Chad`s and Ruth`s presentation - Protect IU

advertisement
Payment Card Industry
Data Security Standards
@ IU
Ruth A. Harpool, Director, Treasury Operations, Office of The Treasurer
Chad Marcum, Lead Security Engineer, University Information Security Office
September 14, 2010
Indianapolis
PCI DSS Role Players @ IU
• Board of Trustees
• Purchasing
• Merchants
• Legal Counsel
• Office of The Treasurer
• Third Party Vendors
• UISO
• QSA (Trustwave)
• UITS
• YOU
PCI DSS Relationships
Merchants
Credit Card
Companies
Indiana University
Acquiring
Card Office)
Bank (USB) Credit(Treasurer’s
Companies
UISO
QSA
CACR Presentation
• BREAK
Six PCI DSS Goals
•
•
•
•
•
•
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Security Controls and Processes for
PCI DSS Requirements
•
•
•
•
•
•
•
•
•
•
•
•
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
41% - Requirement # 5: Use and regularly update anti-virus software
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
41% - Requirement # 5: Use and regularly update anti-virus software
94% - Requirement # 6: Develop and maintain secure systems and apps
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
41% - Requirement # 5: Use and regularly update anti-virus software
94% - Requirement # 6: Develop and maintain secure systems and apps
25% - Requirement # 7: Restrict access to cardholder data by need to know
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
41% - Requirement # 5: Use and regularly update anti-virus software
94% - Requirement # 6: Develop and maintain secure systems and apps
25% - Requirement # 7: Restrict access to cardholder data by need to know
63% - Requirement # 8: Assign a unique ID to each person with access
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
41% - Requirement # 5: Use and regularly update anti-virus software
94% - Requirement # 6: Develop and maintain secure systems and apps
25% - Requirement # 7: Restrict access to cardholder data by need to know
63% - Requirement # 8: Assign a unique ID to each person with access
12% - Requirement # 9: Restrict physical access to cardholder data
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
41% - Requirement # 5: Use and regularly update anti-virus software
94% - Requirement # 6: Develop and maintain secure systems and apps
25% - Requirement # 7: Restrict access to cardholder data by need to know
63% - Requirement # 8: Assign a unique ID to each person with access
12% - Requirement # 9: Restrict physical access to cardholder data
91% - Requirement # 10: Track and monitor all access to resources
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
41% - Requirement # 5: Use and regularly update anti-virus software
94% - Requirement # 6: Develop and maintain secure systems and apps
25% - Requirement # 7: Restrict access to cardholder data by need to know
63% - Requirement # 8: Assign a unique ID to each person with access
12% - Requirement # 9: Restrict physical access to cardholder data
91% - Requirement # 10: Track and monitor all access to resources
91% - Requirement # 11: Regularly test security systems and processes
Source: 2008 Trustwave Report
Top PCI DSS Violations
80% - Requirement # 1: Install and Maintain a firewall configuration
75% - Requirement # 2: Do not use vendor-supplied defaults
88 % - Requirement # 3: Protect stored cardholder data
11% - Requirement # 4: Encrypt transmission of cardholder data
41% - Requirement # 5: Use and regularly update anti-virus software
94% - Requirement # 6: Develop and maintain secure systems and apps
25% - Requirement # 7: Restrict access to cardholder data by need to know
63% - Requirement # 8: Assign a unique ID to each person with access
12% - Requirement # 9: Restrict physical access to cardholder data
91% - Requirement # 10: Track and monitor all access to resources
91% - Requirement # 11: Regularly test security systems and processes
75% - Requirement # 12: Maintain a policy that addresses info security
Source: 2008 Trustwave Report
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Ten Common Myths of PCI DSS
Build and Maintain a Secure Network
Requirement 1:
Install and maintain
a firewall and router
configuration to
protect cardholder
data (26 sub-requirements)
Responsibility
Merchants
UITS
Treasury
UISO
How can you help?
Headlines
Novice computer hacking kits found for sale on eBay
UT Arlington File Server with Records on 27,000
Breached Four Times
Submitted by Adam Dodge on Fri, 2010-07-23 06:19 Quick Facts
Date: 7/23/2009
Institution: University of Texas, Arlington
Type of Incident: Penetration
Number Affected: 27,000
Source: ESI
Abstract Source: University of Texas, Arlington
Abstract
The University of Texas, Arlington recently notified students, faculty and staff after the breach of a file server containing personal
