Security Update - Information Security Office

Report
PCI DSS IT Security Training
for University of Tennessee Credit
Card Merchants
UT System Administration
Information Security Office
UTSA Information Security Office
• Chief Information Security Officer
– A. J. Wright
• IT Security Oversight Team
– Jeremy Parrott
– Nick Sweet
Sandy Lindsey
[email protected]
Jeremy Parrott
[email protected]
Charlie Seitz
[email protected]
John Sturgis
[email protected]
Nick Sweet
[email protected]
David Bean
[email protected]
• IT Security Compliance
– Sandy Lindsey
• UTSA IT Security Services
– John Sturgis
• Campus On-site Staff
– UTC: David Bean
– UTM: Charlie Seitz
– UTHSC: Hiring in Memphis!
UTSA ISO Services
• IT Security Oversight
– Assessments: Independent Validation and Verification
– Compliance with Legal and Industry Regulations
• Security and IT Policy Administration
• Compliance-Related Incident Response Coordination
– IT System Forensics
• Operational Security Services to UTSA
Agenda
•
•
•
•
Overview of PCI DSS
PCI Requirements
Roles and Responsibilities
Next Steps
All materials available at:
http://tiny.utk.edu/pci-training
(and I’ll show that again on the last slide.)
Payment Card Industry - Data Security Standard
• PCI DSS (2004)
– Increase security
protections
– Reduce Fraud
– Protect card holders
Where PCI Applies
PCI DSS requirements are applicable to credit card
Merchants.
By itself, use of Cardholder Data (CDH) does not
necessarily require PCI compliance.
PCI applies to paper as well as electronic storage.
Compliance Flow
PCI Security Council
Issuers and Acquirers
Merchants
The Importance of PCI Compliance
Why is PCI Important?
• To manage risk
• To protect consumer data
• Losses due to fraud
• Negative publicity
• Loss of consumer
confidence
• Threat of enforced
regulation
Why comply with PCI?
• To manage your risk
• To protect your data
• To avoid punitive measures
• Potentially significant fines
– incrementally increases
• To continue processing
credit cards
Last year, 125 merchants across the
University processed 962,000 credit
card transactions, totaling around
$165 million.
125 PCI Merchants at UT in 2012
IPS, 1
UTSI, 2
Merchant: an entity that
enters into a card acceptance
agreement with an acquirer
or processor.
C
C-VT
D
UTIA, 3
SAQ
B
GSM, 4
VetMed, 6
SAQ
A
UTM, 15
UTC, 16
UTHSC, 18
UTK, 59
Penalties for Non-Compliance
• Fines can include the following:
– Fines of $500,000 per data security incident
– Fines of $50,000 per day for non-compliance with published standards
– Liability for all fraud losses incurred from compromised account
numbers
– Liability for the cost of re-issuing cards associated with the
compromise
– Suspension of merchant accounts
• Incident investigation must be performed by external company
certified by PCI group (estimated $30k - $300k)
• UT Fiscal Policy 311 states that:
– “University Departments/Units [that process credit cards are]
financially responsible for all costs associated with PCI compliance, as
well as any fines, fees and remediation expenses associated with
security breach.”
Self Assessment Questionnaires (SAQs)
Complexity and Risk
• SAQ A
– All cardholder data functions outsourced
• SAQ B
– Imprint-only or dial out terminals
• SAQ C
– Payment applications
• SAQ C-VT
– Web-based virtual terminals
• SAQ D
– All other types
Self Assessment Questionnaire (SAQ) Requirements
A B C C-VT D
1
Install and maintain a firewall configuration to protect cardholder data
x
x
x
2
Do not use vendor-supplied defaults for system passwords and other security
parameters
x
x
x
3
Protect stored cardholder data
x x
x
x
4
Encrypt transmission of cardholder data across open, public networks
x x
x
x
5
Use and regularly update anti-virus software or programs
x
x
x
6
Develop and maintain secure systems and applications
x
x
x
7
Restrict access to cardholder data by business need to know
x x
x
x
8
Assign a unique ID to each person with computer access
9
Restrict physical access to cardholder data
10
Track and monitor all access to network resources and cardholder data
11
Regularly test security systems and processes
12
Maintain a policy that addresses information security for all personnel
x
x x x
x
x
x
x
x
x x x
x
x
x
UT Fiscal Policy FI0311
• Requirements and guidelines for credit card
processing activities at UT
– Process for obtaining a Merchant ID
• Outlines roles, responsibilities, and approval
process
– UTSA ISO, ACS, IT POAs, CBOs,
Treasurer’s Office, Merchant Depts.
