North Carolina Community College System IIPS Conference – Spring 2009 PCI Compliance Jason Godfrey IT Security Manager (919) 807-7054 godfreyj@nccommunitycolleges.edu
Agenda • PCI Data Security Standard (DSS) • Latest Data Security Standard • Compliant Process • Becoming Compliant • Maintaining Compliance • Determining Which SAQ • General Tips • Prioritizing Milestones • Challenges • Additional Information • Q & A - Open forum
Latest Data Security Standard • Current version is 1.2 • Released October 2008 • Majority of changes are explanatory and clarifications • Three enhancements • Section 4.1.1 – Testing requirements and wireless encryption standards (WEP is no longer permitted for new wireless implementations after March 31, 2009, or for existing implementations after June 30, 2010) • Appendix D: Attestation of Compliance – Merchants • Appendix E: Attestation of Compliance – Service Providers
Compliance Process 1. Compliance – processes and procedures in place 2. Validation – Self-Assessment Questionnaire (SAQ) and quarterly vulnerability scans 3. Attestation – signed Attestation of Compliance submitted to the acquirer
Becoming Compliant 1. PCI DSS Scoping – determine what system components are governed by PCI DSS 2. Sampling – examine the compliance of a subset of system components in scope 3. Compensating Controls – QSA validates alternative control technologies/processes 4. Reporting – merchant/organization submits required documentation 5. Clarifications – merchant/organization clarifies/updates report statements (if applicable)
General Tips • Never store sensitive authentication data after authorization, even if encrypted: • Full content of the magnetic stripe (track data) • Card validation codes and values (the three- or four-digit code printed on the card) • PIN blocks • Contact your POS vendor regarding PCI compliance • Don't store cardholder data if you don't need it • Minimize scope • Prioritize requirements
Prioritizing Milestones (from the PCI SSC Prioritized Approach to Pursue PCI DSS Compliance) • 1. Remove sensitive authentication data and limit data retention. • 2. Protect the perimeter, internal, and wireless networks. • 3. Secure payment card applications. • 4. Monitor and control access to your systems. • 5. Protect stored cardholder data. • 6. Finalize remaining compliance efforts, and ensure all controls are in place.
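Milestone 1 (remove sensitive authentication data, limit retention) and the "never store sensitive card data" tip both start with finding out whether your POS logs, databases or backups already hold such data. The following scanner is an added example, not part of the original slides or any NCCCS tooling. It flags candidate PANs (13–19 digits that pass the Luhn check), ISO 7813 track 1 / track 2 data, card validation codes and PIN blocks in text, and reports PANs masked to first six / last four. The log lines are constructed for the example; the field names `cvv2=` and `pinblock=` are assumptions about how a particular POS might log them, so adjust the patterns to your own logs. A Luhn-valid 13–19 digit number is only a candidate: order numbers pass Luhn about one time in ten, so findings need human review.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (which would be a timestamp or hash).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
_TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary data>?
_TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]*\?")
# Assumed log field names for card validation codes and PIN blocks (16 hex digits).
_CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[:=]\s*\d{3,4}\b", re.I)
_PIN_BLOCK_RE = re.compile(r"\bpin[_ ]?block\s*[:=]\s*[0-9A-Fa-f]{16}\b", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "PAN", "TRACK1", "TRACK2", "CVV", "PIN_BLOCK"
    masked: str  # never the raw value: the report itself must not become stored CHD


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four are the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []
        # Track data first: it contains the PAN, so record it once, as track data.
        for kind, rx in (("TRACK1", _TRACK1_RE), ("TRACK2", _TRACK2_RE)):
            for m in rx.finditer(line):
                pan = re.search(r"\d{13,19}", m.group()).group()
                findings.append(Finding(n, kind, mask_pan(pan)))
                covered.append(m.span())
        for kind, rx in (("CVV", _CVV_RE), ("PIN_BLOCK", _PIN_BLOCK_RE)):
            for m in rx.finditer(line):
                findings.append(Finding(n, kind, "<redacted>"))
        for m in _PAN_RE.finditer(line):
            if any(a <= m.start() < b for a, b in covered):
                continue            # already reported as part of track data
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(n, "PAN", mask_pan(digits)))
    return findings


# Constructed sample log, using the well-known Visa test PAN 4111 1111 1111 1111.
SAMPLE_LOG = """\
2009-03-12 10:15:02 POS01 sale approved card=4111 1111 1111 1111 exp=1012 amt=42.10
2009-03-12 10:15:02 POS01 debug track2=;4111111111111111=10121011000012345678?
2009-03-12 10:16:40 POS02 auth request cvv2=123 amt=9.99
2009-03-12 10:17:05 POS02 order=1234567890123456 status=shipped
2009-03-12 10:18:30 POS03 pinblock=1A2B3C4D5E6F7A8B
2009-03-12 10:19:01 POS01 debug track1=%B4111111111111111^DOE/JOHN^10121011000000000?
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Line 4 is deliberately a 16-digit order number that fails Luhn and is therefore not reported; lines 2 and 6 show why track data is the worst case: the discretionary data after the expiry date is what Requirement 3.2 forbids storing, and the PAN inside it is reported once, as track data, rather than twice.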
Challenges • Documenting policies, processes, and procedures • Storing backups in a secured manner (off-site is preferable) • Separation of duties • Local payment card applications • Hardware and software • CCTV • File integrity monitoring • Audit trails • Internal and external penetration tests • Training • Management buy-in and user acceptance
Additional Information • PCI Council https://www.pcisecuritystandards.org • PCI Council Navigating the SAQ https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf • PCI Council Quick Guide https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf • PCI Prioritized Approach https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach_PCI_DSS_1_2.pdf • Trustwave • General Questions – (800) 363-1621 • support@trustwave.com
Additional Information • System Office – contact the CIS Help Desk • US CERT http://www.us-cert.gov/ • SANS Institute http://www.sans.org/ • NC ITS State-wide Security Manual http://www.scio.state.nc.us/SITPoliciesAndStandards/Statewide_Information_Security_Manual.asp • Open Source applications • Network Security Toolkit (NST) • Snort • Untangle • Zenoss
Open Forum Q & A