The PCI DSS - Protect IU


Payment Card Industry

Data Security Standard

Tom Davis and Chad Marcum

Indiana University

PCI DSS, OMG! (and other TLAs)

PTS, PED, SAQ, PAN, ASV, SIG, PCI, DSS, SSC, ROC, CID, QSA, CVV

• Before PCI DSS

• PCI SSC overview

• Higher Ed’s Voice

• Compliance vs. Security

• IU’s approach

Before PCI DSS (circa 2003)

Each card brand ran its own program:

• VISA: Cardholder Information Security Program

• MasterCard: Site Data Protection Program

• American Express: Data Security Operating Policy

• Discover: Information Security and Compliance Program

• JCB: Data Security Program

As fraud losses increased…

Merging standards

“… enhance payment account data security by driving education and awareness of the PCI Security Standards.”

PCI Security Standards Suite

Organization

• Management Committee

• Secretariat

• Executive Committee

• General Manager

• DSS Technical Working Group

• PED Technical Working Group

• QSA Program Management

• ASV Program Management

• PA Program Management

• Marketing Working Group

• Legal

Stakeholders

• Board of Advisors

• QSA Committee

• ASV Committee

• Task Forces (ad hoc)

• Participating Organizations


Participating Organizations

“Participating organizations have an opportunity to influence the direction of PCI standards through:

• active involvement in community meetings,

• advance review of drafts of standards and supporting materials, and

• regular dialogue with key stakeholders.”

Participating Organizations

National Association of College and University Business Officers (NACUBO)

• Walt Conway, Business Representative

• Tom Davis, Technical Representative

PCI DSS Lifecycle

Compliance vs. Security

Security?

“… we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.”

-- Robert Carr, CEO, Heartland Payment Systems Inc.

“(PCI DSS) is more about security than compliance.”

-- Bob Russo, General Manager, PCI Security Standards Council

PCI DSS Overview

Applies to all merchants that “store, process, or transmit cardholder data”:

• all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)

• all forms, including electronic, paper, or oral

Includes 12 requirements, based on:

• administrative controls (policies, procedures, etc.)

• physical security (locks, physical barriers, etc.)

• technical security (passwords, encryption, etc.)

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

• Office of the Treasurer

• University Information Security Office

• Campus Network Infrastructure

• Departments (aka: Merchants) (IU has over 240 merchants)


You’ll have to get your own.

Maintaining and Sustaining

• Self-Assessment Questionnaires for each Dept/Unit each year (about 240 different merchants)

• Review of PCI virtual network firewall rules, both to and from

• Closely working with our QSA on interpretations of the PCI DSS: Scope, Control, Guidance

• Change Management Program (which has existed at IU since before the 1990s)

“…if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antithesis of security theatre.”

-- Ben Rothke and Anton Chuvakin, PCI Shrugged: Debunking Criticisms of PCI DSS

Resources

• NACUBO Business Officer Magazine Article: http://tinyurl.com/yd2sjw8

• Walt Conway’s PCI blog: http://treasuryinstitutepcidss.blogspot.com/

• Treasury Institute Workshop: http://www.treasuryinstitute.org/resourcelibrary/PCI_2010/

• PCI Security Standards Council: https://www.pcisecuritystandards.org/