• Available on UT Policy website:
http://tennessee.edu/policy
Roles & Responsibilities from FI0311
• UTSA Information Security Office:
– Consulting, guidance, and oversight related to
PCI compliance and IT Security controls
– Review technical implementations related to PCI
– Incident response coordination
– Quarterly security scans coordination
– Validate SAQs annually
• Audit and Consulting Services:
– Review departmental policies and procedures
Roles & Responsibilities from FI0311
IT Position of Authority
(Campus/Institute):
•
•
•
•
Provide compliance support and consulting
Identify and review systems in PCI scope
Provide technical guidance
Ensure a segmented cardholder data
environment exists
Roles & Responsibilities from FI0311
Campus/Institute Chief Business Officers:
• Approve the business need for a Merchant ID
• Attest to SAQ accuracy (with signature)
• Monitor PCI compliance
Roles & Responsibilities from FI0311
Treasurer’s Office:
• Oversee credit card accounting for approved
merchants
• Manage the Merchant ID approval process
• Maintain the relationship with the University’s
processor
Merchant Responsibilities from FI0311
• Complete Annual SAQ and maintain compliance
– Notify Treasurer’s Office of any change in processing
• Protect cardholder data and ensure appropriate security
controls
–
–
–
–
Internal Procedures
Technical controls on computers that process PCI data
Update software on any terminals every 18 months.
Place computers in the segmented cardholder data environment
(SAQ C, C-VT, D)
• Immediately notify UTSA ISO in the event of a data breach
• Financially responsible for costs associated with
compliance: fines, fees, and remediation expenses
High-Level Compliance Requirements
• Annual Self Assessment Questionnaire
– Incomplete SAQ = Non-Compliant
• Annual Scope Verification
– What systems are required to be PCI compliant?
• Quarterly Vulnerability Scans (SAQ C & D)
• Segmented Cardholder Data Environment
(SAQ C, C-VT, and D)
• Full text available online:
https://www.pcisecuritystandards.org/
Cardholder Data Storage Requirements
• Card Security Code may not be stored after initial
transaction approval. (CVC2, CVV2, CID)
• Credit card numbers must only be stored in one
location (except backups.)
• Complete cardholder information may not be
stored in an unprotected manner.
• All computers that handle, process, or store card
numbers must be registered.
• Merchants may not use mobile phones for
processing.
PCI Incident Response
• Report Security Incidents to UTSA ISO
– Computer, network, or paper-based activity
– (May) result in
Example Security Incidents:
•
•
•
•
•
Misuse
Damage
Denial of service
Compromise of integrity
Loss of confidentiality
•
•
•
•
•
Attacks launched on others
Compromise of user account
Compromise of computer systems
Viruses, Worms, and Trojan Horses
Disclosure of protected data
• Unauthorized access
• E-mail release
• Inadvertent posting a web site
• Need to demonstrate prompt response
Primary Risk Area
• Attacks on Users
– Phishing & Social Engineering
– Malicious websites
• Unpatched systems
– System & application vulnerabilities
– Zero-day vulnerabilities
• Limit exposure to email
and Internet sites
Review
•
•
•
•
Overview of PCI DSS
PCI Requirements
Roles and Responsibilities
Next Steps
Next Steps
• Complete Annual SAQ
– Questions? Contact Treasurer’s Office or ISO
• Review Documentation
– Policy FI0311
– SAQ Requirements Documents
• Reduce PCI scope
– Move information systems into the cardholder data
environment
• Reduce PCI risk
– Outsource credit card processing
– Minimize UT exposure to cardholder data
– Reduce exposure to websites and email
Thank you!
Questions?
This information is available on the PCI Training website:
http://tiny.utk.edu/pci-training

similar documents