PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

Transcription

1 PCI-DSS: Payment Card Industry Data Security Standard

2 Why is this important? Cardholder data and personally identifying information are easy money That we work with this information makes us a target That we have technologies facing the Internet enables cyber criminals worldwide to attempt break-ins without ever leaving home around the clock A review of any university s firewall logs will convince you the attacks are relentless

3 More reasons it s important Failure to comply with DSS could result in merchant account termination Fines for being the source of a breach are substantial Card replacement costs now averaging about $4 per item Compliance fines ranging from about $5,000 to $50,000 per event Forensic examination averaging between $25,000 and $35,000 per event The rules are consistent with information-security best practices

4 Who makes the rules? Five Payment brands: American Express (Amex), Discover, JCB, MasterCard, Visa Set standards Specify event response (forensics) Define merchant levels (volume-based) Acquirers (Merchant Banks) and processors Set merchant level (based on transaction volume per year) Certify compliance Evaluate compensating controls

5 To what do the rules apply? The cardholder data environment includes: Network components (firewall, switches, routers ) Servers (web, database, mail ) Applications (purchased, custom, internal, external) Physical spaces where cardholder data is used & stored whether in electronic or printed form Policies, procedures Anything that stores, transmits, or processes cardholder data is in scope for PCI

6 12 PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks

7 12 PCI DSS Requirements (cont.) Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-toknow 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data

8 12 PCI DSS Requirements (cont.) Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors

9 Each of the 12 general compliance requirements brings with it extensive specific commitments: Policies and standards for the full spectrum of information technologies Policies and standards for employee training and awareness Validation/approval of technologies before they are placed in production Classification of organizational data Comprehensive, real-time reporting and monitoring capability for all facets of the information technology environment and more PCI Overview 12 PCI DSS Requirements (cont.)

10 Key Stakeholders Business units that process credit card payments Controllers offices Internal auditors Central IT & IT departments throughout the organization The CIO and the Information Security Officer Office of the Chancellor

11 Objectives Ongoing compliance for every business unit that processes credit card payments Continuous improvement of information security and the corresponding monitoring and reporting functions PCI-DSS is never finished; it is subject to annual selfassessment, quarterly external scans, and compliance with the underlying standards

12 Who to contact: Information Security Officer: Controllers Offices - controller@uwex.uwc.edu Internal Auditors - internalaudit@uwex.uwc.edu

13 Additional Reference Material: PCI-DSS Quick reference: Guide.pdf PCI Security Standards Council website: