PCI Services Overview

OIT CSI has a build environment dedicated to serving PCI-DSS hosts and their connected systems.

What is PCI?

From the https://www.pcicomplianceguide.org website:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available here.

Who must meet the PCI-DSS standards?

According to the University Controller’s Office, all NCSU merchants must comply with PCI-DSS.

You can contact OIT’s Information Security Services Team for help identifying your PCI responsibilities and ensuring proper compliance.

CSI Value add for PCI-DSS

You are not required to use CSI’s services to achieve PCI-DSS compliance, but we offer the following services that you can leverage if you wish, so that you do not need to prove compliance for these controls yourself. CSI works with the ISS team and attests to compliance for the following control objectives:

Build and Maintain a Secure Network and Systems

  • Software firewall managed so that only necessary ports are exposed.
  • No vendor-supplied defaults for system passwords or other security parameters.
  • Puppet modules that maintain the Apache, SSH and OpenSSL configuration so that data transmitted across open, public networks is encrypted using PCI-DSS approved ciphers and TLS.
  • SELinux in full enforcing mode for anti-malware protection.
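The TLS bullet above is the one a merchant most often has to demonstrate to an assessor, so here is an added example of how such a configuration can be checked. This is not CSI's Puppet code or the project's tooling; it is an audit script that parses the SSLProtocol and SSLCipherSuite directives out of an Apache mod_ssl config text and flags anything that PCI DSS 3.2.1 Appendix A2 prohibits (SSL and early TLS, i.e. TLS 1.0). Treating TLS 1.1 as a warning rather than a failure, the list of weak cipher-string tokens, and the two sample vhost snippets are all assumptions and constructed data for the example.

```python
"""Audit Apache mod_ssl directives against PCI DSS-style TLS requirements.

Added example, not CSI's Puppet module. Parses SSLProtocol / SSLCipherSuite
from an Apache config text and reports protocol or cipher selections that
enable SSL or early TLS (TLS 1.0) or explicitly weak cipher families.
"""
import re

# Protocols that must not be enabled on a PCI host (SSL and early TLS).
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# Assumption (local policy): TLS 1.1 is reported as a warning, not a failure.
WARN_PROTOCOLS = {"TLSv1.1"}
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed list of OpenSSL cipher-string selectors that enable weak ciphers.
WEAK_CIPHER_TOKENS = {"NULL", "aNULL", "eNULL", "EXPORT", "EXP", "DES",
                      "3DES", "RC4", "MD5", "LOW", "MEDIUM"}


def _directive(config, name):
    """Return the argument string of the last `name` directive, or None."""
    value = None
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(rf"{name}\s+(.+)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip()                  # last one wins, as in Apache
    return value


def enabled_protocols(sslprotocol):
    """Expand an SSLProtocol value into the set of protocols it enables.

    Apache semantics: 'all' is every protocol except SSLv2 (removed in 2.4),
    '+X' or 'X' adds, '-X' removes, applied left to right.
    """
    enabled = set()
    for tok in sslprotocol.split():
        negate = tok.startswith("-")
        name = tok.lstrip("+-").lower()
        if name == "all":
            targets = set(ALL_PROTOCOLS) - {"SSLv2"}
        else:
            targets = {p for p in ALL_PROTOCOLS if p.lower() == name}
        enabled = enabled - targets if negate else enabled | targets
    return enabled


def weak_cipher_tokens(sslciphersuite):
    """Return cipher-string selectors that positively enable a weak family.

    '!RC4' and '-RC4' exclude rather than enable, so they are skipped.
    'RSA+3DES' is an intersection, so any weak part marks the selector.
    """
    weak = []
    for tok in sslciphersuite.split(":"):
        if tok.startswith(("!", "-")):
            continue
        if any(part in WEAK_CIPHER_TOKENS for part in tok.lstrip("+").split("+")):
            weak.append(tok)
    return weak


def audit(config):
    """Audit one Apache SSL config text; returns (passed, findings)."""
    findings = []
    proto = _directive(config, "SSLProtocol")
    if proto is None:
        # Apache 2.4 default is 'all -SSLv3', which still enables TLS 1.0.
        findings.append("SSLProtocol not set; Apache default still enables TLSv1")
        proto = "all -SSLv3"
    enabled = enabled_protocols(proto)
    for p in sorted(enabled & FORBIDDEN_PROTOCOLS):
        findings.append(f"FAIL: {p} enabled (SSL/early TLS prohibited)")
    for p in sorted(enabled & WARN_PROTOCOLS):
        findings.append(f"WARN: {p} enabled")
    ciphers = _directive(config, "SSLCipherSuite")
    if ciphers:
        for tok in weak_cipher_tokens(ciphers):
            findings.append(f"FAIL: cipher selector '{tok}' enables a weak cipher family")
    passed = not any(f.startswith("FAIL") for f in findings)
    return passed, findings


# Constructed sample: a vhost that still allows SSLv3 and early TLS.
WEAK_CONFIG = """\
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""

# Constructed sample: TLS 1.2+ only, AEAD suites with forward secrecy.
HARDENED_CONFIG = """\
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        passed, findings = audit(cfg)
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for f in findings:
            print("  " + f)
```

Running the script reports the weak snippet as failing on SSLv3, TLSv1 and the MEDIUM cipher selector (with a TLSv1.1 warning) and the hardened snippet as passing with no findings. In practice the same check belongs in the Puppet run itself, for example as a validation step on the managed Apache SSL file, so that a drifted config is caught before the host is exposed.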

Protect Cardholder Data

CSI doesn’t have anything to offer for this control objective.

Maintain a Vulnerability Management Program

We patch PCI hosts using the campus Red Hat Satellite.

Implement Strong Access Control Measures

  • Secure Active Directory authentication using the Wolftech Regulatory Accounts, which are specifically managed to the PCI-DSS standards.
  • Multi-factor authentication via Duo.

Regularly Monitor and Test Networks

We monitor PCI system health with Sysnews.

Maintain an Information Security Policy

Our Puppet code can install and configure the Splunk agent for aggregating logs.
