What is the Payment Card Industry Data Security Standard

1
(No Transcript)
2

• What is the Payment Card Industry Data Security
  Standard?
  
• What are the Different Levels of Merchants?
• Who is the PCI Security Council
• 12 Requirements for PCI Compliance
• Who is Affected at your Institution?
• Security Breach Data
• PCI DSS Risk of Non-Compliance
• Items to Consider
• Next Steps

2
3

• Payment Card Industry Data Security Standards
  (www.pcisecuritystandards.org)
  
• Common Set of Technical Requirements and Testing
  Methodologies
  
• Purpose is to Ensure the Safe Handling of
  Sensitive Payment Card Information
  
• Initially Created to Align the Separate Security
  Programs of MasterCard (SDP) and Visa (CISP)
  
• Was Later Adopted By Other Major Credit Card
  Programs (American Express, JCB, Discover)
  
• The Standard is not Optional and Non-Compliance
  Could Bring Significant Financial Cost
  

3
4

• Levels are Defined by the Credit Card Companies
  (Visa/MasterCard), and Established by your
  Merchant Bank
  
• Level 4 (
• Network Scan Recommended Quarterly
• Self-Assessment Questionnaire Recommended
  Annually
  
• Level 3 (20,000 1,000,000 e-Commerce
  Transactions)
  
• Quarterly Network Scan and Annually
  Self-Assessment Questionnaire Required
  
• Level 2 (1,000,000 6,000,000)
• Quarterly Network Scan and Annually
  Self-Assessment Questionnaire Required
  
• Level 1 (Over 6,000,000, Suffered a Breach, or
  Deemed High Risk)
  
• Network Scan Required Quarterly
• On-Site PCI Security Audit Required Annually

4
5

• PCI Security Standards Council Governs the
  Standards for the Payment Card Industry
  
• Founding Members
• American Express
• Discover Financial Services
• MasterCard Worldwide
• Visa International
• JCB (Japan Credit Bureau)

5
6

• Build and Maintain a Secure Network
• Install and Maintain a Firewall Configuration to
  Protect Card Holder Data (25)
  
• Do Not Use Vendor-Supplied Defaults for System
  Passwords and Other Security Parameters (13)
  
• Protect Cardholder Data
• Protect Stored Cardholder Data (28)
• Encrypt Transmission of Cardholder Data Across
  Open, Public Networks (6)
  
• Maintain a Vulnerability Management Program
• Use and Regularly Update Anti-Virus Software (3)
• Develop and Maintain Secure Systems and
  Applications (30)

• Implement Strong Access Control Measures
• Restrict Access to Cardholder Data by Business
  Need-To-Know (2)
  
• Assign a Unique ID to Each Person with Computer
  Access (25)
  
• Restrict Physical Access to Cardholder Data (23)
• Regularly Monitor and Test Networks
• Track and Monitor All Access to Network Resources
  and Cardholder Data (28)
  
• Regularly Test Security Systems and Processes
  (11)
  
• Maintain an Information Security Policy
• Maintain a Policy That Addresses Information
  Security (39)

6
7

• Everyone Who Takes Credit Cards on Behalf of the
  Institution Examples Include
  
• Campus Card
• Supply/Book Store
• Athletics
• Student Receivables
• Alumni/Advancement
• Undergraduate/Graduate Admissions
• Publications Year Book/Other Campus Documents
• Performing Arts/Music
• Continuing Education

7
8
January 2000 March 23, 2009

• 1781 Publically Reported Computer Security
  Breaches in the United States (44 States and
  DC/Puerto Rico/Virgin Islands States with
  no/limited laws AL, MS, KY, MO, NM, SD)
• 24.1 (19.3) Educational Institutions (Most Were
  Hacks)
  
• 43.6 Businesses
• 20.7 Government Agencies (State, Local and
  Federal
  
• 11.6 Medical Institutions
• Educational Institutions are Disproportionately
  Vulnerable to Security Breaches
  
• According to http//datalossdb.org/

8
9

• Median Higher Ed Breach is 5,000 - 50,000
  accounts1
  
• Expected cost 182 per account compromised1
• Cost of Notifying Affected Cardholders
• Cost of Paying for Credit Monitoring
• Cost of Paying for Unauthorized Charges
• A Small Breach Can Cost 1 million1
• Including the Cost of an Annual On-Site Audit
• Cost Related to a Possible Increase in Credit
  Card Rates
  
• Implementing Hardware/Software/Resource Upgrades
• Possible Fines By the Card Association In 2006,
  Visa Alone Issued Merchant Fines Totaling 4.4
  million
  
• Visa and TJX reach an agreement in November 2007
  of a 40.9M Settlement
  
• Additional Indirect Cost Unfavorable Publicity,
  Significant Brand Damage to the Institution

1 According to Walter Conway Associates, LLC,
Security Breach Data, 2000-July 2007
9
10

• Understand your card processing environment
• How do you gather and manage the data
• How do you manage the PCI DSS Team
• Do you have a good partner in Finance
• Understand the flow of credit card traffic
  through your network
  
• Each Merchant must complete one of 4
  questionnaires based on how they handle credit
  card data
  
• Using a 3rd Party, PCI Compliant Vendor doesnt
  make you PCI compliant
  
• News Events Heartland, TJX

10
11

• If you havent started, get started now Its a
  long road
  
• Partner with Finance to gather data by Merchant
  ID
  
• Include interviews with the merchants vendors
• Interview each Merchant ID owner at least twice
• Maintain a common set of data on a single large
  spreadsheet
  
• Dont forget about the paper copies of credit
  card data
  
• Unless youre a level 4, Hire an Approved
  Scanning Vendor (ASV) www.pcisecuritystandard.org
  
  
• If you need external assistance, Hire a Qualified
  Security Assessor (QSA) www.pcisecuritystandard.or
  g
  
• Work closely with your Merchant Bank

11
12
COMMENTS/QUESTIONS?

• J. Ashley Ewing, CISSP, CISA
• Director of Information Security and
  Compliance/ISO
  
• University of Alabama
• aewing_at_ua.edu

12