
Payment Card Industry Data Security Standards @ IU

Presented by Ruth A. Harpool, Director, Treasury Operations, Office of The Treasurer, and Chad Marcum, Lead Security Engineer, University Information Security Office.


Presentation Transcript


  1. Payment Card Industry Data Security Standards @ IU
     Ruth A. Harpool, Director, Treasury Operations, Office of The Treasurer
     Chad Marcum, Lead Security Engineer, University Information Security Office

  2. PCI DSS Role Players @ IU • Board of Trustees • Merchants • Office of The Treasurer • UISO • UITS • Purchasing • Legal Counsel • Third Party Vendors • QSA (Trustwave) • YOU

  3. PCI DSS Relationships (diagram): Credit Card Companies, Merchants, Acquiring Bank (USB), Indiana University (Treasurer’s Office), UISO, QSA

  4. CACR Presentation

  5. BREAK

  6. Six PCI DSS Goals • Build and Maintain a Secure Network • Protect Cardholder Data • Maintain a Vulnerability Management Program • Implement Strong Access Control Measures • Regularly Monitor and Test Networks • Maintain an Information Security Policy

  7. Security Controls and Processes for PCI DSS Requirements
     • Build and Maintain a Secure Network
       Requirement 1: Install and maintain a firewall configuration to protect cardholder data
       Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
     • Protect Cardholder Data
       Requirement 3: Protect stored cardholder data
       Requirement 4: Encrypt transmission of cardholder data across open, public networks
     • Maintain a Vulnerability Management Program
       Requirement 5: Use and regularly update anti-virus software
       Requirement 6: Develop and maintain secure systems and applications
     • Implement Strong Access Control Measures
       Requirement 7: Restrict access to cardholder data by business need-to-know
       Requirement 8: Assign a unique ID to each person with computer access
       Requirement 9: Restrict physical access to cardholder data
     • Regularly Monitor and Test Networks
       Requirement 10: Track and monitor all access to network resources and cardholder data
       Requirement 11: Regularly test security systems and processes
     • Maintain an Information Security Policy
       Requirement 12: Maintain a policy that addresses information security

  8-19. Top PCI DSS Violations (built up one requirement per slide; Source: 2008 Trustwave Report)
     80% - Requirement 1: Install and maintain a firewall configuration
     75% - Requirement 2: Do not use vendor-supplied defaults
     88% - Requirement 3: Protect stored cardholder data
     11% - Requirement 4: Encrypt transmission of cardholder data
     41% - Requirement 5: Use and regularly update anti-virus software
     94% - Requirement 6: Develop and maintain secure systems and apps
     25% - Requirement 7: Restrict access to cardholder data by need to know
     63% - Requirement 8: Assign a unique ID to each person with access
     12% - Requirement 9: Restrict physical access to cardholder data
     91% - Requirement 10: Track and monitor all access to resources
     91% - Requirement 11: Regularly test security systems and processes
     75% - Requirement 12: Maintain a policy that addresses info security

  20-30. Ten Common Myths of PCI DSS

  31. Build and Maintain a Secure Network
     Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data (26 sub-requirements)
     Responsibility: Merchants, UITS, Treasury, UISO
     How can you help?

  32. Headlines
     Novice computer hacking kits found for sale on eBay
     UT Arlington File Server with Records on 27,000 Breached Four Times
     Submitted by Adam Dodge on Fri, 2010-07-23 06:19
     Quick Facts: Date: 7/23/2009; Institution: University of Texas, Arlington; Type of Incident: Penetration; Number Affected: 27,000; Source: ESI; Abstract Source: University of Texas, Arlington
     Abstract: The University of Texas, Arlington recently notified students, faculty and staff after the breach of a file server containing personal information. The file server, used by the university's Student Health Center, contained the names, addresses, prescription names, amount spent and diagnostic codes of 27,000 students, faculty and staff between 2000 and June 2010, including 2,048 Social Security numbers. The compromise was discovered on June 21, 2010 by IT staff and an investigation uncovered the server had been breached on four occasions between February 2009 and February 2010.

  33. Build and Maintain a Secure Network
     Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (13 sub-requirements)
     Responsibility: Merchants (every user, every machine), UITS
     How can you help?

  34. Headlines
     Vendor-Supplied Backdoor Passwords – A Continuing Vulnerability
     Retailers Sue POS Vendor
     “One of the key accusations against Computer World is that it used vendor default passwords for systems with many of these restaurants, for easier remote administration. The lawsuit correctly points out that PCI bans retailers from using such vendor default passwords.”
     Read more: http://www.storefrontbacktalk.com/securityfraud/retailers-suing-card-processor-questions-raised-as-to-where-pci-duties-stop/#ixzz0ymIKSDPF

  35. Protect Cardholder Data
     Requirement 3: Protect stored cardholder data (28 sub-requirements)
     Responsibility: Merchants, Treasury
     How can you help?