information. The file server, used by the university's Student Health Center, contained the names, addresses, prescription names,
amount spent and diagnostic codes of 27,000 students, faculty and staff between 2000 and June 2010, including 2,048 Social
Security numbers. The compromise was discovered on June 21, 2010 by IT staff and an investigation uncovered the server had been
breached on four occasions between February 2009 and February 2010.
Build and Maintain a Secure Network
Requirement 2:
Do not use vendor
supplied defaults for
system passwords
and other security
parameters
Responsibility
Merchants
Every user, every machine
UITS
(13 sub-requirements)
How can you help?
Headlines
Vendor-Supplied Backdoor Passwords – A
Continuing Vulnerability
Retailers Sue POS Vendor
“One of the key accusations against Computer World is that it used
vendor default passwords for systems with many of these
restaurants, for easier remote administration. The lawsuit correctly
points out that PCI bans retailers from using such vendor default
passwords.”
Read more:
http://www.storefrontbacktalk.com/securityfraud/retailers-suingcard-processor-questions-raised-as-to-where-pci-dutiesstop/#ixzz0ymIKSDPF
Protect Cardholder Data
Requirement :3
Protect stored
cardholder data
(28 sub-requirements)
Responsibility
Merchants
Treasury
How can you help?
Headlines
Email Attachment Contains Arkansas State University
Employee Information
Submitted by Adam Dodge on Thu, 2010-09-02 06:31 Quick Facts
Date: 9/2/2010
Institution: Arkansas State University
Type of Incident: Unauthorized Disclosure
Number Affected: 2,484
Source: ESI
Headlines
Laptop Stolen From Locked Office at University
of Kentucky
Submitted by Adam Dodge on Thu, 2010-08-19 06:32 Quick Facts
Date: 8/19/2010
Institution: University of Kentucky
Type of Incident: Theft
Number Affected: 2,027
Source: DataBreaches.net
Abstract Source: University of Kentucky Public Notice
Abstract
The University of Kentucky is working to notify parents after a laptop was stolen from the
university's Newborn Screening Program. The laptop, which was taken from a locked
office in the Department of Pediatrics Newborn Screening Program, contained the
names, medical record numbers, dates of birth, diagnosis, mothers' name and mothers'
Social Security numbers on 2,027.
Protect Cardholder Data
Requirement 4:
Encrypt
transmission of
cardholder data
across open, public
networks
Responsibility
Merchants
Treasury
(4 sub-requirements)
How can you help?
Headlines
• Encryption Implementation Really Matters
• Written by Walter Conway
August 26th, 2010
Read more:
http://www.storefrontbacktalk.com/securityfraud
/encryption-implementation-reallymatters/#ixzz0ymKXbVcS
Maintain a Vulnerability Management
Program
Requirement 5:
Use and regularly
update anti-virus
software or
programs
Responsibility
Merchants
UITS
(7 sub-requirements)
How can you help?
Headlines
August 17, 2000 9:15 AM PDT
New strain of "Love" virus steals passwords
Read more: http://news.cnet.com/2100-1023-244593.html#ixzz0ymNOafk9
February 18, 2010 :
New computer virus steals your log-in info for
Facebook, Yahoo and Hotmail
Headlines
Sep 1, 2010 Cyber Thieves Steal Nearly
$1,000,000 from University of Virginia
College
Cyber crooks stole just shy of $1 million from a satellite campus of The
University of Virginia last week, KrebsOnSecurity.com has learned.
The attackers stole the money from The University of Virginia’s College at
Wise, a 4-year public liberal arts college located in the town of Wise in
southwestern Virginia.
According to several sources familiar with the case, thieves stole the funds after compromising a
computer belonging to the university’s comptroller. The attackers used a computer virus to steal
the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single
fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T
declined to comment for this story.
Maintain a Vulnerability Management
Program
Requirement 6:
Develop and
maintain secure
systems and
applications
Responsibility
Merchants
UITS
(40 sub-requirements)
How can you help?
Headlines
Even antivirus vendors warn their solutions are
not enough.
"A lot of people will buy one product and expect it to do everything -- and it doesn't,"
says GFI's Eckelberry, which recently bought security application maker Sunbelt
Software. "In the past, you could rely on your AV product to catch everything, but it
can't anymore. I have some of the coolest technology in the world, but I know what
it is like out there. It will not catch everything."
Companies should secure employees against their own behavior just as a parent
childproofs a house, Eckelberry says. "It may be a terrible analogy," he says, "but as
