annually. Any merchant that has suffered a breach. Any merchant designated Level 1 by Visa Any merchant who processes between 150,000 and 6,000,000 e-commerce transactions annually. Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually. Anyone else 7

8 Merchant Levels All merchants, regardless of level, must comply with all elements of the PCI DSS standard! Merchants at different levels have different validation requirements 8

9 Service Providers Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers. 9

10 Consequences Reputational Risk What will the impact be on your institution s brand? Mandatory involvement of federal law enforcement in investigation Financial Risk Merchant banks may pass on substantial fines Up to $500,000 per incident from Visa alone Civil liability and cost of providing ID theft protection 10

11 Consequences Compliance Risk Exposure to Level 1 validation requirements Operational Risk Visa-imposed operational restrictions Potential loss of card processing privileges 11

12 What Does Compliance Take? 12

13 Introducing the Digital Dozen 1. Install and maintain a firewall 2. Do not use vendor default passwords 3. Protect stored data 4. Encrypt transmissions of cardholder data 13

14 Introducing the Digital Dozen 5. Use and update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access by need-to-know 8. Assign unique IDs to all users 14

15 Introducing the Digital Dozen 9. Restrict physical access to cardholder data 10. Track and monitor access to cardholder data 11. Regularly test security systems and processes 12. Maintain an information security policy 15

16 Bringing a University into Compliance Seeking assistance from consultants Centralized vs. decentralized approach Conducting a gap analysis Prioritizing remediation Infrastructure vs. tactical remediation 16

17 Seeking Assistance Self-Assessment Questionnaire ROC Quarterly network scans (annual L4) On-site assessment (only L1) Penetration test (only L1) 17

18 Centralized Approach If you build it, they will come One physical location Need space/resources Retail Applications Units will want ability to customize Use 3 rd party assessor (ROC) 18

19 Decentralized Approach Divide and Conquer Maintains autonomy (good or bad?) Stop-gap Protects investments in technology Flexible use 3 rd party or DIY 19

20 Picking an Approach Hybrid is likely Consider phases Focus efforts Prioritize! Weakest links Biggest targets Merchant setup not relevant 20

21 Conducting a Gap Analysis Top administrative support essential Policy: Comply with PCI-DSS Make friends with your money people 21

22 Conducting a Gap Analysis Preliminary meeting Phase 1 offsite review Phase 2 analysis Phase 3 onsite review Reporting and follow up 22

23 Gap Analysis - Preliminary Phone call and letter/ first Set expectations Gather information Describe systems IP addresses, locations Software and OS versions, other equipment Share documentation & request it 23

24 Gap Analysis Phase 1 Perform network scans Research Perform system scanning Complete a Self-Assessment 24

25 Gap Analysis Phase 2 Analyze preliminary results Network scans System scans Self-Assessment responses Policy/procedure documentation 25

26 Gap Analysis Phase 3 On-site review Firewall required, appropriately configured Vendor defaults changed Configuration standards Encryption (stored data & transmissions) System maintenance Access Controls, Authentication Physical security Logging and monitoring Policy and procedures 26

27 Gap Analysis No surprises Respond with formal report Disperse SAQ, summarize results 27

28 Infrastructure vs. Tactical Remediation Goal = infrastructure Centralize Control risk, comply Reality = tactical first Upgrades Configurations Employ encryption 28

29 Prioritizing Remediation Network drive by attacks Firewall System configuration & maintenance Encryption Access controls Policy and Procedure Trained staff are essential 29

30 Maintaining Compliance Testing Monitoring Audits and Self-Assessments 30

31 The Key to Success Scope Management 31

32 Testing The standard requires you to conduct vulnerability scans Level 1, 2, & 3 merchants must have them done by a qualified external vendor Standard also requires annual penetration testing 32

33 Monitoring Intrusion detection/prevention File integrity monitoring Automated audit trails Daily review One year of history Three months available online 33

34 Audits and Assessments Everyone should conduct selfassessments Level 2 & 3 merchants must conduct annual self-assessments Level 1 merchants must conduct annual on-site assessments 34

35 Design Review Environments change Critical to introduce security review into: New merchant accounts Vendor selection Architecture modifications 35

36 Q & A VISA s CISP Program site A sample credit card policy %20Handling%20Policies%20and%20Procedur es.pdf Contacts: jane-drews@uiowa.edu mchapple@nd.edu 36