![Page 1: North Carolina Community College System IIPS Conference – Spring 2009 Jason Godfrey IT Security Manager (919) 807-7054 godfreyj@nccommunitycolleges.edu](https://reader036.vdocuments.site/reader036/viewer/2022073121/56649e6b5503460f94b698d4/html5/thumbnails/1.jpg)
PCI COMPLIANCE
North Carolina Community College System
IIPS Conference – Spring 2009
Jason Godfrey, IT Security Manager
(919) 807-7054
godfreyj@nccommunitycolleges.edu
AGENDA
PCI Data Security Standard (DSS)
Latest Data Security Standard
Compliance Process
Becoming Compliant
Maintaining Compliance
Determining Which SAQ
General Tips
Prioritizing Milestones
Challenges
Additional Information
Q & A - Open forum
PCI DATA SECURITY STANDARD (DSS)
LATEST DATA SECURITY STANDARD
Current version is 1.2
Released October 2008
Majority of changes are explanatory and clarifications
Three enhancements:
Section 4.1.1 – Testing requirements and wireless encryption standards
Appendix D: attestations and compliance forms
Appendix E: attestations and compliance forms
COMPLIANCE PROCESS
Compliance (Processes / Procedures)
Validation (SAQ / Vulnerability Scans)
Attestation
BECOMING COMPLIANT
1. PCI DSS Scoping – determine what system components are governed by PCI DSS
2. Sampling – examine the compliance of a subset of system components in scope
3. Compensating Controls – QSA validates alternative control technologies/processes
4. Reporting – merchant/organization submits required documentation
5. Clarifications – merchant/organization clarifies/updates report statements (if applicable)
MAINTAINING COMPLIANCE
Remediate
Report
Assess
DETERMINING WHICH SAQ
GENERAL TIPS
Never store sensitive authentication data:
  Full content of the magnetic stripe
  Card validation codes and values
  PIN blocks
Contact your POS vendor regarding PCI compliance
Don't store cardholder data if you don't need it
Minimize scope
Prioritize requirements
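A practical way to act on "don't store cardholder data if you don't need it" and "minimize scope" is to find out where card data actually sits in exports, logs and backups. The scanner below is an added example, not code from the original slides or from NCCCS: it looks for Luhn-valid PAN candidates and full track 1 / track 2 data in text and reports each hit masked to the last four digits, so the report itself does not become another store of cardholder data. The sample log lines, the regular expressions and the Finding type are all this example's own constructions.

```python
"""
Find cardholder data at rest in text (exports, application logs, backups).
Reports Luhn-valid PAN candidates and full magnetic-stripe track data, masked.
Added example; the sample input below is constructed, not real data.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# Track 1 layout: %B PAN ^ NAME ^ YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits, the form PCI DSS allows to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line; track data is reported first, then bare PANs."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append(Finding(n, kind, mask(m.group(1))))
            # blank the track so its PAN is not reported a second time below
            line = rx.sub(" ", line)
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan):
                findings.append(Finding(n, "pan", mask(pan)))
    return findings


# Constructed sample: an export that retains data it should never have kept.
# 4111111111111111 and 5555555555554444 are well-known test card numbers.
SAMPLE_LOG = """\
2009-03-02 POS export: cust=DOE/JOHN pan=4111 1111 1111 1111 exp=2512
2009-03-02 swipe dump: %B4111111111111111^DOE/JOHN^25121010000000000000?
2009-03-02 swipe dump: ;5555555555554444=25121010000000000000?
2009-03-02 order id 1234567890123 total=19.99
2009-03-02 last4 only: ****4444 auth=OK
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}")
```

Lines 1 to 3 are reported (a bare PAN, then track 1 and track 2 data); the 13-digit order id on line 4 fails the Luhn check and the last-four-only line produces nothing. In a real sweep, point `scan_text` at each file or table export in turn and treat every track finding as a retention-policy violation to remediate, not just a scope question.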
PRIORITIZING MILESTONES
1. Remove sensitive authentication data and limit data retention.
2. Protect the perimeter, internal, and wireless networks.
3. Secure payment card applications.
4. Monitor and control access to your systems.
5. Protect stored cardholder data (security classes).
6. Finalize remaining compliance efforts, and ensure all controls are in place.
Source: The Prioritized Approach to Pursue PCI DSS Compliance
CHALLENGES
Documenting policies, processes, and procedures
Storing backups in a secured manner (off-site is preferable)
Separation of duties
Local payment card applications
Hardware and software
CCTV
File monitoring
Audit trails
Internal and external penetration tests
Training
Management buy-in and user acceptance
ADDITIONAL INFORMATION
PCI Council
https://www.pcisecuritystandards.org
PCI Council Navigating the SAQ
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
PCI Council Quick Guide
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
PCI Prioritized Approach
https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach_PCI_DSS_1_2.pdf
Trustwave General Questions – (800) 363-1621 [email protected]
ADDITIONAL INFORMATION
System Office – contact the CIS Help Desk
US CERT
http://www.us-cert.gov/
SANS Institute
http://www.sans.org/
NC ITS State-wide Security Manual
http://www.scio.state.nc.us/SITPoliciesAndStandards/Statewide_Information_Security_Manual.asp
Open Source applications: Network Security Tool (NST), Snort, Untangle, Zenoss
OPEN FORUM
Q & A