Comply by July. Step by Step Guide to PCI-PA-DSS Compliance

Transcription

1 Comply by July Step by Step Guide to PCI-PA-DSS Compliance June 2010

2 Comply By July Help is on the Way! Payment Card Industry (PCI) Payment Application (PA) Data Security Standard (DSS) June 2010 As the July 1, 2010 deadline approaches for PCI-PA-DSS compliance, campuses across the system have been requesting help in implementing a plan to meet the requirements of tougher credit card standards. These standards carry heavy fines for breaches of credit card security. Comply By July was developed by Augusta State University (ASU) to help them achieve compliance in a timely manner by using a team approach. We are now sharing this easy to read guide to assist other campuses. Please consider this a resource as you put together the compliance plan for your institution. Credit card security standards are nothing new. They have been evolving for years, under the direction of the credit card leaders (Visa, MC and AMEX). More recently the full cooperation of merchants has been expected as identity theft has become more and more prevalent. However, it is not only the credit card industry that has expectations, so do our students, parents and supporters. Our reputations are at stake and so are our pocketbooks. I hope that you will find the enclosed information and guide helpful. Please feel free to contact us, should you have questions, comments, or like to discuss your compliance plan. Stanton Gatewood Chief Information Security Officer Board of Regents University System of Georgia Kathleen Boyd Internal Auditor Office of the President Augusta State University

3 Comply by July PCI-PA-DSS Reference Guide Table of Contents A. Credit Card Security Team Selecting the Right Team Members B. The PCI-PA-DSS Standard Helpful Links C. Comply By July Step by Step Guide D. Endorsement from Senior Management Memo from Senior Management to Inform Campus about PCI-PA-DSS Standard E. Contacting Your Credit Card Processor Have Your Questions Ready F. Questionnaire to Department Cashiers Hello Out There Does Your Department Process Credit Cards? G. Inventory Capturing the Full Scope of the Project Have You Left Off Anyone? H. Compliance Field Visit Checklist Document Your Effort to Establish Compliance

4 Section A Credit Card Security Team Selecting the Right Team Members

5 CREDIT CARD SECURITY TEAM Selecting the Right Team Members The ideal team is composed of professional staff with considerable expertise in either technology, accounting and/or internal audit. The size of your team should reflect the size of your organization and the number of departments that utilize credit cards. Consider the deadline and plan according. IT Security Officer Internal Auditor Information Analyst/Trainer Assistant Director for Systems & Programming Services Controller Assistant Controller

6 Section B The PCI-PA-DSS Standard Helpful Links

7 PCI-PA-DSS Security Standard Helpful Links What it all means If you are having trouble wrapping your head around the alphabet soup of PCI compliance, here are two useful links to get you started: 1.) The PCI Security Standards Council Home Page On this website you will find the security standard definition, the self assessment questionnaire, the list of validated payment applications and lots more. Start here to educate yourself about credit card security standards. The link below will lead you to the home page, and you can navigate your way from there. 2.) TouchNet PCI-PA-DSS Solution Kit Brochure Request Page On this website you can request up to five copies of the TouchNet PCI-PA-DSS brochure. This easy to read brochure simplifies the information on the PCI Security Standards Council website. Even if you are not using TouchNet as a PCI solution, the brochure is worth reading. The brochures will be mailed out immediately upon request at no charge.

8 About the PCI Data Security Standard Excerpted from the PCI Security Council Standards Council Website HISTORY The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. PRINCIPLES The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized: Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security

9 Section C Comply by July Step by Step Guide

10 PCI-PA-DSS "COMPLY BY JULY" STEP BY STEP GUIDE STEP NOTES STATUS 1 Assemble Credit Card Security Team. Team should have representatives from Internal Audit, IT, Business Office. 2 Have backing of Senior Management. Send correspondence from Senior Management. Reference "D" - Letter 3 Talk to your bank to identify your Credit Card Processor. Your Business Office/Controller should already know who the credit card processor is. Ask the bank to keep you informed of all new accounts that are established that have the university's name. 4 Arrange a conference with your Credit Card Processor(s). Reference "E" - Script of Questions 5 Review answers from Credit Card Processor. Determine if it is necessary to hire an assessor and/or a scanning service. 6 Take a preliminary look at the questionnaire that must! Assign responsibility for the questionnaire to IT. be completed for the Credit Card Processor by July 1, This questionnaire is key to compliance! Do not delay! 7 Conduct PCI-PA-DSS Training with Cashiers. Work with your Business Office/Controller to identify which departments need to be there. Conduct a survey. Reference "F" - Questionnaire 8 Get the Word Out. Publish articles in campus newsletters. 1

11 PCI-PA-DSS "COMPLY BY JULY" STEP BY STEP GUIDE STEP NOTES STATUS 9 Prepare comprehensive inventory of Departments Approach this several ways: ask for a list of that use credit cards. Merchant ID numbers from your credit card processor; check with the Business Office; ask your auditor. Reference "G" - Inventory Form 10 Identify Hot Spots on Inventory. Look closely at those areas where you would be hurt the most from a revenue perspective: (i.e. Admissions; Bookstore; Campus Dining; Development and Alumni; Housing). 11 Create a checklist of questions to ask each of the Send the checklist to the department before the departments that are on your inventory. field visit and ask them to fill in what they can. Reference "H" - Checklist 12 Establish teams to visit departments. Have enough teams to cover all the Each team should have a technical & business departments in a short period of time, so that representative. Complete Checklist for each department there is time to act if you discover a problem. and create a corrective action plan. 13 Set appointments to visit departments.! There is some urgency in completing this, so that you can identify problems ASAP. 14 Schedule conference calls with any vendors that have Do not be lulled into a false sense of security by not already provided adequate documentation to vague promises. Go to "plan two" if the vendor assure compliance. is making promises that you do not think can be fulfilled. 2

12 PCI-PA-DSS "COMPLY BY JULY" STEP BY STEP GUIDE STEP NOTES STATUS 15 Work with your credit card processor on establishing a Negotiate with your credit card processor. You "Fix It" timeline, if you cannot meet the July 1, 2010 want to mitigate risk as quickly as possible, deadline. however ask them to work with you if July 1 deadline is not realistic. There may be some flexibility if you can show an implementation plan. 16 Send Completed Questionnaire to Credit Card processor by Begin completing the questionnaire early to July 1, 2010! have ready well ahead of time. Be in Full PCI-PA-DSS Compliance by July 1, 2010! 3

13 Section D Endorsement from Senior Management Memo to Inform Campus about PCI-PA-DSS Standard

14 Important News on Credit Card Security Sample Letter from Your Senior Management News agencies routinely report stories of credit card fraud, identity theft and stories of hackers who have stolen sensitive information by breaking into databases. We CANNOT afford to let that happen here as illustrated by the following story. In 2003, one of our sister institutions had a security breach that cost up to $500,000 to fix. Hackers downloaded personal information stored on a server used as part of the university performing arts center ticketing process. The information included names, addresses, phone numbers, addresses and credit card numbers. It is believed the hackers gained access from a system located outside the US. The Georgia Bureau of Investigation, FBI and Secret Service all worked to find the source. The entire database of theatre goers had to be notified some 57,000 letters later, the university was bombarded with phone calls. A help desk was set up to reassure concerned patrons. Then insurance had to be purchased to protect all those exposed in this incident. And, the university was liable for a fine from the credit card company. In addition to the costs involved, the institution s reputation was tarnished. For the past two years, Business Operations and IT have worked together to implement ways to safeguard sensitive data, including credit card information. Several steps have been taken during this time to evaluate risk, identify problems, educate departments about best practices in cash receipting, and to employ secure technological solutions. As credit card standards continue to evolve, the stakes have grown higher. Beginning July 1, 2010 a new standard comes into effect that is known as the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS). The role that colleges and universities must take to protect private financial data has gotten bigger. Bottom line: If we are not in compliance with the new standard, we may not be able to process certain credit card transactions. A credit card security team was recently formed at (your institution name here) to ensure that business functions across the campus remain operational after the new credit card security standard goes into effect July 1. The goal of the team is to go beyond meeting minimum standards and to be able to say with confidence that we have taken all reasonable steps to safeguard credit card data. Our students, parents, donors, theatre patrons, employees and other constituents deserve no less. As such, we need your full cooperation. Members of the credit card security team will be calling on departments in the near future. Please instruct your staff to work cooperatively with them. Point out any areas of concern you may have, and discuss frankly such issues as credit card storage, employee access, and other matters that could lead to a breach of security. The team will explore possible solutions with you. Please contact a member of the Credit Card Security Team, if you would like to schedule a risk assessment. Thank you in advance for helping our campus maintain its reputation for safeguarding sensitive data. List Contact Information of your Credit Card Security Team Here Name, Title, and Phone Number