an IT manager, you have to expect that users are gong to bumble around and break
glass objects."
Lunch Break
12-1
Security Controls and Processes for
PCI DSS Requirements
•
•
•
•
•
•
•
•
•
•
•
•
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Implement Strong Access Control
Measures
Requirement 7:
Restrict access to
cardholder data by
business need to
know
Responsibility
Merchants
UITS
(9 sub-requirements)
How can you help?
Headlines
Study: 80% of Organizations Suffer Breaches, Most From the Inside
“If you still think nameless, faceless bad hackers are the biggest threat, think again:
Three quarters of all data breaches in the U.S. are at the hands of insiders at the
organization -- most inadvertent, but some malicious –” Source: Security
DARKreading. October 2008 http://www.darkreading.com/security/government
New Facebook ID Theft scam: 'Dislike' button
Monday, August 16, 2010
Charlotte Observer
The Better Business Bureau warns Facebook users against clicking a ‘dislike’
button siting a new identity theft scam.
Implement Strong Access Control
Measures
Requirement 8:
Assign a unique ID
to each person with
computer access
Responsibility
Merchants
UITS
(25 sub-requirements)
How can you help?
Headlines
Two Factor Authentication required for remote access.
Remove/disable inactive users every 90 days. Remove terminated employee’s
access immediately.
• An Employee Leaves, Does Your Data Follow?
Carl J. Rychcik; LTN Law Technology News: http://www.law.com
Corporate Counsel
November 09, 2009
•
•
The days of photocopying documents and sneaking out the door with hard copies are long gone. Most information is now
available electronically, and large amounts of data can be copied efficiently and discreetly via computer. The good news is
that in many instances, accessing information electronically leaves a distinct trail for a former employer to follow. The bad
news, though, is that if the proper steps are not taken, this trail can quickly be lost.
In fact, in many cases, simply doing nothing can result in valuable information being lost forever. There are a number of
pitfalls to avoid when building a case against a former employee who you believe has taken your confidential information.
Implement Strong Access Control
Measures
Requirement 9:
Restrict physical
access to
cardholder data
Responsibility
Merchants
UITS
(24 sub-requirements)
How can you help?
Headlines
Storm Lake, Iowa College Falls Victim to
Campus Data Breach
August 26, 2010
It has been confirmed that Buena Vista University, located in Storm Lake, Iowa, has fallen victim to a data breach on
campus, in which a campus database was accessed without authorization sometime in June.
The database that was accessed contained information going back to 1987, and included personally identifiable
information on BVU students, faculty, staff, parents, alumni and even BVU donors. This information included
names, Social Security numbers, and in some cases, driver’s license numbers.
This breach, which was confirmed to have happened sometime in June, has caused the University to invest time and
energy in contacting some 93,000 people who have been affected. Although there have been no reports of
information on this database being misused, university officials have notified the proper authorities of the data
breach and are taking the time to contact all who have been affected.
Regularly Monitor and Test Networks
Requirement 10:
Track and monitor
all access to
network resources
and cardholder data
Responsibility
Merchants
UITS
(30 sub-requirements)
How can you help?
Headlines
Top Five Data Security Vulnerabilities Leading
to Compromises
1.
2.
3.
4.
5.
SQL Injection
Unpatched and Unhardened Systems
Malicious Software (Malware) That Captures Cardholder Data
Insecure Network Configuration and Poor Monitoring
Lack of audit Trail Logs
According to VISA as reported on April 15, 2009
Regularly Monitor and Test Networks
Requirement 11:
Regularly test
security systems
and processes
(14 sub-requirements)
Responsibility
Merchants
UITS
Treasury
UISO
How can you help?
Headlines
From University of Wisconsin-Madison this
warning was issued in February 2010:
A new botnet and phishing scam has the ability to steal files from (and
remotely control) an infected computer. Computer.botnet is using an old
tool in phishing scams aimed at collecting banking and social networking
website usernames and passwords. Specifically, something called the
Kneber Botnet uses Zeus trojan to steal restricted data. Zeus, also know
as Zbot, is a trojan horse type malware that includes a keystroke logger.
Maintain an Information Security Policy
Requirement 12:
Responsibility
Maintain a policy
that addresses
information security
for employees and
contractors
Merchants
(35 sub-requirements)
