Complying with PCI is a necessary step in safely accepting Payment Cards.

Transcription

1 What Every Director Needs to Know About Credit Cards & Patron Privacy Complying with PCI is a necessary step in safely accepting Payment Cards.

2 Know the Risks! Some Interesting Facts: 94% of data breaches involved servers * 96% were not in PCI DSS compliance * Data Breach Regulations: 46 of 50 States mandate consumer notification of unauthorized access to private information $145 - average cost per compromised record ** PCI compliance is a key strategy to avoid a data breach! * 2012 Data Breach Investigations Report ** Ponemon Institute LLC. (2015) Cost of Data Breach Study: Global Analysis

3 What is PCI? Payment Card Industry Data Security Standard A VISA coordinated initiative started in 2004 Rules, methods, and procedures to reduce payment card fraud Compliance effort varies with where and how you take payment cards Mandates use of Validated services and products

4 Who are the PCI stakeholders? Since its inception, the PCI Standard has been applied to stakeholders in the order of greatest exposure. Organizations involved with payment cards: Processors Banks Service Providers Application Developers Merchants Library Today the focus is on Merchants That Means You!

5 Merchants (You the Library) Must comply with PCI based upon Merchant Category: Online (card not present) POS (card present) Online Merchants subscribe to a service with PCI- DSS POS Merchants install products with PA-DSS Merchant is responsible for: Appropriate policies and procedures Securing their network Documenting their PCI compliance status annually using a tool called the Self Assessment Questionnaire (SAQ)

6 PCI Compliance Best Practices Avoid storing cardholder data! Online merchants (payments over the Internet) Lessen the burden by outsourcing to a validated service provider (e.g., using a third-party payment gateway) POS merchants (over-the-counter & selfservice) You are responsible for protecting cardholder data at the point of sale and as it flows through the payment system. Segment your network to minimize exposure Install PA-DSS validated payment applications Use approved secure card readers

7 SAQ by Merchant Category Careful! Compliance Burden Increases with SAQ Level Merchant Type Online Payments Internet Protocol Terminals w/p2p Encryption Internet Protocol Terminals Payment Application Connected to Internet Keyboard Input to a Dedicated Computer All Other Merchants Self-Assessment Questionnaire 1 Restrict Physical Access to Data 2 Information Security Policy Protect Card Data Encrypt Transmission of Data Restrict Data to Need-to-Know Firewall Anti-Virus Software No Default Passwords Secure Systems and Applications 10 Assign Unique IDs for Access Regularly Test Systems Best SAQ for 8 libraries SAQs 1 for libraries 10 that accept counter, Track and Monitor Access that accept 6 payments self-check, 21 or kiosk payments Number of Questions 1 4 only by Internet Browser SAQ 62 depends 103 upon payment 57 product. 240

8 Additional PCI Requirements (1) Quarterly external vulnerability scans (Req. 11.2) If your payment systems are on a network connected to the Internet, PCI DSS requires you to have quarterly scans performed The automated scans look for weaknesses an attacker might exploit to access your systems PCI DSS requires these scans to be conducted by a PCI-certified Approved

9 Additional PCI Requirements (2) Internal and external penetration testing (Req. 11.3) A penetration test simulates an attack on your organization s network infrastructure or applications Penetration testing determines what attackers can access and what trouble they can cause

10 Let s Look at Some Success Stories Stirling Prentice Systems Librarian

11 Why Comprise? What we were looking for: ILS compatibility Bilingual interface PCI compliance Compatibility with Moneris Website & discovery layer integration

12 The Importance of PCI Compliance Peace of mind: Respecting and securing patron info City of Ottawa s requirements

13 Comprise at OPL Just credit card transactions Pay Fines Button on site and in catalogue Reconciliation reports ILS vs. Soft Launch Adapting to New Standards

14 Payments steady growth Payment Year Payment Type % Paid Bills % of Amounts Paid CASH 62.2% 51.8% 2012 CHECK 0.9% 2.1% CREDITCARD 13.3% 15.9% DEBITCARD 23.6% 30.3% CASH 59.4% 49.3% 2013 CHECK 0.7% 1.8% CREDITCARD 13.5% 15.9% DEBITCARD 23.4% 29.6% ONLINE 3.1% 3.4% CASH 55.2% 45.6% 2014 CHECK 0.5% 1.3% CREDITCARD 14.6% 16.5% DEBITCARD 23.3% 29.2% ONLINE 6.5% 7.3% CASH 52.7% 43.4% 2015 (so far) CHECK 0.4% 1.4% CREDITCARD 14.9% 16.4% DEBITCARD 22.8% 28.5% ONLINE 9.1% 10.3%