PCI within the IU Enterprise

Similar documents
Complying with Payment Card Industry Data Security Standards (PCI DSS) Requirements. Approaches in Higher Education

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

March

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

University of Sunderland Business Assurance PCI Security Policy

The Comprehensive Guide to PCI Security Standards Compliance

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES

PCI v2.0 Compliance for Wireless LAN

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Client Security Risk Assessment Questionnaire

Observations from the Trenches

CorreLog Alignment to PCI Security Standards Compliance

Presented By: Bryan Miller CCIE, CISSP

PCI Compliance 3.1. About Us

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

74% 96 Action Items. Compliance

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Project Title slide Project: PCI. Are You At Risk?

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

General Standards for Payment Card Environments at Miami University

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard

SonicWALL PCI 1.1 Implementation Guide

Josiah Wilkinson Internal Security Assessor. Nationwide

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Payment Card Industry Data Security Standard

How To Protect Your Data From Being Stolen

Payment Card Industry Self-Assessment Questionnaire

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Achieving PCI-Compliance through Cyberoam

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013

Network Segmentation

PCI Compliance Training

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Automate PCI Compliance Monitoring, Investigation & Reporting

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Did you know your security solution can help with PCI compliance too?

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

PCI Data Security Standards

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

PCI DSS Compliance Guide

Becoming PCI Compliant

PCI DSS Requirements - Security Controls and Processes

A Rackspace White Paper Spring 2010

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Credit Card Secure Architecture for Interactive Voice Response (IVR) Applications

PCI Compliance. Top 10 Questions & Answers

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

PCI Compliance for Large Computer Systems

PCI and PA DSS Compliance Assurance with LogRhythm

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Meeting PCI-DSS v1.2.1 Compliance Requirements. By Compliance Research Group

LogLogic. Application Security Use Case: PCI Compliance. Jaime D Anna Sr Dir of Product Strategy, TIBCO Software

CONTENTS. PCI DSS Compliance Guide

Two Approaches to PCI-DSS Compliance

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

LogRhythm and PCI Compliance

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX

PCI Compliance Top 10 Questions and Answers

GFI White Paper PCI-DSS compliance and GFI Software products

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

Teleran PCI Customer Case Study

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Payment Card Industry Data Security Standard

The Protection Mission a constant endeavor

PCI Compliance Updates

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

IUPay - Web-based Payments System for Multiple Departments Cheryl L. Shifflett, AAP, CTP Office of the Treasurer Indiana University

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Request for Proposal INFORMATION SECURITY ASSESSMENT SERVICES RFP # Addendum 1.0

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

H.I.P.A.A. Compliance Made Easy Products and Services

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

Transcription:

PCI within the IU Enterprise Cheryl L. Shifflett, AAP, CTP Associate Director Treasury Operations Daniel Tony Brazzell, Security+, GCUX Lead Network Systems Engineer University Information Technology Services

IU Merchant Landscape Centrally Managed by Treasury Operations Over 200 merchant locations Centralized systems Dial-up terminals IPAS-PF (PayPal PayFlow Pro) Outsourced systems NBS QuikPay NBS Commerce Manager Volusion Shopping Cart

IU Merchant Landscape Specialty locations with exceptions Hotel Ticketmaster Dining Parking 3 rd parties doing business in IU space Barnes & Noble FLIK/Compass Sodexho

IU Enterprise Environment 8 Campuses 10 Gig connection to the Internet2 backbone Multiple commercial Internet circuits 248 Buildings 3,148 Wireless Access Points 775 Switches 8 Class B subnets Multiple Firewalls

PCI Obstacles Specialty systems managed by departments Several areas involved in PCI compliance initiative Location of servers and systems # of locations to monitor Containing surprises Cost of firewalls, File Integrity Monitoring, logging solution Multiple solutions vs. Centralized solution

PCI Solutions Buy in from departments Mandate from Board of Trustees RFP for QSA Gap Analysis Self Assessment Questionnaire Tracking RFP for ASV RFP for File Integrity Monitoring Solution Cost sharing among departments Solution includes Remote Logging, Deep Packet Inspection and Virtual Patching

Network segregation PCI-DSS Network Project management Host registration for cutover (moving a host to the new network ) Pre cutover firewall requests Scheduling a cutover date Where to place firewalls Merchant separation Host Based Firewalls

Host based firewalls Required for merchant segregation Host based firewalls must be stateful (SPI) Windows XP firewall not capable of limiting egress traffic Linux based systems with IPTABLES are using a stateful firewall and are capable of limiting egress traffic What about Deep Packet Inspection? (6.6)

2 Factor Authentication Challenges What about vendors? Where is the PCI-DSS Network Border (Req 8.3)? What VPN solution should we use? Can you push the two factor authentication requirement for vendors back to the vendor? Example - Ticketmaster

Firewall & Deep Packet Inspection Application layer firewall Virtual patching Centralized rule management

File Integrity Monitoring Requirement 11.5: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. What did we do? Research, RFP and Vendor Demos Selected Third Brigade s Deep Security Manager Open Source Products

Log Analysis Requirement 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Log Analysis - Continued Requirement 10.6: Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusiondetection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6

New Merchant Agreements PCI DSS language and responsibilities Technical & System requirements Static IP Addresses Anti-virus Host based firewall FIMS File Integrity Monitoring Software System and Audit logs Monthly Scans

Internal Training SANS Secure Coding for PCI-DSS Compliance Two day mini sessions covering a variety of technical topics IU Certificate Authority Firewalls Antivirus File Integrity Monitoring Remote logging Network Infrastructure for PCI-DSS Web Application Firewall s PCI Workshop with outside expert Revenue Processing Training Quarterly Newsletter

IU Network Core

Design Options

Design Options

Design Implemented

Summary Req 1 Implement a stateful hardware firewall with ingress and egress filtering at the PCI-DSS Network Border. Implement host based firewall on hosts with ingress and egress filtering. Req 2 Implement a configuration management system. Req 3 Use database encryption and ask your outsourced vendors to use database encryption. Req 4 Configure PCI-DSS systems to use encrypted transport protocols. Verify configuration with network analyzers. Req 5 Use a managed AV solution with email notifications for systems with alerts.

Summary - Continued Req 6 Use a Web Application Firewall such as Mod_Security or equivalent. Req 7 & 9 Use the Principle of Least Privilege when granting access. Req 8 Do not allow the use of shared or group accounts. Req 10 - Use an automated log parsing application. Req 11 Try to group all of your merchants into a limited number of maskable IP address ranges. Req 12 Develop baseline policies that your departments can use as a template.

Questions?

References Cheryl Shifflett cshiffl@indiana.edu Tony Brazzell dbrazzel@indiana.edu Treasury Operations web site: http://www.indiana.edu/~iutreas

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information