PCI Roundtable

Jeff Williams
Information Security Officer
CSU, Sacramento
What is PCI DSS?
What are the financial impacts?
What are the requirements?
How do I become compliant?
Standard that is applied to:
– Merchants (You)
– Service Providers (third-party vendors, gateways)
– Systems (Hardware, software)
That:
– Stores cardholder data
– Transmits cardholder data
– Processes cardholder data
Applies to:
– Electronic Transactions
– Paper Transactions
Forced service outage during incidents
Forced service suspension
Loss of brand processing
Fines as high as $5,000 per card per day
Pay for independent investigation (entry fee of ~$30,000)
◦ Fines up to $500,000
◦ Large breaches… $50,000,000, $590,000, $10,000,000 (combined fines for all three: $60,590,000)
Consider highest total cards processed in one day (disclaimer: numbers picked for easy math, optimistic, and assume pre-incident self-assessment and mitigation)
– 100 total cards
– $50 per card for notification/communication
– $100 fine per card
– $30,000 investigation fee
– Single Loss Expectancy: $45,000
– Annualized Rate of Occurrence: .10
– Annualized Loss Expectancy: $4,500
Consider highest total cards processed in one day (disclaimer: numbers picked for easy math, optimistic, and assume little to no self-assessment and mitigation activities)
– 100 total cards
– $50 per card for notification/communication
– $1,000 fine per card
– $30,000 investigation fee
– Single Loss Expectancy: $180,000
– Annualized Rate of Occurrence: .20
– Annualized Loss Expectancy: $36,000

Consider
◦ Your highest number of cards processed day
◦ A multi-day event
◦ You are out of compliance and store all cards processed
◦ Maximum fines
◦ Impact to your reputation/fundraising
◦ Impact to your operations
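The two slide scenarios above are instances of the standard quantitative risk formula: Single Loss Expectancy (SLE) = exposed cards × (notification cost + fine per card) + investigation fee, and Annualized Loss Expectancy (ALE) = SLE × Annualized Rate of Occurrence (ARO). The following is an added example, not part of the presentation, that encodes that formula and extends it to the "Consider" list: a multi-day event where every card processed is stored, and fines at the $5,000 per-card ceiling quoted earlier. The scenario class, its field names, and the assumption that the fine accrues once per exposed card are ours; the $30,000 fee, the $50 notification cost, and the first scenario's figures are the slide's.

```python
# Added example (not from the presentation): SLE / ARO / ALE model behind the
# slide's breach-cost scenarios, generalized to multi-day events and maximum fines.
from dataclasses import dataclass

MAX_FINE_PER_CARD = 5_000  # "fines as high as $5,000 per card per day" (slide figure)


@dataclass(frozen=True)
class BreachScenario:
    cards_per_day: int            # highest number of cards processed in one day
    days: int                     # length of the event; 1 reproduces the slide's case
    notify_cost_per_card: float   # notification/communication cost per card
    fine_per_card: float          # assumption: the fine accrues once per exposed card
    investigation_fee: float      # fixed entry fee for the independent investigation
    aro: float                    # annualized rate of occurrence, 0.0 .. 1.0

    def __post_init__(self):
        if self.fine_per_card > MAX_FINE_PER_CARD:
            raise ValueError("fine exceeds the per-card ceiling quoted on the slide")
        if not 0.0 <= self.aro <= 1.0:
            raise ValueError("ARO must be a probability between 0 and 1")

    def exposed_cards(self) -> int:
        # Out of compliance and storing every card processed means every day's
        # cards are exposed, not just the day the incident is detected.
        return self.cards_per_day * self.days

    def single_loss_expectancy(self) -> float:
        per_card = self.notify_cost_per_card + self.fine_per_card
        return self.exposed_cards() * per_card + self.investigation_fee

    def annualized_loss_expectancy(self) -> float:
        return round(self.single_loss_expectancy() * self.aro, 2)


# The slide's first (optimistic) scenario, reproduced with its own numbers.
SLIDE_SCENARIO_1 = BreachScenario(
    cards_per_day=100, days=1, notify_cost_per_card=50, fine_per_card=100,
    investigation_fee=30_000, aro=0.10,
)

# Constructed worst-case scenario from the "Consider" list: three-day event,
# all cards stored, fines at the ceiling, and the higher ARO of scenario 2.
WORST_CASE = BreachScenario(
    cards_per_day=100, days=3, notify_cost_per_card=50,
    fine_per_card=MAX_FINE_PER_CARD, investigation_fee=30_000, aro=0.20,
)


def ale_multiplier(baseline: BreachScenario, worse: BreachScenario) -> float:
    """How many times larger the annual expected loss becomes between two scenarios."""
    return round(worse.annualized_loss_expectancy() / baseline.annualized_loss_expectancy(), 1)


if __name__ == "__main__":
    for name, s in (("slide scenario 1", SLIDE_SCENARIO_1), ("worst case", WORST_CASE)):
        print(f"{name}: SLE ${s.single_loss_expectancy():,.0f}  ALE ${s.annualized_loss_expectancy():,.0f}")
    print(f"worst case ALE is {ale_multiplier(SLIDE_SCENARIO_1, WORST_CASE)}x the baseline")
```

The point of the multiplier is the one the slide makes: the controllable inputs (whether cards are stored at all, how many days pass before detection, whether a self-assessment lowers the fine tier) move the annual figure far more than the fixed investigation fee does.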
Build and Maintain a Secure Network
1. Use firewalls and NAT to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect physical stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Routinely test security systems and processes
Maintain an Information Security Policy
12. Establish high-level security principles and procedures


It all starts with a Self Assessment
Identify and close your gaps
http://www.csus.edu/irt/is/pci/presentations/index.html
Bottom of the webpage has a matrix of examples, guides, resources and templates
PCI Website - www.pcisecuritystandards.org
Thank you,
Jeff Williams
jeff.williams@csus.edu
916.278.7733