1 / 14

PCI Compliance

North Carolina Community College System IIPS Conference – Spring 2009. PCI Compliance. Jason Godfrey IT Security Manager (919) 807-7054 godfreyj@nccommunitycolleges.edu. Agenda. PCI Data Security Standard (DSS) Latest Data Security Standard Compliant Process Becoming Compliant

star
Télécharger la présentation

PCI Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. North Carolina Community College System IIPS Conference – Spring 2009 PCI Compliance Jason Godfrey IT Security Manager (919) 807-7054 godfreyj@nccommunitycolleges.edu

  2. Agenda • PCI Data Security Standard (DSS) • Latest Data Security Standard • Compliant Process • Becoming Compliant • Maintaining Compliance • Determining Which SAQ • General Tips • Prioritizing Milestones • Challenges • Additional Information • Q & A - Open forum

  3. PCI Data Security Standard (DSS)

  4. Latest Data Security Standard • Current version is 1.2 • Released October 2008 • Majority of changes are explanatory and clarifications • Three enhancements • Section 4.1.1 – Testing requirements and wireless encryption standards • Appendix D: attestations and compliance forms • Appendix E: attestations and compliance forms

  5. Compliance Process Compliance (Process\Procedures) • Validation (SAQ\ Vulnerability Scans) Attestation

  6. Becoming Compliant 1. PCI DSS Scoping – determine what system components are governed by PCI DSS 2. Sampling – examine the compliance of a subset of system components in scope 3. Compensating Controls – QSA validates alternative control technologies/processes 4. Reporting – merchant/organization submits required documentation 5. Clarifications – merchant/organization clarifies/updates report statements (if applicable)

  7. Maintaining Compliance

  8. Determining Which SAQ

  9. General Tips • Never store sensitive card data • Full content of the magnetic strip • Card validation codes and values • PIN blocks • Contact your POS vendor regarding PCI compliance • Don’t store card holder data if you don’t need it • Minimize scope • Prioritize requirements

  10. Prioritizing Milestones1 • Remove sensitive authentication data and limit data retention. • Protect the perimeter, internal, and wireless networks. • Secure payment card applications. • Monitor and control access to your systems. • Protect stored cardholder data (security classes). • Finalize remaining compliance efforts, and ensure all controls are in place. 1 The Prioritized Approach to Pursue PCI DSS Compliance

  11. Challenges • Documenting policies, processes, and procedures • Storing backups in secured manner (off-site is preferable) • Separation of duties • Local payment card applications • Hardware and software • CCTV • File monitoring • Audit trails • Internal and external penetration tests • Training • Management buy-in and user acceptance

  12. Additional Information • PCI Council https://www.pcisecuritystandards.org • PCI Council Navigating the SAQ https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf • PCI Council Quick Guide https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf • PCI Prioritized Approach https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach_PCI_DSS_1_2.pdf • Trustwave • General Questions – (800) 363-1621 • support@trustwave.com

  13. Additional Information • System Office – contact the CIS Help Desk • US CERT http://www.us-cert.gov/ • SANS Institute http://www.sans.org/ • NC ITS State-wide Security Manual http://www.scio.state.nc.us/SITPoliciesAndStandards/Statewide_Information_Security_Manual.asp • Open Source applications • Network Security Tool (NST) • Snort • Untangle • Zenoss

  14. Open Forum Q & A

More Related