What you need to know about PCI-DSS
Jane Drews, Chief Information Security Officer
Information Security & Policy [email protected], 5-5537
Topics
1. PCI-DSS Basics for University of Iowa merchants
2. Point to Point Encryption (P2PE)
3. EMV Credit Cards
4. Isolated “PCI Environment” for University CC operations
PCI-DSS: Basics
1. UI policy requires merchants to comply with PCI-DSS, no exceptions
2. Reducing PCI-DSS “scope” is our strategy to reduce UI compliance requirements and minimize the institution’s risk of a card data breach
3. Scope is about communication between devices
• Any IT device or system involved in processing card payments, or that shares the infrastructure that supports payments, is “in scope” and must comply
• Encryption has been touted by some vendors as a way to avoid the rigor of compliance; however, that has not been demonstrated, and it is not UI policy
4. It is not the card brands but the acquiring bank that decides how we must validate our compliance
Point to Point Encryption (P2PE):
• P2PE Standard = technology and processes to protect account data from the point of interaction (card reader) to the point of initial decryption (transaction processor)
• The card reader establishes an encrypted “tunnel” through which the PAN is sent to the processor. An authorization code is returned and sent to the point-of-sale cash register or the server
• The PAN is never seen by the cash register or the server
• The merchant is never allowed to perform encryption key management under the P2PE standard
Point to Point Encryption (P2PE):
• The standard for point-to-point encryption solutions does not supersede the PCI Data Security Standard, PCI PIN Security Requirements, or any other PCI Standards
• The P2PE standards are not a recommendation, and do not obligate merchants, service providers, or financial institutions to purchase or deploy such solutions
• P2PE-capable devices will be the target for attacks, as the PAN could be intercepted by malware before encryption occurs
• Implementing P2PE doesn’t eliminate the need to comply with PCI-DSS
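To make the P2PE data path concrete, here is an added example (not from the presentation and not a P2PE-certified implementation) that simulates the three parties: a card reader that encrypts the PAN with a key it shares only with the processor, a merchant register that relays the message and keeps a log, and a processor that verifies, decrypts, Luhn-checks the PAN and returns an authorization code. Everything is an assumption for illustration: the HMAC-SHA256 counter-mode cipher is a toy stand-in for the standard's approved algorithms, the message layout is invented, the authorization code is random, and 4111111111111111 is a well-known Luhn-valid test card number, not a real account.

```python
"""Toy P2PE path: reader -> register/server -> processor. Added example only."""
import hashlib
import hmac
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF (toy cipher, illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, as a processor does before authorizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class CardReader:
    """Point of interaction. The key is injected by the solution provider;
    the merchant never holds or manages it (assumed, per the P2PE model)."""

    def __init__(self, key: bytes):
        self._key = key

    def read_card(self, pan: str, amount_cents: int) -> dict:
        nonce = os.urandom(12)
        ciphertext = _xor(pan.encode(), _keystream(self._key, nonce, len(pan)))
        amount = amount_cents.to_bytes(8, "big")
        # Encrypt-then-MAC over nonce, ciphertext and amount: anything between
        # reader and processor that alters the message is detected.
        tag = hmac.new(self._key, nonce + ciphertext + amount, hashlib.sha256).digest()
        return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(),
                "amount_cents": amount_cents, "tag": tag.hex()}


class Register:
    """Merchant cash register / server. Still in scope, but it only relays the
    encrypted message; self.log holds everything it ever stored."""

    def __init__(self):
        self.log: list = []

    def checkout(self, reader_msg: dict, processor: "Processor") -> str:
        self.log.append(reader_msg)
        auth_code = processor.authorize(reader_msg)
        self.log.append({"auth_code": auth_code})
        return auth_code


class Processor:
    """Point of initial decryption: the only party that ever sees the PAN."""

    def __init__(self, key: bytes):
        self._key = key

    def authorize(self, msg: dict) -> str:
        nonce = bytes.fromhex(msg["nonce"])
        ciphertext = bytes.fromhex(msg["ciphertext"])
        amount = int(msg["amount_cents"]).to_bytes(8, "big")
        expected = hmac.new(self._key, nonce + ciphertext + amount, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            return "DECLINED:TAMPERED"
        pan = _xor(ciphertext, _keystream(self._key, nonce, len(ciphertext))).decode()
        if not luhn_ok(pan):
            return "DECLINED:INVALID_PAN"
        return "APPROVED:" + secrets.token_hex(3).upper()  # simulated issuer approval


def register_saw_pan(register: Register, pan: str) -> bool:
    """True if the PAN appears anywhere in what the register stored."""
    return any(pan in str(entry) for entry in register.log)


def run_transaction(pan: str, amount_cents: int, tamper: bool = False):
    """Run one purchase; returns (authorization result, did the register see the PAN)."""
    key = os.urandom(32)  # shared by reader and processor only (assumed key injection)
    reader, register, processor = CardReader(key), Register(), Processor(key)
    msg = reader.read_card(pan, amount_cents)
    if tamper:
        msg["amount_cents"] = 1  # a compromised register trying to change the amount
    return register.checkout(msg, processor), register_saw_pan(register, pan)


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # Luhn-valid test card number (constructed input)
    print(run_transaction(TEST_PAN, 1999))
    print(run_transaction(TEST_PAN, 1999, tamper=True))
```

The point the slide makes survives in the code: the register's log contains only ciphertext and the authorization code, so a compromise of the register or server yields no PAN, while the reader itself (where the PAN exists in the clear before `read_card` encrypts it) remains the attractive target and is still in scope.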
EMV Credit Cards
• Referred to as “chip and PIN” or “chip and signature” cards
• Smart cards that store data on a chip rather than on a magnetic stripe, although most cards currently carry both for backward compatibility during the transition
• Can be contact cards (inserted into a reader) or contactless cards (RFID)
• Banks can transfer liability/costs for face-to-face (card-present) fraud to merchants that don’t support EMV cards (Oct 2015)
• Supporting EMV cards does not eliminate the need to comply with PCI-DSS
UI’s Isolated PCI Environment:
1. All peripherals migrate to the PCI network (registers, readers, etc.):
• Any device involved in transaction processing that connects to the UI network
2. All servers migrate to the ITF data center:
A. Level III (high sensitivity) data storage/handling servers, critical operations servers, and servers with peripherals move to the High Security Zone
• Secure configuration required, very restricted communications, full logging, monitored system and data access, etc.
B. Non-critical web servers that don’t pass CC information move to the Medium Zone, Co-Managed Zone, or Co-Location Zone
• Secure configuration required, no communication with peripherals, full logging, etc.
3. Goal is to simplify compliance responsibilities
[Diagram: UI’s isolated PCI environment]
• ITF Data Center: all servers
• High Security Zone: critical app servers and L3 databases that communicate with CC peripherals
• Medium, Co-Lo, other zones: web servers that transfer to payment processing, no CC peripherals
• PCI Network: all CC peripherals
• Bank ($)