UISO
UITS
Treasury
How can you help?
Verizon 2010 Data Breach Report
Key Findings of the 2010 Report
This year's key findings both reinforce prior conclusions and offer new insights. These include:
•
Most data breaches investigated were caused by external sources. Sixty-nine percent of breaches
resulted from these sources, while only 11 percent were linked to business partners. Forty-nine percent
were caused by insiders, which is an increase over previous report findings, primarily due in part to an
expanded dataset and the types of cases studied by the Secret Service.
Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who,
for malicious purposes, abused their right to access corporate information. An additional 40 percent of
breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical
attacks.
•
Commonalities continue across breaches. As in previous years, nearly all data was breached from
servers and online applications. Eight-five percent of the breaches were not considered highly difficult, and
87 percent of victims had evidence of the breach in their log files, yet missed it.
•
Meeting PCI-DSS compliance still critically important. Seventy-nine percent of victims subject to the
PCI-DSS standard hadn't achieved compliance prior to the breach.
Source: 2010 Data Breach Report from Verizon Businesses
Break
Summary of PCI DSS Changes
Requirement Impact
Reason for Change
Proposed Change
Category
PCI DSS Intro
Clarify Applicability of PCI
DSS and cardholder data
Clarify that PCI DSS
Requirements 3.3 and 3.4
apply only to PAN
Clarification
Scope of Assessment
Ensure all locations of
cardholder data are included
in scope of PCI DSS
assessments
Clarify that all locations and
flows of cardholder data
should be identified and
documented to ensure
accurate scoping of
environment
Additional Guidance
PCI DSS Intro and various
requirements
Provide guidance on
virtualization
Expanded definition of
systems components to
include virtual components.
Updated requirement 2.2.1 to
clarify intent of ‘one primary
function per server” and use
of virtualization
Additional Guidance
Source: PCI Security Standards Council
Summary of PCI DSS Changes
Requirement Impact
Reason for Change
Proposed Change
Category
PCI DSS Requirement 1
Further clarification of the
DMZ
Provide clarification on
secure boundaries between
internet and card holder data
environment
Clarification
PCI DSS Requirement 3.2
Clarify applicability of PCI
DSS to Issuers or Issuer
Processors-
Recognize that Issuers have
a legitimate business need to
store Sensitive
Authentication Data
Clarification
PCI DSS Requirement 3.6
Clarify key management
processes
Clarify processes and
increase flexibility for
cryptographic key changes,
retired or replaced keys, and
use of split control and dual
knowledge
Clarification
Source: PCI Security Standards Council
Summary of PCI DSS Changes
Requirement Impact
Reason for Change
Proposed Change
Category
PCI DSS Requirement 6.2
Apply a risk based approach
for addressing vulnerabilities
Update requirement to allow
vulnerabilities to be ranked
and prioritized according to
risk
Evolving Requirement
PCI DSS Requirement 6.5
Merge requirements to
eliminate redundancy and
Expand examples of secure
coding standards to include
more than OWASP
Merge requirement 6.3.1 into
6.5 to eliminate redundancy
for secure coding for internal
and Web-facing applications.
Include examples of
additional secure coding
standards, such as CWE and
CERT
Clarification
PCI DSS Requirement
12.3.10
Clarify remote copy, move,
and storage of cardholder
data
Update requirement to allow
business justification for
copy, move and storage of
CHD during remote access
Clarification
Source: PCI Security Standards Council
Summary of PCI DSS Changes
Requirement Impact
Reason for Change
Proposed Change
Category
PA-DSS
General
Payment Applications on
Hardware Terminals.
Provide further guidance on
PA-DSS applicability to
hardware terminals.
Additional Guidance
PA-DSS
Requirement 4.4
Payment applications should
facilitate centralized logging
Add sub-requirement for
payment applications to
support centralized logging,
in alignment with PCI DSS
requirement 10.5.3
Evolving Requirement
PA-DSS
Requirements 10 & 11
Merge PA-DSS
Requirements 10 and 11
Combine requirements 10
and 11 (remote update and
access requirements) to
remove redundancies
Clarification
Source: PCI Security Standards Council
PCI DSS Timelines to Know
• The planned publication date of version 2.0
of PCI DSS and version 2.0 of PA-DSS is
October 28, 2010.
• The updated standards will become effective
on January 1, 2011.
Upcoming Changes to the IU
Payment Card Environment You
Should Expect?
• Tighter access controls on desktop and laptop
computers that access IU PCI systems or are used by