  36. Headlines
     Email Attachment Contains Arkansas State University Employee Information
     Submitted by Adam Dodge on Thu, 2010-09-02 06:31
     Quick Facts: Date: 9/2/2010; Institution: Arkansas State University; Type of Incident: Unauthorized Disclosure; Number Affected: 2,484; Source: ESI

  37. Headlines
     Laptop Stolen From Locked Office at University of Kentucky
     Submitted by Adam Dodge on Thu, 2010-08-19 06:32
     Quick Facts: Date: 8/19/2010; Institution: University of Kentucky; Type of Incident: Theft; Number Affected: 2,027; Source: DataBreaches.net; Abstract Source: University of Kentucky Public Notice
     Abstract: The University of Kentucky is working to notify parents after a laptop was stolen from the university's Newborn Screening Program. The laptop, which was taken from a locked office in the Department of Pediatrics Newborn Screening Program, contained the names, medical record numbers, dates of birth, diagnosis, mothers' name and mothers' Social Security numbers on 2,027.

  38. Protect Cardholder Data
     Requirement 4: Encrypt transmission of cardholder data across open, public networks (4 sub-requirements)
     Responsibility: Merchants, Treasury
     How can you help?

  39. Headlines
     • Encryption Implementation Really Matters
     • Written by Walter Conway, August 26th, 2010. Read more: http://www.storefrontbacktalk.com/securityfraud/encryption-implementation-really-matters/#ixzz0ymKXbVcS

  40. Maintain a Vulnerability Management Program
     Requirement 5: Use and regularly update anti-virus software or programs (7 sub-requirements)
     Responsibility: Merchants, UITS
     How can you help?

  41. Headlines
     August 17, 2000 9:15 AM PDT: New strain of "Love" virus steals passwords. Read more: http://news.cnet.com/2100-1023-244593.html#ixzz0ymNOafk9
     February 18, 2010: New computer virus steals your log-in info for Facebook, Yahoo and Hotmail

  42. Headlines
     Sep 1, 2010: Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College
     Cyber crooks stole just shy of $1 million from a satellite campus of The University of Virginia last week, KrebsOnSecurity.com has learned. The attackers stole the money from The University of Virginia’s College at Wise, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia. According to several sources familiar with the case, thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

  43. Maintain a Vulnerability Management Program
     Requirement 6: Develop and maintain secure systems and applications (40 sub-requirements)
     Responsibility: Merchants, UITS
     How can you help?

  44. Headlines
     Even antivirus vendors warn their solutions are not enough. "A lot of people will buy one product and expect it to do everything -- and it doesn't," says GFI's Eckelberry, which recently bought security application maker Sunbelt Software. "In the past, you could rely on your AV product to catch everything, but it can't anymore. I have some of the coolest technology in the world, but I know what it is like out there. It will not catch everything." Companies should secure employees against their own behavior just as a parent childproofs a house, Eckelberry says. "It may be a terrible analogy," he says, "but as an IT manager, you have to expect that users are going to bumble around and break glass objects."

  45. Lunch Break 12-1

  46. Security Controls and Processes for PCI DSS Requirements (the twelve requirements under the six goals, repeated from slide 7)

  47. Implement Strong Access Control Measures
     Requirement 7: Restrict access to cardholder data by business need to know (9 sub-requirements)
     Responsibility: Merchants, UITS
     How can you help?

  48. Headlines
     Study: 80% of Organizations Suffer Breaches, Most From the Inside
     “If you still think nameless, faceless bad hackers are the biggest threat, think again: Three quarters of all data breaches in the U.S. are at the hands of insiders at the organization -- most inadvertent, but some malicious –” Source: Security DARKreading, October 2008, http://www.darkreading.com/security/government
     New Facebook ID Theft scam: 'Dislike' button
     Monday, August 16, 2010, Charlotte Observer: The Better Business Bureau warns Facebook users against clicking a ‘dislike’ button, citing a new identity theft scam.

  49. Implement Strong Access Control Measures
     Requirement 8: Assign a unique ID to each person with computer access (25 sub-requirements)
     Responsibility: Merchants, UITS
     How can you help?

  50. Headlines
     Two Factor Authentication required for remote access. Remove/disable inactive users every 90 days. Remove terminated employee’s access immediately.
     • An Employee Leaves, Does Your Data Follow? Carl J. Rychcik; LTN Law Technology News: http://www.law.com; Corporate Counsel, November 09, 2009
     • The days of photocopying documents and sneaking out the door with hard copies are long gone. Most information is now available electronically, and large amounts of data can be copied efficiently and discreetly via computer. The good news is that in many instances, accessing information electronically leaves a distinct trail for a former employer to follow. The bad news, though, is that if the proper steps are not taken, this trail can quickly be lost.
     • In fact, in many cases, simply doing nothing can result in valuable information being lost forever. There are a number of pitfalls to avoid when building a case against a former employee who you believe has taken your confidential information.
