PCI Services Overview
What is PCI?
From the https://www.pcicomplianceguide.org website:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available here.
Who must meet the PCI-DSS standards?
According to the University Controller’s Office, all NCSU merchants must comply with PCI-DSS.
You can contact OIT’s Information Security Services Team for help identifying your PCI responsibilities and ensuring proper compliance.
CSI Value add for PCI-DSS
You are not required to use CSI’s services to achieve PCI-DSS compliance, but we offer the following services that you can leverage if you wish, so that you don’t need to prove compliance for those controls yourself. CSI works with the ISS team and attests to compliance for the following control objectives:
Build and Maintain a Secure Network and Systems
- Software firewall managed so that only necessary ports are exposed.
- No vendor-supplied defaults for system passwords or other security parameters
- Puppet modules that maintain the Apache, SSH and OpenSSL configuration so that data crossing open, public networks is encrypted using PCI-DSS approved ciphers and TLS versions.
- SELinux in full enforcing mode as the anti-malware control.
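The following is an added example, not CSI’s Puppet code or an NCSU tool: a small Python audit that reads constructed Apache, sshd and SELinux config snippets and reports settings that would fail the controls above (SSL or early TLS still enabled, weak cipher suites offered, root or password SSH login permitted, SELinux not enforcing, listening ports outside the allowed set). All file contents, port lists and directive values are constructed samples; the protocol and cipher rules reflect PCI DSS’s prohibition on SSL/early TLS and common weak-cipher families, not a complete PCI-DSS test.

```python
"""Audit constructed host configs against the PCI control objectives listed above.

Added example (not CSI's or NCSU's code). Every config snippet and port list
below is a constructed sample, not a real NCSU/CSI file.
"""

# PCI DSS (since v3.1) disallows SSL and "early TLS"; TLS 1.1 is treated as weak too.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Apache's "all" keyword is taken conservatively as SSLv3 plus every TLS version,
# so weak versions must be subtracted explicitly to pass the check.
ALL_KEYWORD = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Upper-case fragments of OpenSSL cipher names that mark a suite as unsuitable.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")

# --- constructed sample inputs -------------------------------------------------
COMPLIANT_APACHE = """
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
"""
LEGACY_APACHE = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA
"""
COMPLIANT_SSHD = """
Port 22
PermitRootLogin no
PasswordAuthentication no
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
"""
ENFORCING_SELINUX = "SELINUX=enforcing\nSELINUXTYPE=targeted\n"


def parse_directives(text):
    """Map 'Key value' (Apache, sshd) or 'KEY=value' (sysconfig) lines to a dict."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                      # KEY=value style
            key, value = line.split("=", 1)
        else:                                    # Key value style
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        directives[key.strip()] = value.strip()
    return directives


def enabled_tls_protocols(ssl_protocol_value):
    """Resolve an Apache SSLProtocol value such as 'all -SSLv3 -TLSv1' to the enabled set."""
    enabled = set()
    for token in ssl_protocol_value.split():
        if token.lower() == "all":
            enabled |= ALL_KEYWORD
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def tls_protocol_findings(apache_conf):
    """Weak protocol versions still enabled; a missing SSLProtocol line means 'all'."""
    value = parse_directives(apache_conf).get("SSLProtocol", "all")
    return sorted(enabled_tls_protocols(value) & WEAK_PROTOCOLS)


def weak_cipher_findings(apache_conf):
    """Cipher suites in SSLCipherSuite that match a weak-cipher marker, in config order."""
    suite = parse_directives(apache_conf).get("SSLCipherSuite", "")
    return [c for c in suite.split(":") if c and any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]


def sshd_findings(sshd_conf):
    """Report root login or password auth unless the config explicitly disables them."""
    d = parse_directives(sshd_conf)
    findings = []
    # A missing directive is reported: an auditor should not rely on distribution defaults.
    if d.get("PermitRootLogin", "").lower() != "no":
        findings.append("PermitRootLogin should be 'no'")
    if d.get("PasswordAuthentication", "").lower() != "no":
        findings.append("PasswordAuthentication should be 'no' (key-based or MFA-backed login instead)")
    return findings


def selinux_findings(selinux_conf):
    """SELinux must be in enforcing mode, per the anti-malware control."""
    mode = parse_directives(selinux_conf).get("SELINUX", "").lower()
    return [] if mode == "enforcing" else [f"SELinux mode is '{mode or 'unset'}', expected 'enforcing'"]


def open_port_findings(listening_ports, allowed_ports):
    """Listening ports the firewall policy does not explicitly allow."""
    return sorted(set(listening_ports) - set(allowed_ports))


def audit(apache_conf, sshd_conf, selinux_conf, listening_ports, allowed_ports):
    """Combine all checks into one list of human-readable findings (empty means clean)."""
    findings = [f"weak TLS protocol enabled: {p}" for p in tls_protocol_findings(apache_conf)]
    findings += [f"weak cipher suite offered: {c}" for c in weak_cipher_findings(apache_conf)]
    findings += sshd_findings(sshd_conf)
    findings += selinux_findings(selinux_conf)
    findings += [f"port {p} listening but not in the allowed set"
                 for p in open_port_findings(listening_ports, allowed_ports)]
    return findings


if __name__ == "__main__":
    for label, apache in (("compliant host", COMPLIANT_APACHE), ("legacy host", LEGACY_APACHE)):
        result = audit(apache, COMPLIANT_SSHD, ENFORCING_SELINUX, [22, 443], {22, 443})
        print(label, "->", result or "no findings")
```

Run as a script it reports nothing for the compliant sample and three weak protocols plus two weak suites for the legacy one; the same functions can be pointed at real files read from disk, or wired into a Puppet run as a post-apply check.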
Protect Cardholder Data
CSI doesn’t have anything to offer for this control objective.
Maintain a Vulnerability Management Program
We patch PCI hosts using the campus Red Hat Satellite
Implement Strong Access Control Measures
- Secure Active Directory Authentication using the Wolftech Regulatory Accounts, which are specifically managed to the PCI-DSS standards.
- Multi-Factor Authentication via Duo
Regularly Monitor and Test Networks
We monitor PCI system health with Sysnews
Maintain an Information Security Policy
Our puppet code can install and configure the Splunk agent for aggregating logs.