2014 FOA/PSSOA CSU Business Conference
Riding the wave from PCI DSS Ver 2.0 to 3.0
Ed Hudson, Systemwide Director, Information Security
Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento
Summary of Changes
Effective January 2014
Change types:
- Clarification
- Additional Guidance
- Evolving Requirement (20)
5 Key Areas
- Penetration Testing
- Inventorying of System Components
- Vendor Relationships
- Anti-Malware
- Physical Access and Point of Sale (POS)
Penetration Testing (11.3)
- Penetration testing must follow an “Industry Accepted Methodology”
- Best practice until June 30, 2015
- Why is this an issue?
Inventorying System Components (2.4)
- “Maintain an inventory of system components that are in scope for PCI DSS”
- All hardware (virtual or physical)
- Software (commercial or custom)
- Applications (off the shelf, external or internal)
- Requires that assessors “verify a list of hardware and software components including a description of function”
- Authorized wireless APs (11.1.1)
Vendor Relationships (12.8.5 & 12.9)
- Requires explicit documentation
- Which PCI requirements are managed by you, which by a vendor, and which vendors (matrix)
- Matrix
- Contractual requirements
Anti-Malware (5.1.2)
- Requires campuses to “identify and evaluate evolving malware threats for systems not commonly affected”
- Requires specific authorization from management to disable or alter antivirus, and that authorization must be time limited
Physical Access and POS (9.3)
- Control access for onsite personnel
- Access must be authorized and based on job function
- Access revoked immediately upon termination
- Protect devices from tampering/substitution (9.9)
- Consider non-standard POS: food trucks, carts, etc.
- Inventory, regular checking/inspection, and policy
Building a Plan
- Partner on ownership
- Engage senior executives
- Plan
- Communicate
Prioritized Approach
Case Study: Sacramento State
- Partner – SFSC partnered with the campus ISO
- Plan – ISO and SFSC implemented required training, document gathering and periodic review
- Developed a tracking process
- Engaged administration
- Imposed “penalties” for non-compliance (“Shut ‘er Down”)
Case Study: Sacramento State
- ICSUAM Section 3102.05: http://www.calstate.edu/icsuam/sections/3000/3102.05.shtml
- Write a campus policy to support the ICSUAM: http://www.csus.edu/umanual/admin/ADM-0117.html
Case Study: Sacramento State
- Report goes at least annually to the Vice President for Administration and Business Affairs and the Vice President & Chief Information Officer
- To date, 3 departments were “shut down” until they could come into reasonable compliance
Case Study: Sacramento State
- You are welcome to copy our templates for your use
- There is also a sample training presentation available: http://www.csus.edu/irt/is/pci/presentations/index.html