PCI COMPLIANCE
North Carolina Community College System
IIPS Conference – Spring 2009
Jason Godfrey, IT Security Manager
(919) [email protected]
AGENDA
PCI Data Security Standard (DSS)
Latest Data Security Standard
Compliance Process
Becoming Compliant
Maintaining Compliance
Determining Which SAQ
General Tips
Prioritizing Milestones
Challenges
Additional Information
Q & A - Open Forum
PCI DATA SECURITY STANDARD (DSS)
LATEST DATA SECURITY STANDARD
Current version is 1.2, released October 2008
Majority of changes are explanatory and clarifications
Three enhancements:
Section 4.1.1 – Testing requirements and wireless encryption standards
Appendix D: attestations and compliance forms
Appendix E: attestations and compliance forms
Attestation
COMPLIANCE PROCESS
Compliance (process / procedures)
Validation (SAQ / vulnerability scans)
BECOMING COMPLIANT
1. PCI DSS Scoping – determine what system components are governed by PCI DSS
2. Sampling – examine the compliance of a subset of system components in scope
3. Compensating Controls – QSA validates alternative control technologies/processes
4. Reporting – merchant/organization submits required documentation
5. Clarifications – merchant/organization clarifies/updates report statements (if applicable)
MAINTAINING COMPLIANCE
Remediate
Report
Assess
DETERMINING WHICH SAQ
GENERAL TIPS
Never store sensitive card data:
Full content of the magnetic stripe
Card validation codes and values
PIN blocks
Contact your POS vendor regarding PCI compliance
Don't store cardholder data if you don't need it
Minimize scope
Prioritize requirements
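The "never store" tips above in working form: an added example, not from this presentation, that scans application log lines for stored track data, bare PANs and card validation codes, the kind of check worth running on POS and web-server logs before a SAQ. The regexes, function names and the sample log lines are my own assumptions, and the card numbers are constructed test numbers, not real accounts.

```python
# Added example: flag sensitive authentication data that PCI DSS forbids storing after authorisation
import re

# Track 2 as written by a swipe: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d{3}[^?]*\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM ... '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})[^?]*\?")
# Bare 13-19 digit PAN, digits optionally separated by spaces or hyphens (not already masked)
PAN_RE = re.compile(r"(?<![\d*])(?:\d[ -]?){12,18}\d(?![\d*])")
# Card validation code stored next to its label (cvv, cvv2, cvc, cvc2, cid)
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that filters out order numbers which merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan: str) -> str:  # first six and last four digits, the most PCI DSS lets you display
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (finding kind, masked PAN or code length) pairs for one log line."""
    findings = []
    for kind, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask(m.group(1))))
    if not findings:  # a track hit already covers the PAN embedded in it
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(("pan", mask(digits)))
    for m in CVV_RE.finditer(line):
        findings.append(("cvv", f"{len(m.group(1))} digits"))  # never echo the code itself
    return findings

def scan_log(text: str) -> list:  # (line number, kind, detail) for every finding in a log
    return [(n, k, d) for n, ln in enumerate(text.splitlines(), 1) for k, d in scan_line(ln)]

# Constructed sample log (hypothetical POS debug output; test card numbers only)
SAMPLE_LOG = """\
2009-03-02 10:14:03 auth ok pan=411111******1111 amount=42.10
2009-03-02 10:15:44 DEBUG raw swipe ;4111111111111111=12011010000000000000?
2009-03-02 10:16:09 DEBUG raw swipe %B5500000000000004^DOE/JANE^1201101000000000?
2009-03-02 10:17:30 order 10042 card=4111111111111111 cvv=123
2009-03-02 10:18:01 ticket 1234567890123456 closed
"""
```

Only the masked line and the Luhn-invalid ticket number pass clean; PIN blocks have no fixed textual form, so this scanner does not look for them.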
PRIORITIZING MILESTONES [1]
1. Remove sensitive authentication data and limit data retention.
2. Protect the perimeter, internal, and wireless networks.
3. Secure payment card applications.
4. Monitor and control access to your systems.
5. Protect stored cardholder data (security classes).
6. Finalize remaining compliance efforts, and ensure all controls are in place.
[1] The Prioritized Approach to Pursue PCI DSS Compliance
CHALLENGES
Documenting policies, processes, and procedures
Storing backups in a secured manner (off-site is preferable)
Separation of duties
Local payment card applications
Hardware and software
CCTV
File monitoring
Audit trails
Internal and external penetration tests
Training
Management buy-in and user acceptance
ADDITIONAL INFORMATION
PCI Council
https://www.pcisecuritystandards.org
PCI Council Navigating the SAQ
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
PCI Council Quick Guide
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
PCI Prioritized Approach
https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach_PCI_DSS_1_2.pdf
Trustwave General Questions – (800) 363-1621 [email protected]
ADDITIONAL INFORMATION
System Office – contact the CIS Help Desk
US CERT
http://www.us-cert.gov/
SANS Institute
http://www.sans.org/
NC ITS State-wide Security Manual
http://www.scio.state.nc.us/SITPoliciesAndStandards/Statewide_Information_Security_Manual.asp
Open Source applications: Network Security Tool (NST), Snort, Untangle, Zenoss
OPEN FORUM
Q & A