9/11/2015. Auditing PCI Compliance.



Auditing PCI Compliance
Tim Marley CPA, CIA, CISA, GSNA, CISSP, CIPP, CISM, PCI ISA, PCIP
IT Audit Director, University of Oklahoma
September 30, 2015

Slide 1: Introductions

Me:
- Harold's MIS, October 2005 (PCI DSS 1.0)
- OU IT Security, January 2009 (PCI DSS 1.2)
- CPISM/CPISA, August 2009
- PCI ISA, September 2011 (PCI DSS 2.0)
- OU Internal Audit, November 2011

You:
- Certified/trained in PCI compliance?
- Currently auditing PCI compliance?
- Familiar with PCI compliance?
- Pondering what the PCI stands for?

Slide 2: Quick overview (conceptually and chronologically)

Standards milestones and major breaches, in date order:
- 10/1999  Visa CISP
- 12/2004  PCI DSS 1.0
- 9/2006   PCI DSS 1.1; PCI SSC founded
- 12/2006  TJX breach, 45M cards
- 10/2008  PCI DSS 1.2
- 1/2009   Heartland breach, 130M cards
- 7/2009   PCI DSS 1.2.1
- 10/2010  PCI DSS 2.0
- 11/2013  PCI DSS 3.0
- 12/2013  Target breach, 42M cards
- 9/2014   Home Depot breach, 56M cards
- 4/2015   PCI DSS 3.1

Slides 3-5: What's special about higher ed?

Payment environments found on one campus:
- E-commerce (hosted)
- Small shop
- Point of sale
- Complex enterprise
- Campus / multiple campuses
- Internal cloud services
- Athletics concessions
- Multiple processors

Approach: determine your validation requirements.

Slide 6: Approach

Questions to settle first:
- Audit by merchant or by campus/university?
- Who owns the compliance responsibility?
- How many owners do you have?
- How many merchants do you have?
- How complex is your environment?
- How mature is your compliance effort?

By process:
1. Operational audit - compliance owner (CFO, CIO, Bursar, treasurer, cashier, registrar, IT, etc.)
   - Appropriate signature on the validation submission to the processor/acquiring bank
   - Policy and procedures
   - Efficiencies
   - Effectiveness*
2. Compliance audit* - merchants and compliance owner
   - Split into logical populations (SAQ A, B, C, etc.) for sampling purposes
   - Perform a risk analysis/assessment similar to the annual audit plan?
   - Achieve economies of scale

Merchant audit process - verify:
- the scope of the cardholder data environment;
- the correctness of the validation form/media, etc. (i.e. did they use the proper SAQ, if applicable);
- the accuracy and completeness of the merchant's submission;
- compliance with applicable organizational policies.

Slide 7: Validation - SAQ types

SAQ A: Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

SAQ B: Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE: Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce merchants.

SAQ D for Merchants: All merchants not included in the descriptions for the above SAQ types.
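The merchant audit step "did they use the proper SAQ?" can be checked mechanically against a merchant's self-reported channel profile. The following is an added example, not part of the presentation: it encodes only the eligibility conditions stated in the SAQ descriptions above (the official SAQ instructions carry further criteria), so anything it cannot match falls to SAQ D. The field names and the sample merchant are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MerchantProfile:
    """Self-reported channel profile; every field defaults to 'not used'."""
    ecommerce: bool = False                # accepts cards through a website
    moto: bool = False                     # mail/telephone order channel
    stores_chd: bool = False               # any electronic cardholder data storage
    outsourced_all_chd: bool = False       # all CHD functions at PCI DSS validated third parties
    site_can_impact_payment: bool = False  # merchant-controlled page can affect the payment
    terminals: frozenset = frozenset()     # subset of {"imprint", "dialout", "ip_pts", "p2pe"}
    virtual_terminal: bool = False         # one transaction at a time keyed into a hosted VT
    internet_payment_app: bool = False     # payment application system connected to the Internet


def applicable_saq(m: MerchantProfile) -> str:
    """Map a profile to the SAQ type whose slide description it matches."""
    if m.stores_chd:
        return "D"  # every SAQ other than D requires no electronic CHD storage
    other_channels = bool(m.terminals) or m.virtual_terminal or m.internet_payment_app
    if m.ecommerce:
        # B, B-IP, C, C-VT and P2PE are not applicable to e-commerce channels,
        # and A / A-EP require all CHD functions to be outsourced.
        if other_channels or not m.outsourced_all_chd:
            return "D"
        return "A-EP" if m.site_can_impact_payment else "A"
    if m.moto and m.outsourced_all_chd and not other_channels:
        return "A"  # card-not-present, fully outsourced, no face-to-face channel
    if m.virtual_terminal and not (m.terminals or m.internet_payment_app):
        return "C-VT"
    if m.internet_payment_app and not (m.terminals or m.virtual_terminal):
        return "C"
    if m.terminals and not (m.virtual_terminal or m.internet_payment_app):
        if m.terminals <= {"p2pe"}:
            return "P2PE"
        if m.terminals <= {"ip_pts"}:
            return "B-IP"
        if m.terminals <= {"imprint", "dialout"}:
            return "B"
    return "D"  # mixed or unlisted setups fall to SAQ D for Merchants


def check_submission(m: MerchantProfile, claimed_saq: str) -> tuple:
    """Audit check from the slides: returns (ok, expected_saq)."""
    expected = applicable_saq(m)
    return expected == claimed_saq, expected


if __name__ == "__main__":
    # Constructed sample: a campus bookstore keys phone orders into a hosted
    # virtual terminal from its own workstation but attested on SAQ A.
    bookstore = MerchantProfile(moto=True, virtual_terminal=True)
    print(check_submission(bookstore, "A"))  # (False, 'C-VT')
```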
SAQ instructions and guidelines: https://www.pcisecuritystandards.org/documents/saq_instrguidelines_v3-1.pdf

PCI DSS 3.1: 12 high-level requirements
1. Install and maintain a firewall configuration to protect cardholder data (23 reqs)
2. Do not use vendor-supplied defaults for system passwords and other security parameters (12 reqs)
3. Protect stored cardholder data (22 reqs)
4. Encrypt transmission of cardholder data across open, public networks (4 reqs)
5. Protect all systems against malware and regularly update anti-virus software or programs (6 reqs)
6. Develop and maintain secure systems and applications (28 reqs)
7. Restrict access to cardholder data by business need to know (10 reqs)
8. Identify and authenticate access to system components (23 reqs)
9. Restrict physical access to cardholder data (27 reqs)
10. Track and monitor all access to network resources and cardholder data (32 reqs)
11. Regularly test security systems and processes (16 reqs)
12. Maintain a policy that addresses information security for all personnel (39 reqs)

Slide 8: Each requirement may have multiple tests

SAQ    Description                                                   # Tests w/responses
A      Card not present                                              ~14
A-EP   E-commerce                                                    ~143
B      Imprint machines, and/or standalone dial-out terminals        ~41
B-IP   Standalone, PTS-approved payment terminals                    ~87
C-VT   Virtual payment terminal solution                             ~78
C      Payment application systems, no electronic CHD storage        ~144
P2PE   PCI SSC-listed P2PE                                           ~35
D      SAQ D for Merchants: all other merchants not included above   ~332

Slide 9: SAQ D Testing - Organizational Policy

- By campus standards
- Assign responsibilities:
  - Business Units
  - Bursar
  - Human Resources
  - IT Support
  - IT Security/Compliance
  - CSIRT

Slide 10: Organizational Policy - Education

PCI SSC Internal Security Assessor (ISA):
- Improve your understanding of PCI DSS and how it can help protect your customer data and your business
- Help your organization build internal expertise
- Facilitate interaction with a QSA for your organization
- Enhance payment card data security and manage compliance costs
- Earn CPE credits
https://www.pcisecuritystandards.org/training/isa_training.php

Slides 11-12: PCI SSC Internal Security Assessor (ISA)

ISA Eligibility Requirements
- The ISA candidate must be a full-time employee of a Sponsor Company that is in Good Standing at the time when the application for the employee's ISA qualification is considered by PCI SSC (the "Application Time");
- PCI SSC must have on file an executed and effective Sponsor Attestation from the ISA's Initiating Sponsor Company; and
Source: https://www.pcisecuritystandards.org/documents/isa_qualification_requirements_v2.0.pdf

Initial ISA Qualification Requirements
- All applicable ISA Eligibility Requirements must continue to be satisfied, the ISA candidate must continue to be a full-time employee of its Initiating Sponsor Company, and the Initiating Sponsor Company must continue to be in Good Standing;
- The ISA candidate must successfully complete all required initial ISA Program training and legitimately pass, of his or her own accord, each examination conducted as part of that training;
- The ISA candidate must read and agree to adhere to the PCI SSC Code of Professional Responsibility; and
- The ISA candidate must accept the ISA Attestation as part of the training and exam process.
Source: https://www.pcisecuritystandards.org/documents/isa_qualification_requirements_v2.0.pdf

Recommended ISA Experience
ISA training is intended for individuals who already possess significant relevant technical and security audit and assessment experience. Candidates will ideally possess the following or equivalent experience:
- Sufficient information security knowledge and experience to conduct technically complex security assessments;
- Emphasis on internal information systems and security audit work as a Sponsor Company employee;
- Strong understanding of payment processes, related systems, and PCI DSS;
- Annual information systems audit training to support applicable continuing professional education requirements (for example, 20 hours of such training annually and 120 hours of such training over the immediately preceding rolling three-year period); and
- The following additional qualifications:
  - University or undergraduate degree;
  - Five years applicable work experience;
  - One year of experience performing information security audits similar to QSA Assessments, or three separate such audits, or other equivalent as determined by the Sponsor Company;
  - Demonstrated expertise in at least three relevant areas including network security, application security and consultancy, system integration; and
  - One or more of the following industry-recognized professional certifications (possessing one certification from each list is recommended, but not required):
    List A (Information Security): Certified Information System Security Professional (CISSP); Certified Information Security Manager (CISM)
    List B (Audit): Certified Information Systems Auditor (CISA); GIAC Systems and Network Auditor (GSNA); Certified ISO 27001 Lead Auditor / Internal Auditor; International Register of Certificated Auditors (IRCA) Information Security Management System (ISMS) Auditor
Source: https://www.pcisecuritystandards.org/documents/isa_qualification_requirements_v2.0.pdf

Pre-requisite course curriculum
Online training that concludes with a 50-question multiple-choice exam:
- Understanding the PCI SSC and its role
- Defining the processes involved in card processing
- PCI roles and responsibilities
- Understanding cardholder data
- Defining network segmentation
- PCI DSS assessments
Candidates must pass this exam before scheduling the 2-day ISA training.
https://www.pcisecuritystandards.org/training/isa_training course highlights.php

ISA course contents
- PCI DSS requirements and testing procedures
- Report on Compliance (ROC) documentation
- QA-ROC review
- Compensating controls

ISA course options
- Instructor-led
- eLearning
https://www.pcisecuritystandards.org/training/isa_training course highlights.php

Slide 13: Recent changes - 3.0 and 3.1

3.0 (98 changes): 74 clarifications, 5 additional guidance, 19 evolving requirements
3.1 (36 changes): 30 clarifications, 4 additional guidance, 4 evolving requirements

Key changes in 3.0
- 1.1.2/1.1.3: Clarified what the network diagram must include and added a new requirement at 1.1.3 for a current diagram that shows cardholder data flows.

Slide 14: Key changes in 3.0 (continued)
- 2.4: New requirement to maintain an inventory of system components in scope for PCI DSS, to support development of configuration standards.
- 5.3: New requirement to ensure that anti-virus solutions are actively running (formerly in 5.2) and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis.
- 11.3: New requirement to implement a methodology for penetration testing.

Slide 15: Key changes in 3.0 (continued)
- 11.3.4: New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective.
- 12.8.5: New requirement to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
- 12.9: New requirement for service providers to provide the written agreement/acknowledgment to their customers as specified at requirement 12.8.

Slide 16: Key changes in 3.1
- 2.2.3, 2.3 & 4.1: Removed SSL as an example of a secure technology. Added a note that SSL and early TLS are no longer considered to be strong cryptography and cannot be used as a security control after June 30, 2016.

Tools/resources - official resources and references
pcisecuritystandards.org:
- Documents Library
- Training
- News and Events
- PCI NA Community Meeting
- Get Involved: Participating Organization, Special Interest Groups (SIGs)
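One practical consequence of the 3.1 change on SSL and early TLS is that an auditor needs a repeatable way to grade what a merchant's payment endpoints still negotiate, and a merchant needs client configurations that cannot fall back to the removed versions. The following is an added example, not from the presentation: it grades protocol version names as a scanner or the Python ssl module would report them and builds a client context pinned to TLS 1.2 or later. Treating SSL and TLS 1.0 as "not strong" follows the slide; flagging TLS 1.1 as a warning, and the endpoint names in the sample scan, are this example's own assumptions.

```python
import ssl

# Version names as reported by common scanners ("TLSv1.0") and by Python's
# ssl module ("TLSv1"). SSL and TLS 1.0 (early TLS) are the versions the
# 3.1 change removes as strong cryptography; the TLS 1.1 warning is this
# example's own conservative assumption, not a statement from the slides.
NOT_STRONG = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
WARN = {"TLSv1.1", "TLSv1_1"}


def classify_protocol(name: str) -> str:
    """Return "fail", "warn" or "pass" for one protocol version name."""
    n = name.strip()
    if n in NOT_STRONG:
        return "fail"
    if n in WARN:
        return "warn"
    minor = n[6:] if n.startswith(("TLSv1.", "TLSv1_")) else ""
    if minor.isdigit() and int(minor) >= 2:
        return "pass"
    return "fail"  # unknown names are never accepted as evidence of strong crypto


def audit_scan(results: dict) -> dict:
    """results maps endpoint -> protocol versions it was observed to negotiate.
    Returns endpoint -> worst grade, so an endpoint that still offers SSLv3
    alongside TLS 1.2 is reported as "fail"."""
    rank = {"pass": 0, "warn": 1, "fail": 2}
    report = {}
    for endpoint, protocols in results.items():
        grades = [classify_protocol(p) for p in protocols] or ["fail"]  # no data: fail closed
        report[endpoint] = max(grades, key=rank.__getitem__)
    return report


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context that cannot negotiate SSL or early TLS and
    verifies the server certificate against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample scan results (hypothetical endpoints, not real hosts).
SAMPLE_SCAN = {
    "pos-gateway.example": ["TLSv1.2", "TLSv1.3"],
    "legacy-vt.example": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "kiosk-api.example": ["TLSv1.1", "TLSv1.2"],
}

if __name__ == "__main__":
    for endpoint, grade in audit_scan(SAMPLE_SCAN).items():
        print(f"{endpoint}: {grade}")
```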

Slide 17: Less official resources and references

treasuryinstitute.org/pci-dssworkshop-2016
- Continuing education
- Higher education only
- Focus on implementations, case studies and shared experiences

Vendors
- Caveat emptor
- Look for higher ed experience

QUESTIONS

Tim Marley CPA, CIA, CISA, GSNA, CISSP, CIPP, CISM, PCI ISA, PCIP
IT Audit Director, University of Oklahoma
tim.marley@ou.edu
www.ou.edu/audit
twitter: @timmarley
desk 405.325.5418
cell 405.613.8500