Two Approaches to PCI-DSS Compliance




Disclaimer: Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

Two Approaches to PCI-DSS Compliance
EDUCAUSE Security Professionals Conference, April 11, 2006

Agenda
- What is PCI-DSS?
- Bringing a University into Compliance
- Maintaining Compliance
- Q & A

What is PCI-DSS?
- Brief history of credit card infosec regulation
- Who must comply?
- Consequences of non-compliance
- Review of the Digital Dozen

PCI DSS History (2000-2004)
- Visa Cardholder Information Security Program (CISP)
- MasterCard Site Data Protection Program (SDP)
- Payment Card Industry Data Security Standard (PCI DSS)
- Discover Information Security Compliance Program (DISC)
- American Express Data Security Standard (DSS)

Who Must Comply?
"Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all system components, which is defined as any network component, server, or application included in, or connected to, the cardholder data environment."
- Hopefully, That Doesn't Mean You!
- That Probably Means You

Merchant Levels
Level 1: Any merchant who processes over 6,000,000 transactions annually; any merchant that has suffered a breach; any merchant designated Level 1 by Visa.
Level 2: Any merchant who processes between 150,000 and 6,000,000 e-commerce transactions annually.
Level 3: Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually.
Level 4: Anyone else.

Merchant Levels
- All merchants, regardless of level, must comply with all elements of the PCI DSS standard!
- Merchants at different levels have different validation requirements

Service Providers
Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers.

Consequences
- Reputational Risk
  - What will the impact be on your institution's brand?
  - Mandatory involvement of federal law enforcement in investigation
- Financial Risk
  - Merchant banks may pass on substantial fines
  - Up to $500,000 per incident from Visa alone
  - Civil liability and cost of providing ID theft protection

Consequences
- Compliance Risk
  - Exposure to Level 1 validation requirements
- Operational Risk
  - Visa-imposed operational restrictions
  - Potential loss of card processing privileges

What Does Compliance Take?

Introducing the Digital Dozen
1. Install and maintain a firewall
2. Do not use vendor default passwords
3. Protect stored data
4. Encrypt transmissions of cardholder data
5. Use and update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access by need-to-know
8. Assign unique IDs to all users
9. Restrict physical access to cardholder data
10. Track and monitor access to cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy

Bringing a University into Compliance
- Seeking assistance from consultants
- Centralized vs. decentralized approach
- Conducting a gap analysis
- Prioritizing remediation
- Infrastructure vs. tactical remediation

Seeking Assistance
- Self-Assessment Questionnaire
- ROC (Report on Compliance)
- Quarterly network scans (annual for L4)
- On-site assessment (L1 only)
- Penetration test (L1 only)

Centralized Approach
- "If you build it, they will come"
- One physical location
- Need space/resources
- Retail applications
- Units will want the ability to customize
- Use a 3rd-party assessor (ROC)

Decentralized Approach
- "Divide and conquer"
- Maintains autonomy (good or bad?)
- Stop-gap
- Protects investments in technology
- Flexible: use a 3rd party or DIY

Picking an Approach
- Hybrid is likely
- Consider phases
- Focus efforts
- Prioritize!
  - Weakest links
  - Biggest targets
- Merchant setup not relevant

Conducting a Gap Analysis
- Top administrative support essential
- Policy: Comply with PCI-DSS
- Make friends with your money people

Conducting a Gap Analysis
- Preliminary meeting
- Phase 1: offsite review
- Phase 2: analysis
- Phase 3: onsite review
- Reporting and follow-up

Gap Analysis - Preliminary
- Phone call and letter/email first
- Set expectations
- Gather information
  - Describe systems
  - IP addresses, locations
  - Software and OS versions, other equipment
- Share documentation & request it

Gap Analysis - Phase 1
- Perform network scans
- Research
- Perform system scanning
- Complete a Self-Assessment

Gap Analysis - Phase 2
- Analyze preliminary results
  - Network scans
  - System scans
  - Self-Assessment responses
  - Policy/procedure documentation

Gap Analysis - Phase 3
- On-site review
  - Firewall required, appropriately configured
  - Vendor defaults changed
  - Configuration standards
  - Encryption (stored data & transmissions)
  - System maintenance
  - Access controls, authentication
  - Physical security
  - Logging and monitoring
  - Policy and procedures

Gap Analysis
- No surprises
- Respond with a formal report
- Disperse SAQ, summarize results

Infrastructure vs. Tactical Remediation
- Goal = infrastructure
  - Centralize
  - Control risk, comply
- Reality = tactical first
  - Upgrades
  - Configurations
  - Employ encryption

Prioritizing Remediation
- Network "drive-by" attacks
- Firewall
- System configuration & maintenance
- Encryption
- Access controls
- Policy and procedure
- Trained staff are essential

Maintaining Compliance
- Testing
- Monitoring
- Audits and Self-Assessments

The Key to Success: Scope Management

Testing
- The standard requires you to conduct vulnerability scans
- Level 1, 2, & 3 merchants must have them done by a qualified external vendor
- The standard also requires annual penetration testing

Monitoring
- Intrusion detection/prevention
- File integrity monitoring
- Automated audit trails
  - Daily review
  - One year of history
  - Three months available online
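As an added example (not from the slides), the three audit-trail figures on this slide turned into a retention check over a constructed log inventory; the `LogDay` record layout and the `online`/`archive` labels are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention figures stated on the Monitoring slide.
HISTORY_DAYS = 365  # one year of history
ONLINE_DAYS = 90    # three months immediately available online
REFERENCE_DAY = date(2006, 4, 11)  # the conference date, used as "today"


@dataclass(frozen=True)
class LogDay:
    """One day of audit-trail data; the record layout is an assumption for this example."""
    day: date
    location: str   # "online" (searchable now) or "archive" (restore needed)
    reviewed: bool  # a daily log-review record exists for this day


def check_retention(inventory, today):
    """Return one finding per requirement missed on any day of the one-year window.

    Empty list = every day retained, last 90 days online, every day reviewed.
    """
    by_day = {entry.day: entry for entry in inventory}
    findings = []
    for back in range(HISTORY_DAYS):
        day = today - timedelta(days=back)
        entry = by_day.get(day)
        if entry is None:
            findings.append(f"{day}: no audit log retained")
            continue
        if back < ONLINE_DAYS and entry.location != "online":
            findings.append(f"{day}: within 90 days but held in {entry.location}")
        if not entry.reviewed:
            findings.append(f"{day}: no daily review recorded")
    return findings


def sample_inventory(today, compliant=True):
    """Constructed inventory: a full year of logs, or the same with three planted defects."""
    days = []
    for back in range(HISTORY_DAYS):
        if not compliant and back == 200:
            continue                       # a day missing from the archive
        location = "online" if back < ONLINE_DAYS else "archive"
        if not compliant and back == 30:
            location = "archive"           # moved offline too early
        reviewed = compliant or back != 3  # one day never reviewed
        days.append(LogDay(today - timedelta(days=back), location, reviewed))
    return days


if __name__ == "__main__":
    print("\n".join(check_retention(sample_inventory(REFERENCE_DAY, False), REFERENCE_DAY)))
```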

Audits and Assessments
- Everyone should conduct self-assessments
- Level 2 & 3 merchants must conduct annual self-assessments
- Level 1 merchants must conduct annual on-site assessments

Design Review
- Environments change
- Critical to introduce security review into:
  - New merchant accounts
  - Vendor selection
  - Architecture modifications

Q & A
- VISA's CISP Program site: http://www.usa.visa.com/cisp
- A sample credit card policy: http://www.uiowa.edu/~fustreas/credit%20card%20Handling%20Policies%20and%20Procedures.pdf
- Contacts: jane-drews@uiowa.edu, mchapple@nd.edu