employees to hand key cardholder data
Upcoming Changes to the IU
Payment Card Environment You
Should Expect?
• Remote desktop requires two-factor authentication
Upcoming Changes to the IU
Payment Card Environment You
Should Expect?
• Retirement of IPAS (no later than 12/2010)
Upcoming Changes to the IU
Payment Card Environment You
Should Expect?
• Guidelines regarding Host Based firewalls for servers
and systems operating within the IU PCI environment
Upcoming Changes to the IU
Payment Card Environment You
Should Expect?
• Guidance on the IU PCI VRF and what should and
should not be inside of it
Upcoming Changes to the IU
Payment Card Environment You
Should Expect?
• Discontinued use of iFrames unless approved by
Treasury
Self-Assessment Questionnaires (SAQs)
Would you rather have an A or a D?
•
•
•
•
SAQ A - about 13 questions
SAQ B - about 26 questions
SAQ C - about 41 questions
SAQ D - about 240 questions
Self-Assessment Questionnaire A
• Merchant does not store, process, or transmit
any cardholder data on merchant premises but
relies entirely on third-party service provider(s)
to handle these functions
• Third-party service provider(s) handling storage,
processing, and/or transmission of cardholder
data is confirmed to be PCI DSS compliant
4/9/2015
Self-Assessment Questionnaire A
• Requirement 9: Restrict physical access
to cardholder data
• Requirement 12: Maintain a policy that
addresses information security
4/9/2015
Self-Assessment Questionnaire B
• Merchant uses only an imprint machine and does not
transmit cardholder data over either a phone line or the
Internet
OR
• Merchant uses only standalone, dial-up terminals, and the
standalone, dial-up terminals are not connected to the
Internet or any other systems within the merchant
environment
AND
• Merchant does not store cardholder data in electronic
format
4/9/2015
Self-Assessment Questionnaire B
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data
across open, public networks
• Requirement 7: Restrict access to cardholder data by
business need to know
• Requirement 9: Restrict physical access to cardholder
data
• Requirement 12: Maintain a policy that addresses
information security
4/9/2015
Self-Assessment Questionnaire C
• Merchant has a payment application system and
an Internet or public network connection on the
same device
• Merchant does not store cardholder data in
electronic format
4/9/2015
Self-Assessment Questionnaire C
•
•
•
•
•
•
•
•
•
•
•
Requirement 1: Install and configure a firewall configuration to protect
cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords
and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public
networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to
know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
4/9/2015
Self-Assessment Questionnaire D
• All other Merchants
4/9/2015
Self-Assessment Questionnaire D
•
•
•
•
•
•
•
•
•
•
•
•
Requirement 1: Install and configure a firewall configuration to protect cardholder
data
Requirement 2: Do not use vendor-supplied defaults for system passwords and
other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public
networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and
cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
4/9/2015
SAQ Validation
Type
Description
SAQ V1.2
1
Card-not-present (ecommerce or mail/telephone
order) merchants. NO face
to face merchants
A
2
Imprint-only, no electronic
B
3
Stand-alone terminal
merchants, no electronic
cardholder date storage
B
4
Merchants with POS
systems connected to the
Internet, no electronic
cardholder data storage
C
5
All other merchants(not
included in types 1-4 above)
D
•
SAQs
• SAQs are beginning to be released. If you receive
one then you are listed as our primary contact and
are responsible for completing.
• SAQs must be completed timely or your departments’
ability to accept credit cards may be temporarily
suspended.
• If you have SAQ questions contact
[email protected] ASAP ie..don’t wait until
the day your SAQ is due.
Security Awareness Education
• Provided by Trustwave
• Meets PCI DSS training requirement 12.6.1
• Treasury will contact Fiscal Officers to request
names and contact info of all individuals involved in
any way in credit card processing. (includes full
time, part time, IT staff, fiscal officers, etc..)
• Names and contact info will be provided to
Trustwave who will send an email to each with
instructions on taking the training. Employees must
pass.
• This will be an annual requirement.
• Is this the end or just the beginning?
• Is it yesterday or tomorrow?
Download
Related flashcards

Computer security

25 cards

Computer security

73 cards

Backup software

62 cards

Authentication methods

31 cards

Create Flashcards