1 / 0

Compliance With The PCI DSS

Compliance With The PCI DSS. Today’s Agenda. PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A. CampusGuard . Full-Service QSA/ASV Firm We Know Security Focused Solely on Higher Education. The Target Breach.

betrys
Télécharger la présentation

Compliance With The PCI DSS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Compliance With The PCI DSS
  2. Today’s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A
  3. CampusGuard Full-Service QSA/ASV Firm We Know Security Focused Solely on Higher Education
  4. The Target Breach 40 million customers Insider ? POS was the vector Lessons for all…
  5. SOFTWARE DEVELOPERS MERCHANTS & PROCESSORS MANUFACTURERS PCI PA-DSS PCI Security & Compliance PCI PTS PCI DSS Payment Application Vendors PIN Transaction Security Data Security Standard Ecosystem of payment devices, applications, infrastructure and users PCI…
  6. Responsible for managing the PCI DSS and certifying QSAs and ASVs Responsible for enforcing and monitoring merchant compliance with the PCI DSS CREDIT CARD SECURITY Merchant Bank Responsible for safeguarding credit card data and complying with the PCI DSS Communicates and educates merchants on PCI DSS and reports compliance status to Card Associations PCI Relationships
  7. Penalties can be Huge In the event of a breach the bank can make the merchant responsible for: Fines from card associations Up to $500,000 + Cost to notify victims + Cost to replace cards + Cost for any fraudulent transactions + Forensics + Level 1 certification Bad Publicity – Priceless!
  8. How Much Time Left? You are assumed to be compliant NOW! Banks will be requiring your validation SOON!
  9. Government Higher Education Healthcare 6% 33% 8% Financial Services 14% 17% 22% Other Retailers Higher Ed Is Vulnerable Past 3 Years Source: Privacy Rights Clearinghouse
  10. Colleges and Universities are like Cities…
  11. A Campus Is A “City" Challenges for PCI Compliance: Open networks and systems Scope conversations complex Overloaded staff Fiscal constraints
  12. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop
  13. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop
  14. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop
  15. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop
  16. PCI DSS: 6 Goals, 12 Requirements Control Objective Requirements
  17. Merchant Levels Most Colleges and Universities
  18. Validation Requirements
  19. Move as far to the left as possible! 11 286 Self-Assessment Questionnaires
  20. Can I assess myself? Short answer: Maybe (but you probably don’t want to) Long answer: You can assess yourself, provided: You follow audit procedures Your acquirer agrees An approved officer (think President or CFO) signs on the “dotted line” (attesting to the veracity of the results) You’re absolutely sure you’re going to do it right
  21. Shopping Cart? Card Swipe Machine? Student in dorm? Office Workstations? Computer Lab? Phone Transaction? What’s in PCI Scope?
  22. PCI DSS Assessment Your Campus ? PA-DSS Internet Service Provider PCI DSS Level 1 Payment Application PCI DSS SAQ ? A/B/C/D?
  23. Case Study: The commercial software was PA-DSS certified, but 1 – Firewall configuration 7 – Access to system components and cardholder data 8– Assign unique ID to each person with computer access 9 – Restrict physical access 11– Regularly test security systems and processes 12– Maintain a policy that addresses information security
  24. Managing Compliance
  25. Compliance Finish Line! ?
  26. PCI Compliance Discovery and Assessment Remediation Validation Payments Analysis Merchant Discovery Documentation Preliminary Scanning Gap Analysis Correct Problems Compensating Controls ROC or SAQ Submission Quarterly Scanning Penetration Testing Re-Validate every 12 mos
  27. Awareness Training PCI DSS Red Flags HIPAA FERPA GLBA General Info Security Identity Theft Clery Act Title IX
  28. Online Training: PCI DSS
  29. Online Training: Administration
  30. Closing Thoughts PCI is a journey PCI requires partnerships Requires perseverance Keep the faith
  31. Ron King, CampusGuard rking@campusguard.com (972) 964-8884
More Related