PCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP

Transcription

1 PCI Overview Lee Buttke Director of Consulting QSA, CPISM, CISSP

2 About NetSPI Security and compliance consulting solutions for highly regulated markets QSA, PA-QSA, and ASV Higher Education and Retail/Payment Card are strategic verticals, as well as Financial Services & Healthcare colleges & universities nationwide Program development, PCI compliance gap analysis, & technical consulting including: PCI vulnerability assessment Penetration testing Web application assessment & code review

3 PCI Overview Key Points General PCI requirements What we know How Compliance Works SAQs Strategies to reduce scope

4 A Brief History of PCI Five independent card programs Cardholder Information Security Program (CISP) Site Data Protection (SDP) Data Security Operating Policy (DSOP) Information Security and Compliance (DISC) JCB Data Security Program

5 A Brief History of PCI PCI Security Standards Council Formed in 2004 Maintains standards, audit and participating organizations programs (QSA Program and QA Program) Standards include: Data Security Standard (DSS) Payment Application DSS (PA-DSS) Pin Entry Device (PED)

6 PCI Relationships & Enforcement Acquirers The Council Merchants Card Brands Service Providers Auditors

7 What We Know More than 280 million payment card records were breached in 2008 alone 1 The value of credit card numbers make them the most targeted information for theft 1 The average cost of coping with a data breach in 2008 rose to $6.6 million a 40 percent increase since : Verizon, 2009 Data Breach Investigations Report, Verizon Business RISK Team, : Ponemon Institute, 2008 Annual Study: Cost of a Data Breach, February 2009

8 What makes higher education unique compared to other merchants?

9 Higher Education Institutional Focus Academic Freedom Environment - Students Complex Systems

10 Issues Facing Higher Ed IT "Top-Ten IT Issues, 2009 The top-ten issues that IT leaders identified as the most important for their institutions to resolve for strategic success. Those issues aligned to validating PCI compliance: #3 Security #4 Infrastructure/Cyber infrastructure #6 Identity/Access Management #7 Governance/Organization/IT Leadership #8 Disaster Recovery/Business Continuity #1 IT Funding EDUCAUSE Review Vol. 44, No. 4, July/August 2009

11 Compliance and Validation Compliance Reporting Validation

12 SAQ Requirements Validation Type Description Electronic Cardholder Data Storage? SAQ Type # of Questions 1 Card-not-present (e-com or moto), all cardholder data functions outsourced No A 13 2 Imprint-only merchants No B 26 3 Stand-alone dial-up terminal merchants No B 26 4 Payment application systems connected to the Internet No C 41 5 All other merchants and all service providers Yes D 225

13 What s my validation type? Type 1 Type 2 Type 3 Type 4 Type 5 CNP, all cardholder data (CHD) functions outsourced Imprint only, no CHD storage Standalone, dialout terminals only, no CHD storage POS or payment system connected to Internet, no CHD storage CNP Only No CHD on premises, all outsourced Third party is PCI DSS Compliant Only paper is retained No electronic storage of CHS Imprint machine only No CHD over phone or internet Only paper is retained No electronic storage of CHD Standalone, dial out terminals only Terminals not connected to any other systems Terminals not connected to the internet Only paper is retained POS or payment system and Internet on same device POS not connected to other systems Only paper is retained No electronic storage of CHD POS vendor provides secure structure All other merchants and all service providers, defined by a payment brand as SAQ-eligible

14 Self-Assessment Questionnaire: C and D Comparison of PCI SAQ C and D Description SAQ C SAQ D Number of Questions Application Layer Firewall (product investment) no yes Cardholder data document management yes yes Configuration standards no yes Electronic cardholder data storage no yes Encryption Key Management (product investment) no yes

15 Self-Assessment Questionnaire: C and D Comparison of PCI SAQ C and D Description SAQ C SAQ D Number of Questions File Integrity Monitoring (product investment) no yes Incident response plan implementation and testing no yes Logging Requirements (product investment) no yes Network intrusion detection systems implementation (product investment) no yes Stringent Password policies no yes Stringent Physical Security requirements no yes

16 Strategies to Reduce Scope Reduce or eliminate stored data Segmentation Review business processes Use compliant applications

17 Typical Findings Segmentation Remote access POS Firewall Rules Patch Management Policies

18 Summary General PCI Requirements What we know How Compliance Works SAQs Strategies to reduce scope

19 Questions?

20 NetSPI 800 Washington Avenue North Suite 670 Minneapolis, Minnesota Direct: