LRCCD Roadmap to PCI Compliance
Fall 2018
CCIA Conference
Emmie Oesterman, CISA
October 4, 2018
CCIA Conference – Fall 2018
Agenda
Gain an understanding of PCI DSS
Who has to comply?
How to comply?
What is the PCI DSS?
PCI DSS = Payment Card Industry Data Security Standard
The result of a collaboration between Visa, MasterCard, American Express, Discover, and JCB to create common industry security requirements.
Provides a baseline of technical and operational requirements designed to protect cardholder data.
Compliance is mandated for all organizations handling credit card data.
Who Does What?
1. Develops Standards
2. Establishes compliance requirements
3. Enforces requirements on merchants
4. Merchant
Visa – Defined Merchant Levels
PCI Requirements
Annual Self-Assessment Questionnaire (SAQ):
COMPLIANCE IN HIGHER EDUCATION
LRCCD, like all colleges, has unique challenges in maintaining PCI compliance.
Networks are usually wide open – academic freedom.
The colleges/departments within LRCCD are not located in a central location and vary greatly in their procedures:
  Methods of payment card acceptance
  Different procedures in place
  Methods of fund collection: in person, over the phone, online, via the mail
Why do we need to care?
If one of your payment systems is breached and cardholder data is compromised, and you are found not to be PCI DSS compliant, the following may happen:
Fines of $50,000 to $500,000 per violation
Recurring monthly fines of $5,000 or more
Loss of credit card services for the entire district
Costs to notify and remedy services for impacted cardholders (average $202* each)
Repayment of fraudulent charges that result from the data breach
Onsite forensics audit required (between $8,000 and $20,000*)
Bad publicity
Loss of reputation/trust of staff and students
Level 1 Merchant certification required
* http://www.pcicomplianceguide.org/merchants-20090416-cost-data-breach.php
The Plan - LRCCD
Form a Team
  Principal Information Systems Auditor – Project Lead
  Network Security Administrator – IT Expert
Gather Information
  Survey where/how credit cards are taken
  Evaluate risks and what has to be changed
  Determine applicable SAQ
Obtain Expert Guidance
  Hire QSA Consultant – Security Metrics
Become PCI Compliant
  Create PCI Network
  Create PCI Awareness Training
  Create Business Process to Maintain PCI
What we found in 2010!
Credit cards were stored in our ERP systems.
Credit card processing was connected to our network.
Credit card information was collected on forms and scanned into our databases.
Credit card information was emailed to our Business Services Office.
And so much more…
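The "survey where/how credit cards are taken" step and the 2010 findings above both come down to discovering cardholder data where it should not be. The following is an added example, not tooling from the LRCCD deck or from Security Metrics: a small cardholder-data discovery scan that finds candidate card numbers (PANs) in text such as an emailed order or a database export, keeps only those that pass the Luhn check, and reports them masked to the first six and last four digits so the report itself does not become another store of card data. The sources, names and card numbers are constructed; the card numbers are published test numbers, not real accounts.

```python
"""Cardholder-data discovery scan (added example, not the LRCCD deck's own
tooling). Finds candidate primary account numbers (PANs) in text, keeps only
those that pass the Luhn check, and reports them masked."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or
# hyphens, and not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random
    digit runs such as order numbers or student IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str      # where the data was found (mailbox, export, form scan)
    line_no: int     # 1-based line within that source
    masked_pan: str  # never the full PAN


def find_pans(source: str, text: str) -> list[Finding]:
    """Scan one text source and return masked findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


# Constructed sample inputs modelled on the 2010 findings: an emailed phone
# order and an ERP table export. The card numbers are published test
# numbers, not real accounts.
SAMPLE_EMAIL = """From: bookstore@example.edu
Subject: phone order
Student paid with card 4111 1111 1111 1111 exp 09/26
Order reference 1234567890123 (not a card; fails Luhn)
"""

SAMPLE_ERP_EXPORT = """id,name,cc_number
1001,J. Doe,5555-5555-5555-4444
1002,A. Roe,6011111111111117
"""


def scan_samples() -> list[Finding]:
    """Run the discovery scan over both constructed sources."""
    return find_pans("email", SAMPLE_EMAIL) + find_pans("erp_export", SAMPLE_ERP_EXPORT)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.source} line {f.line_no}: PAN present, masked {f.masked_pan}")
```

The Luhn filter is what keeps a scan like this usable on a campus full of 13-digit and 16-digit identifiers; the order reference in the sample is skipped for exactly that reason. In practice the same logic is pointed at mailbox exports, shared drives and database dumps, and every hit is a location that has to be either brought inside the PCI network or cleaned out.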
IT Security Implemented
Created a PCI Network
Implemented quarterly network scans (vulnerability, rogue access point, etc.)
Implemented logging and detections (Tripwire)
Implemented two-factor authentication
Adopted security standards (CIS Benchmarks)
And so much more…
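As an added illustration of the "logging and detections (Tripwire)" item, the following Python sketch (not LRCCD's Tripwire configuration and not Tripwire itself) shows the core of file-integrity monitoring on a payment host: hash a baseline of files, re-hash later, and report what was added, removed or modified. The directory tree, file names and simulated tampering are constructed inside a temporary directory.

```python
"""File-integrity monitoring sketch (added example; not LRCCD's Tripwire
configuration and not Tripwire itself). Records a baseline of file hashes,
re-hashes later and reports added, removed and modified files, which is the
detection a FIM tool raises when a payment host is tampered with."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Diff two baselines; each list is sorted for stable reporting."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temporary directory: baseline a small host
    image, then simulate a weakened config, an unexpected new file and a
    deleted file before re-checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "payment.conf").write_text("gateway_tls=required\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "pos").write_bytes(b"\x7fELF constructed-binary")

        # A real FIM tool stores the baseline off-host or signed; here it is
        # round-tripped through JSON to mimic a saved database.
        stored = json.loads(json.dumps(baseline(root)))

        # Simulated changes after the baseline was taken.
        (root / "etc" / "payment.conf").write_text("gateway_tls=off\n")
        (root / "bin" / "unknown.so").write_bytes(b"constructed unexpected file")
        (root / "etc" / "hosts").unlink()

        return compare(stored, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Two things carry over from this sketch to a real deployment: the baseline must be kept where a compromised host cannot rewrite it (off-host or signed), and the "modified" list on a payment host is an alert, not a log line, because a changed configuration such as the TLS setting above is exactly how cardholder data ends up leaving the PCI network in the clear.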
Business Process Implemented
LRCCD does not store credit card information electronically.
Credit cards will not be processed or transmitted on a non-PCI network.
All new credit card processing requests must be reviewed and approved by the Principal Information Systems Auditor and Senior Network Security Analyst.
PCI awareness training
And so much more…
Compliant!
And here we go again…