Jeff Williams Information Security Officer CSU, Sacramento.

PCI DSS Roundtable Jeff Williams Information Security Officer CSU, Sacramento


Page 1: PCI DSS Roundtable

Jeff Williams, Information Security Officer, CSU, Sacramento

Page 2: Agenda

• What is PCI DSS?
• What are the financial impacts?
• What are the requirements?
• How do I become compliant?

Page 3: PCI DSS (Payment Card Industry Data Security Standard)

• A standard that is applied to:
– Merchants (you)
– Service providers (third-party vendors, gateways)
– Systems (hardware, software)

• That:
– Store cardholder data
– Transmit cardholder data
– Process cardholder data

• Applies to:
– Electronic transactions
– Paper transactions

Page 4: The Financial Impact

◦ Forced service outage during incidents
◦ Forced service suspension
◦ Loss of brand processing
◦ Fines as high as $5,000 per card per day
◦ Pay for independent investigation (entry fee of ~$30,000)
◦ Fines up to $500,000
◦ Large breaches…

Page 5: The Financial Impact

[Chart: fines in three cases, $50,000,000, $10,000,000 and $590,000; combined fines for all three: $60,590,000]

Page 6: Business Impact Assessment

Consider the highest total cards processed in one day (disclaimer: numbers picked for easy math, optimistic, and assume pre-incident self-assessment and mitigation):

100 total cards
$50 per card for notification/communication
$100 fine per card
$30,000 investigation fee
Single Loss Expectancy: $45,000
Annualized Rate of Occurrence: .10
Annualized Loss Expectancy: $4,500

Page 7: Business Impact Assessment

Consider the highest total cards processed in one day (disclaimer: numbers picked for easy math, optimistic, and assume little to no self-assessment and mitigation activities):

100 total cards
$50 per card for notification/communication
$1,000 fine per card
$30,000 investigation fee
Single Loss Expectancy: $180,000
Annualized Rate of Occurrence: .20
Annualized Loss Expectancy: $36,000

Page 8: Business Impact Assessment

Consider:
◦ Your highest number of cards processed in a day
◦ A multi-day event
◦ You are out of compliance and store all cards processed
◦ Maximum fines
◦ Impact to your reputation/fundraising
◦ Impact to your operations
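The slides' Business Impact Assessment arithmetic (SLE = cards × (notification cost + fine) + investigation fee; ALE = SLE × ARO) as an added Python example, not from the presentation, extended to the multi-day, maximum-fine case the slide above asks you to consider; the three-day event and the way the per-card-per-day fine accrues are my assumptions. Applied to slide 7's line items the formula gives an SLE of $135,000, so the $180,000 shown there does not follow from the items listed.

```python
# Added example, not from the presentation: the slides' Business Impact
# Assessment arithmetic as functions, extended to the multi-day,
# out-of-compliance case the "Consider" slide raises.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    cards_per_day: int            # highest number of cards processed in one day
    days: int                     # length of the event (1 on the slides)
    notification_per_card: float  # notification/communication cost per card
    fine_per_card_per_day: float  # brand fine per card per day (slides: $100, $1,000; max $5,000)
    investigation_fee: float      # independent investigation entry fee (~$30,000)
    aro: float                    # Annualized Rate of Occurrence, 0.0 to 1.0


def exposed_cards(s: Scenario) -> int:
    """Out of compliance and storing every card: all cards processed during the event are exposed."""
    return s.cards_per_day * s.days


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = exposed cards x (notification + fine x days) + investigation fee.
    Assumption (mine, not the slides'): the fine accrues for each exposed card on each day of the event."""
    cards = exposed_cards(s)
    return cards * (s.notification_per_card + s.fine_per_card_per_day * s.days) + s.investigation_fee


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected loss per year to budget controls against."""
    return single_loss_expectancy(s) * s.aro


def mitigation_value(before: Scenario, after: Scenario) -> float:
    """Annual loss avoided by moving from 'before' to 'after', i.e. what the controls are worth."""
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after)


# Slide 6: pre-incident self-assessment and mitigation in place
MITIGATED = Scenario(100, 1, 50.0, 100.0, 30_000.0, 0.10)
# Slide 7: little to no self-assessment or mitigation
UNMITIGATED = Scenario(100, 1, 50.0, 1_000.0, 30_000.0, 0.20)
# Slide 8 worst case: a three-day event (constructed) at the $5,000 per card per day maximum fine
WORST_CASE = Scenario(100, 3, 50.0, 5_000.0, 30_000.0, 0.20)

if __name__ == "__main__":
    for name, s in (("mitigated", MITIGATED), ("unmitigated", UNMITIGATED), ("worst case", WORST_CASE)):
        print(f"{name:12s} SLE ${single_loss_expectancy(s):>12,.0f}  ALE ${annualized_loss_expectancy(s):>12,.0f}")
```

The difference in ALE between the unmitigated and mitigated scenarios is the annual loss a self-assessment and mitigation programme avoids, which is the figure to put against its cost.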

Page 9: 12 High Level Security Requirements

Build and Maintain a Secure Network
1. Use firewalls and NAT to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect physical stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications

Page 10: 12 High Level Security Requirements (continued)

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Routinely test security systems and processes

Maintain an Information Security Policy
12. Establish high-level security principles and procedures

Page 11: How do I become compliant?

It all starts with a self-assessment: identify and close your gaps.

http://www.csus.edu/irt/is/pci/presentations/index.html

The bottom of the webpage has a matrix of examples, guides, resources and templates.

PCI website: www.pcisecuritystandards.org

Page 12: Questions and Comments

Thank you,

Jeff [email protected]