a blog about my interests

Exploring PCI-DSS

One of the enjoyable aspects of this blog is using it to gather and process topics I’m involved in at work.  On my front burner right now: PCI-DSS.  One of my colleagues has been working on this mostly and now I’m joining in.

What is it, you ask?  I’m sure you’re dying to know.  It’s a set of requirements that anyone who processes credit cards must adhere to so that personal information and card information are protected.  It was started in 2001 by Visa and Mastercard, then called the Cardholder Information Security Program (CISP).  It has since expanded and become PCI-DSS, and in 2010 PCI-DSS v 2.0 came out.  One result of PCI-DSS is that receipts should show only the last 4 digits of your card number.

Some of my main resources at the moment are:

  1. Achieving Cost-Effective PCI Compliance:  presentation from the 2011 Educause Enterprise Computing Conference, co-presented by Cathy Hubbs, who was in my Frye cohort.
  2. Two Diverse Approaches to PCI-DSS Compliance: presentation from the 2011 Educause Security Conference.
  3. PCI FAQs

Cathy’s presentation in (1) has a great set of questions to answer on page 25.  You really need to get your arms around where you are using credit cards and how they are being processed.  What you need to do depends on your level, which is based on how many card transactions you process annually.  A few pages later, on page 32, she has some equally great recommendations.  The Baylor presentation (2) notes that in higher ed limiting scope is critical, that is, limiting what is in scope vs. what is not.  If something stores, processes or transmits card data, it is in scope.  That really makes you want to ditch credit card processing.  That’s what the U. of Delaware essentially did.  Those little dial-up terminals that you see in merchants seem like a good way to go — since the info travels over the phone line and not your network, you have less to be concerned with.  And be sure you’re not storing credit card numbers in your ERP (ideally nowhere).  Keep things out of scope.  Baylor also notes to prioritize: tackle the critical area first and work your way down to lower-risk items.  It could be daunting to try to do it all at once.
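Two of the points above, checking that card numbers are not sitting in your ERP (scope) and showing only the last 4 digits (receipts), come down to the same small pieces of code: find candidate card numbers in stored data, confirm they are real card numbers with the Luhn check digit rather than phone or order numbers, and mask everything but the last four. The script below is an added example, not something from this post or from either presentation; the records it scans are constructed sample data using well-known Luhn-valid test numbers, and the field names (`order=`, `payment=`) are made up for illustration.

```python
import re

# Constructed sample records, shaped like lines from an ERP export.
# The 16-digit values are standard Luhn-valid test numbers, not real cards;
# the second record holds a payment token instead of a card number.
SAMPLE_RECORDS = [
    "order=1001 customer=alice payment=4111111111111111 amount=42.00",
    "order=1002 customer=bob payment=token_8f3a2c amount=17.50",
    "order=1003 customer=carol payment=5500 0000 0000 0004 amount=99.99",
    "order=1004 customer=dave phone=5551234567 amount=5.00",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SEPARATORS_RE = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = SEPARATORS_RE.sub("", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last 4 digits, as a receipt should."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Mask every Luhn-valid card number in text, leaving other digits alone."""
    def _sub(m: re.Match) -> str:
        digits = SEPARATORS_RE.sub("", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


def scan_records(records: list[str]) -> dict[str, list[str]]:
    """Map each record that stores a card number to the numbers it holds."""
    hits = {}
    for rec in records:
        pans = find_pans(rec)
        if pans:
            hits[rec] = pans
    return hits


if __name__ == "__main__":
    for rec, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"in scope: {redact(rec)}  ({len(pans)} card number(s))")
```

Run against a real export, every record the scan reports is a place where card data is stored, and therefore in scope; the Luhn test is what keeps 10-digit phone numbers and order ids out of the results. The same `mask_pan` helper gives the last-4-only form the post mentions for receipts.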

Now, of the 4 levels merchants can be in, level 3 is a common place where schools find themselves.  For level 3 you need to do an annual SAQ (Self-Assessment Questionnaire), fill out an Attestation of Compliance form, and lastly have a quarterly network scan by an Approved Scanning Vendor (ASV).  The ASV scan is done externally to look for public-facing vulnerabilities.

So if you’re looking into PCI-DSS, find some good resources, read up, and talk to other institutions.
