PCI Compliance A Team Effort - PowerPoint PPT Presentation

1
PCI Compliance - A Team Effort
  • VA SCAN 2008 Conference
  • October 6-7, 2008
  • Blacksburg, VA
  • Susan English, Assistant to the Controller,
    Virginia Tech
  • Curtis McNay, Director of IT Security, George
    Mason University

2
Agenda
  • The Standard
  • Who Owns Compliance
  • Two Models for Coordination
  • Challenges - Fiscal Perspective
  • Areas of Confusion
  • PCI DSS version 1.1 vs. 1.2
  • Questions

3
The PCI Data Security Standard
  • The Payment Card Industry Data Security Standard
    (PCI DSS) is a set of comprehensive requirements
    for enhancing payment account data security
  • The PCI DSS is a multifaceted security standard
    that includes requirements for:
    • Security management
    • Policies and procedures
    • Network architecture
    • Software design
    • Other critical protective measures
  • This comprehensive standard is intended to help
    organizations proactively protect customer
    payment data

4
PCI Standard - 6 Goals, 12 Requirements
  • Build and Maintain a Secure Network
    • Install and maintain a firewall
    • Do not use default passwords
  • Protect Cardholder Data
    • Protect stored data
    • Encrypt sensitive information in transit
  • Maintain a Vulnerability Management Program
    • Use and update anti-virus software
    • Develop secure systems and applications
  • Implement Strong Access Control Measures
    • Restrict access to data
    • Assign a unique ID to people with access
    • Restrict physical access
  • Regularly Monitor and Test Networks
    • Track and monitor access to network/data
    • Regularly test systems and processes
  • Maintain an Information Security Policy
    • Maintain an information security policy

5
What Department Should Be Responsible for PCI
Compliance?
According to a survey conducted in May 2008 by
The Treasury Institute for Higher Education
during a PCI DSS Workshop, based on 74
respondents from private and public higher
education institutions:
  • 44 indicate that responsibility for their
    compliance effort is a shared responsibility,
    often involving Audit, Purchasing, Legal and
    other areas in addition to Finance and IT
  • Size of the PCI compliance team depends somewhat
    on the size of the merchant base and the
    commonality of the payment platform

6
PCI Compliance Coordination at VT
  • A decentralized approach, focusing on where the
    expertise lies
  • Controller's Office provides compliance oversight
    and coordination
  • IT Security provides technical expertise,
    manages global IT security issues and performs
    general security reviews
  • Bursar manages the relationship with the bank,
    establishes new merchant IDs and provides credit
    card settlement information monthly to merchant
    fiscal contacts
  • Merchants are responsible for review and
    resolution of issues from quarterly external
    scans, preparation of the annual SAQ, and
    adherence to standards and internal policies for
    safeguarding sensitive information
  • Internal Auditing performs PCI audits and checks
    compliance with policies on safeguarding of
    confidential information

7
PCI Compliance Coordination at GMU
  • A centralized approach for a centralized
    architecture
  • IT Security takes a more central role in
    compliance oversight and coordination. The
    University ISO completes a single Self-Assessment
    Questionnaire (SAQ) for the University. The
    University CIO signs as the executive merchant.
    IT Security can take responsibility for technical
    compliance because almost all PCI-related IT
    assets are managed centrally. Assets have also
    been isolated in clearly defined secure network
    scopes. Standards and requirements supporting the
    centralized architecture are enforced for all new
    requests
  • Controller's Office provides business-rule
    compliance oversight for each merchant. The
    Controller's Office also manages the relationship
    with the bank, approves new requests, establishes
    new merchant IDs and provides credit card
    settlement information to merchants. The office
    also reviews and approves business-related PCI
    SAQ responses
  • Merchants are responsible for complying with the
    Controller's Office's policy and procedures and
    thereby PCI business standards
  • Internal Auditing performs PCI audits and checks
    compliance with policies on safeguarding of
    confidential information

8
PCI Challenges - Fiscal Perspective
  • Decentralized Environment
    • Non-homogeneous merchant environment
    • Defining roles
  • Centralized Environment
    • Greater burden on central authority
    • Central authority assumes most of the costs
  • Creating Awareness - Requirement 12
    • Development of written policies and procedures
    • Communication and training of the university
      community
    • Requirement 12.6: upon hire and at least
      annually, employees must acknowledge they have
      read and understood their employer's security
      policies and procedures
  • Review of business processes
    • Linkages to other fiscal policies/procedures
    • Linkages to security of sensitive information
  • Ensuring compliance by existing merchants
  • Creating an audit trail

