Payment Card Industry
Data Security Standard
(PCI DSS) Compliance
JEFF WILLIAMS
INFORMATION SECURITY OFFICER
CALIFORNIA STATE UNIVERSITY,
SACRAMENTO
Agenda
 What is PCI DSS?
 Why do I need to care?
 What are the requirements?
 How can I get started?
 Resources and templates
What is PCI DSS?
 PCI Security Standards Council
 (American
Express, Discover, JCB, MasterCard,
and Visa)
 Designed to protect credit data, mitigate
financial loss and avoid government(s)
regulations
 Six security domains that make over 120
technical and operational security controls
Why do I need to care?
 Regulatory notification requirements
 Loss of reputation
 Loss of customers
 Potential financial liabilities
 Litigation
In the news
What are the requirements?
 Build and Maintain a Secure Network
 Protect Cardholder Data
 Maintain a Vulnerability Management
Program
 Implement Strong Access Control Measures
 Regularly Monitor and Test Networks
 Maintain an Information Security Policy
Build and Maintain a Secure Network
 Firewalls
 control
computer traffic from PCI (trusted)
networks to and from external (untrusted)
networks
 Hardening systems
 configuration
management program
 change defaults passwords and security settings
 single purpose systems
 remove unnecessary functions
Protect Cardholder Data
 Data Protection Program
 data
retention and disposal
 minimize full PAN to absolutely necessary
processes (truncate and masking first six and last
four digits max if displayed, and hashing)
 never store full track or card verification code
 Encryption of data and across public
networks
Key management is key to encryption
Maintain Vulnerability Management Program
 Configuration management
 Change management
 Patch management
 Anti-virus/malware protection
 Vulnerably management program
 rank,
determine impact and prioritize
activity
Implement Strong Access Control Measures
 Restrict access
 need
to know
 need to perform
 according to job responsibilities
 default “deny-all”
 Unique ID for accountability
 Restrict physical access
 deny,
deter, document and detect
 destroy
Regularly Monitor and Test Networks
 Track and monitor access
 log activity (during an incident you are trying to limit $cope by
determining what happened)
 Test security systems and processes
 test of presence of wireless
 run internal vulnerably scans
 run quarterly external vulnerably scans (ASV)
 run intrusion-detection system
 Run file-integrity monitoring tools
Maintain Information Security Policy
 Covers all personnel
 Training and awareness
 Requires operational procedures are in compliance
 Incident response
 Reviewed and updated annually
Compensating Controls
 Cannot meet the explicitly stated requirement due to
legitimate technical or business constraints but has
sufficiently compensating/ mitigating controls to
address the risk.
 PCI DSS provides a compensating controls
worksheet
Compensating Controls Worksheet
1. Constraints
2. Objective
3. Identified risk
4. Definition of compensation controls
5. Validation of compensating controls
6. Maintenance
More information and example in the PCI DSS Documentation Library
Data Security Standard, Requirement and Security Assessment
Procedures, Version 2.0
Getting Started
1. Identify a lead and team members
2. Identity all PCI covered systems and
3.
4.
5.
6.
processes
Complete Self-Assessment Questionnaire
(SAQ)
Prioritize and address gaps
Complete a Report of Compliance (ROC)
Maintain the program
Self Assessment Questionnaire
SAQ
Merchant / Activity Description
A
Card-not-present / outsourced e-commerce / mail/telephoneorder / relies entirely on 3rd party for handling electronic
processes / Never has face-to-face with customer
B
Imprint-only / dial-out terminal (phone line) / no electronic
storage
C-VT
Web-based virtual terminals / no electronic storage / Manually
entered, no card readers
C
Payment application connected to the Internet / no electronic
storage
D
All other merchants / activities
More information in the PCI DSS Documentation Library
Self-Assessment Questionnaire, Instructions and Guidelines, Version 2.0
Prioritize and Address Gaps
 Resources and Templates
 www.csus.edu/irt/is/pci/presentations/index.html
Report on Compliance (ROC)
 Content and Format
 Executive
summary
 Scope of work and approach taken
 Details about reviewed environment
 Contact information and report date
 Quarterly scan results
 Finding and observations
Terms
 Report of Compliance (ROC)
 Approved Scanning Vendor (ASV)
 Self Assessment Questionnaire (SAQ)
 Primary Account Number (PAN)
Resources and Credits
 PCI DSS Document Library:
 Instructions and Guidelines
 Requirements and Security Assessment Procedures
 Geekonomics, David Rice, 2008
 CSU, Sacramento PCI DSS Program
 Adam Cook, Information Security Analyst, CSU,
Sacramento