North Carolina Community College System
IIPS Conference – Spring 2009
PCI COMPLIANCE
Jason Godfrey
IT Security Manager
(919) 807-7054
godfreyj@nccommunitycolleges.edu
AGENDA











PCI Data Security Standard (DSS)
Latest Data Security Standard
Compliant Process
Becoming Compliant
Maintaining Compliance
Determining Which SAQ
General Tips
Prioritizing Milestones
Challenges
Additional Information
Q & A - Open forum
PCI DATA SECURITY STANDARD (DSS)
LATEST DATA SECURITY STANDARD




Current version is 1.2
Released October 2008
Majority of changes are explanatory and clarifications
Three enhancements



Section 4.1.1 – Testing requirements and wireless
encryption standards
Appendix D: attestations and compliance forms
Appendix E: attestations and compliance forms
COMPLIANCE PROCESS
BECOMING COMPLIANT
1. PCI DSS Scoping – determine what system
components are governed by PCI DSS
2. Sampling – examine the compliance of a subset of
system components in scope
3. Compensating Controls – QSA validates alternative
control technologies/processes
4. Reporting – merchant/organization submits required
documentation
5. Clarifications – merchant/organization
clarifies/updates report statements (if applicable)
MAINTAINING COMPLIANCE
Assess
Remediate
Report
DETERMINING WHICH SAQ
GENERAL TIPS





Never store sensitive card data
 Full content of the magnetic strip
 Card validation codes and values
 PIN blocks
Contact your POS vendor regarding PCI compliance
Don’t store card holder data if you don’t need it
Minimize scope
Prioritize requirements
PRIORITIZING MILESTONES1
1.
2.
3.
4.
5.
6.
Remove sensitive authentication data and limit data
retention.
Protect the perimeter, internal, and wireless
networks.
Secure payment card applications.
Monitor and control access to your systems.
Protect stored cardholder data (security classes).
Finalize remaining compliance efforts, and ensure
all controls are in place.
1 The
Prioritized Approach to Pursue PCI DSS Compliance
CHALLENGES








Documenting policies, processes, and procedures
Storing backups in secured manner (off-site is preferable)
Separation of duties
Local payment card applications
Hardware and software
 CCTV
 File monitoring
 Audit trails
Internal and external penetration tests
Training
Management buy-in and user acceptance
ADDITIONAL INFORMATION

PCI Council
https://www.pcisecuritystandards.org

PCI Council Navigating the SAQ
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_d
ss.pdf

PCI Council Quick Guide
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

PCI Prioritized Approach
https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach_
PCI_DSS_1_2.pdf

Trustwave


General Questions – (800) 363-1621
support@trustwave.com
ADDITIONAL INFORMATION


System Office – contact the CIS Help Desk
US CERT
http://www.us-cert.gov/

SANS Institute
http://www.sans.org/

NC ITS State-wide Security Manual
http://www.scio.state.nc.us/SITPoliciesAndStandards/Statewide_Informatio
n_Security_Manual.asp

Open Source applications




Network Security Tool (NST)
Snort
Untangle
Zenoss
OPEN FORUM
Q&A