9
More Challenges - Fiscal Perspective
  • Funding Challenges
    • Treasury Institute May 2008 survey indicates
      private institutions are much more likely (92%)
      to fund PCI compliance centrally than public
      institutions (60%)
    • Does it take a breach to secure ample financial
      resources to create a well-coordinated PCI
      compliance effort?
  • Who pays for:
    • Quarterly ASV scans
    • Remediation costs
    • Hosting fees
    • Migration to a central platform vs. decentralized
      processing based on business needs

10
Areas of Confusion
  • Requirement 11 - Regularly test security systems
    and processes
    • Do we need externally conducted penetration
      tests?
      • NO! Internal and external penetration tests
        are necessary BUT are not required to be
        performed by a Qualified Security Assessor
        (QSA) or Approved Scanning Vendor (ASV)
      • https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf
    • Do we need to hire an external Approved Scanning
      Vendor (ASV)?
      • YES! Must hire an ASV to perform, at a
        minimum, quarterly Internet scans of all
        outward-facing IP addresses that are in scope
        for PCI compliance
      • https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

11
Areas Of Confusion
  • Requirement 11 - Regularly test security systems
    and processes
    • Do I have to report my scanning results to my
      acquirer?
      • Per guidance on Visa's CISP page, for Level 4
        merchants, reporting of results is optional,
        but results must be provided if requested and
        a log of scanning results should be kept
      • http://usa.visa.com/merchants/risk_management/cisp_merchants.html
      • Note: reporting of results for Level 1-3
        merchants is mandatory
  • General - Network Segmentation
    • What is meant by "adequate network segmentation"
      in the PCI DSS?
      • The use of private VLANs, firewalls, access
        controls and IP filtering that partitions and
        isolates the network space can narrow the scope
        of assessment. A clear guideline does not
        exist. If in doubt, consult with a Qualified
        Security Assessor (QSA)
      • http://selfservice.talisma.com/display/2/index.aspx?c58cpcMSdA03B2IfY15uvLEKtr40R5a5pV2lnCUb4i1Qj2q2gcid81catcatURLr0.223705112934113

12
Areas Of Confusion
  • General - Self-Assessment Questionnaire
    • What Self-Assessment Questionnaire (SAQ) do I
      use?
      • SAQ A: For e-commerce merchants only; all
        functions involving cardholder data are
        outsourced
      • SAQ B: If you take imprints but don't
        electronically store data, or only accept
        transactions via a stand-alone analog terminal
        and don't electronically store data
      • SAQ C: If you have internet-accessible IT
        systems but don't store CC data
      • SAQ D: Everyone else.
      • https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf
    • See "Description of CC Data" - PCI DSS
      Standard 1.1, sections 3.2.1-3.2.3

13
Changes and Clarification - PCI DSS Version 1.1
to Version 1.2
  • From Ambiguity to Clarity?
  • The standard and assessment procedures documents
    are no longer separate but one document.
  • Requirement 4.1.1
    • WEP is prohibited after June 10th, 2010. Any WEP
      still in use must have been implemented before
      March 31, 2009. If you haven't gone there, just
      don't do it. If you are using WEP, plan on
      getting off soon. Implement wireless according
      to industry best practices (WPA2)
  • Requirement 5.1
    • Deploy anti-virus software on all systems
      commonly affected by malicious software. Deleted
      the note stating "Systems commonly affected by
      viruses typically do not include UNIX-based
      operating systems or mainframes."

14
More Changes - Version 1.1 to Version 1.2
  • Requirement 6.6
    • For public-facing web applications, ensure that
      one of the following methods is in place:
      • Verify that public-facing web applications are
        reviewed (using either manual or automated
        vulnerability security assessment tools or
        methods), at least annually and after any
        changes
      • Verify that a web-application firewall is in
        place in front of public-facing web
        applications to detect and prevent web-based
        attacks
  • Requirement 7.1
    • Better defined and more prescriptive access
      control requirements.
    • PCI DSS 1.1: "least privileges" statement.
      PCI DSS 1.2: use role-based access control
    • PCI DSS 1.1: establish a mechanism to restrict
      access based on need to know. PCI DSS 1.2:
      require an authorization form

15
  • Questions?
  • Susan English, 540-231-8560, senglish_at_vt.edu
  • Curtis McNay, 703- 993-4183, cmcnay_at_gmu.edu