San Jose Airport PCI@SJC. Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011

Similar documents
ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

March

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Payment Card Industry Data Security Standard C-VT Guide

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Self Assessment Questionnaire A Short course for online merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Becoming PCI Compliant

Payment Card Industry Data Security Standard Explained

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Project Title slide Project: PCI. Are You At Risk?

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

University of Sunderland Business Assurance PCI Security Policy

BRAND-NAME is What COUNTS!!!

Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

PCI Compliance. Top 10 Questions & Answers

AISA Sydney 15 th April 2009

Payment Card Industry Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

Windows Azure Customer PCI Guide

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A-EP and Attestation of Compliance

P R O G R E S S I V E S O L U T I O N S

PCI Compliance Top 10 Questions and Answers

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Your Compliance Classification Level and What it Means

PCI Data Security Standards

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

PCI DSS Requirements - Security Controls and Processes

Payment Application Data Security Standard

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Accounting and Administrative Manual Section 100: Accounting and Finance

Technology Innovation Programme

Payment Card Industry (PCI) Data Security Standard

IMPORTANT BID ADDENDUM FAILURE TO RETURN THIS BID ADDENDUM IN ACCORDANCE WITH INSTRUCTIONS MAY SUBJECT YOUR BID TO REJECTION ON THE AFFECTED ITEM(S).

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Attestation of Compliance, SAQ A

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry Data Security Standards

Common Use Systems and PCI Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

PCI Data Security and Classification Standards Summary

Research Results Digest 11

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Thoughts on PCI DSS 3.0. September, 2014

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Best Practices for PCI DSS V3.0 Network Security Compliance

Payment Card Industry Data Security Standard

A Rackspace White Paper Spring 2010

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Payment Card Industry Data Security Standard. Information Security Policies

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Two Approaches to PCI-DSS Compliance

b. USNH requires that all campus organizations and departments collecting credit card receipts:

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance

Complying with PCI is a necessary step in safely accepting Payment Cards.

74% 96 Action Items. Compliance

TERMINAL CONTROL MEASURES

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Payment Card Industry (PCI) Data Security Standard

PCI Requirements Coverage Summary Table

CREDIT CARD SECURITY POLICY PCI DSS 2.0

GFI White Paper PCI-DSS compliance and GFI Software products

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

PCI DSS 3.1 Security Policy

How To Protect Your Data From Being Stolen

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Why Is Compliance with PCI DSS Important?

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Compliance. Management Guidelines

Achieving PCI-Compliance through Cyberoam

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

PCI Security Scan Procedures. Version 1.0 December 2004

Frequently Asked Questions

General Standards for Payment Card Environments at Miami University

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

PC-DSS Compliance Strategies NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PCI Compliance for Cloud Applications

PCI Compliance Training

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013

New York University University Policies

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

La règlementation VisaCard, MasterCard PCI-DSS

Credit Card Security

Transcription:

San Jose Airport PCI@SJC Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011

Why PCI-DSS at SJC? SJC as a Service Provider Definition: Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching or transaction data and cardholder information or both. Visa Levels: Service Provider Level 1 2 Description VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually

SJC as a Service Provider Single Structured Cabling System (SCS) Supports shared & dedicated needs Airport Integrated Network (AIN) Single network shared with airlines & tenants Mandated use of layer2 VLANS for data transport Shared Passenger Processing Shared gates & ticket counters Common Use Self service Kiosks

The Road to PCI Preliminary Self-Audit Vendor partners Documentation (Policies/processes/configurations) Scoping of elements to include in the audit Procurement for consulting/audit Quarterly external scans On-site audit Preliminary investigation Internal vulnerability scans External penetration tests Remediation Procurement of FIM/Log Monitoring Software On-site audit for validation Successful completion of audit Communication to Stakeholders Begin preparing for next year s audit Continue quarterly scans & monitoring

PCI DSS Requirements and Security Assessment Procedures, Version 2.0 October 2010 Copyright 2010 PCI Security Standards Council LLC Page 20 Self-Assessment Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Firewalls are devices that control computer traffic allowed between an entity s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity s trusted network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1. PCI DSS Requirements Testing Procedures In Place 1.1 Establish firewall and router configuration standards that include the following: 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations 1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks 1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone 1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following: 1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations. 1.1.2.a Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks. 1.1.2.b Verify that the diagram is kept current. 1.1.3.a Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone. 1.1.3.b Verify that the current network diagram is consistent with the firewall configuration standards. Not in Place Target Date/ Comments

SJC as Owner Parking & Revenue Control No Contractual Relationship Software Vendor Maint & Support PARCS Environment Parking Management Merchant Parking Management Owner

SJC as Owner Parking & Revenue Control Areas of Discussion Application is PA-DSS compliant The SJC Local Area Network (LAN) is PCI-DSS compliant System must be fully compliant within the SJC environment Management policies & practices must be compliant Roles and responsibilities need to be decided Lesson s Learned Ongoing M&O PCI requirements not clearly spelled out in procurement contract Clear Expectations as to who will be responsible for which items Scope changes during implementation not fully documented

PCI DSS Requirements Testing Procedures 9.9.1 Properly maintain inventory 9.9.1 Obtain and review the media inventory logs of all media and conduct media log to verify that periodic media inventories are inventories at least annually. performed at least annually. 9.10 Destroy media containing 9.10 Obtain and examine the periodic media cardholder data when it is no longer destruction policy and verify that it covers all needed for business or legal media containing cardholder data and confirm reasons as follows: the following: 9.10.1 Shred, incinerate, or pulp 9.10.1.a Verify that hard-copy materials hardcopy materials so that are cross-cut shredded, incinerated, or pulped cardholder data cannot be such that there is reasonable assurance the reconstructed. hard-copy materials cannot be reconstructed. 9.10.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.1 All individual accesses to cardholder data 9.10.1.b Examine storage containers used for information to be destroyed to verify that the containers are secured. For example, verify that a to-be-shredded container has a lock preventing access to its contents. 9.10.2 Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industryaccepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing). 10.1 Verify through observation and interviewing the system administrator, that audit trails are enabled and active for system components. 10.2 Through interviews, examination of audit logs, and examination of audit log settings, perform the following: 10.2.1 Verify all individual access to cardholder data is logged. 10.2.2 All actions taken by any 10.2.2 Verify actions taken by any individual individual with root or administrative with root or administrative privileges are logged. privileges Addressed by PA-DSS 1 10.2.3 Access to all audit trails 10.2.3 Verify access to all audit trails is logged. YES YES YES YES YES Addressed by Contract 1 Addressed by Change Order 2 Merchant Responsibility

SJC Lesson s Learned PCI compliance is NOT (only) an IT project Must involve the business risks of compromise are financial and reputational Requires Sr. management sponsorship Budget & Resources Policy development and agreement Business process development PCI language in RFPs, Contracts Management of Vendors PCI is not a one time project Continuous process of monitoring Continuous process of assessment and remediation Quarterly scans Spot audits during the year Compliance is NOT cheap Financial Costs SJC Audits ($40K annually for Service Provider only) Security Information and Event Management (SIEM) software $80K + ongoing Time consuming Multiple months in preparation and completion of the audit Off-hours required for penetration tests

Questions??

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information