15 Section E Contacting Your Credit Card Processor Have Your Questions Ready

16 PCI-PA-DSS Compliance Have Your Questions Ready: Questions for Credit Card Processor What exactly does our University need to do to satisfy Credit Card Processor that we are in PCI- PA-DSS compliance? Which merchant level is University? Note: You will need to know your merchant level to help you determine which self assessment questionnaire you are to complete for verification purposes. If we self assess, which questionnaire do we complete? What are the requirements that qualify us for that particular questionnaire? Is the questionnaire requirement waived if we hire an assessor? What are the pros and cons for self assessment versus hiring an assessor? Is hiring an assessor a recommendation or a requirement? What is the range of cost we might expect to pay for an assessor? How long does an assessment take to complete? What kind of report should we expect from the assessor? Is this a one-time assessment, or is ongoing assessment required? Frequency? Does the university submit one global questionnaire for all merchants on campus, or must a separate questionnaire be completed for each merchant ID number? Does your Credit Card Swiper (device) store credit card data? Is it PCI compliant? What do we look for in reading the PCI Compliance List to know definitively that our POS systems are in compliance? If at July 1, the Credit Card Processing company realizes that the University has missed something that makes us not in compliance, what will happen? Will credit card data processing stop all across campus, for that one merchant ID, or is there a grace period in which to fix the problem?

17 Section F Questionnaire to Department Cashiers Hello Out There Does Your Department Process Credit Cards?

18 Credit Card Security Questionnaire Department: Contact Name: Contact Contact Phone #: Do you accept credit cards in your department? YES NO If yes, please answer the following questions. If no, you need go no further. For what purpose(s) do you accept credit cards? How are the cards processed? Touchnet POS System Which One? Manually Use credit card machine to imprint card Hand write credit card numbers on credit card slip or other paper Other What identifying information do you record on the credit card slip? Driver s License # Social Security # Campus Card ID # Other Do your credit card receipts have the full credit card number imprinted on them? YES NO Merchant s copy only Customer s copy only Merchant s copy and Customer s copy Entire number Last four digits Other Where do you store credit card records? Cash Register Safe Storage Cabinet Other How long are credit card records kept?

19 Section G Inventory Capturing the Full Scope of the Project Have You Left Off Anyone?

20 Inventory of Departments with Credit Card Processing Activity - Sample TEAM Merchant/Department Outlet # Hierarchy Level YES/NO FD-100 POS Other Touchnet Terminal MPL BillPay Upay NOTES POS SYSTEMS 1 BOOKSTORE 2 PERFORMING ARTS CENTER 3 DEVELOPMENT AND ALUMNI 4 GOLF CLUB 5 CAREER CENTER TOUCHNET 6 BUSINESS OFFICE 7 CONTINUING EDUCATION 8 REGISTRAR'S OFFICE 9 CAMPUS SERVICES 10 STUDY ABROAD 11 SCIENCE OLYMPIAD 12 SPECIAL EVENTS 13 PUBLIC SAFETY/PARKING 14 ATHLETICS 15 STUDENT ACTIVITIES 16 LIBRARY 17 COLLEGE OF BUSINESS 19 PSYCHOLOGY 19 COLLEGE OF EDUCATION OTHER

21 Inventory of Departments with Credit Card Processing Activity - Sample 20 CAMPUS DINIING YES/NO FD-100 POS Other Touchnet Terminal MPL BillPay Upay NOTES 21 UNIVERSITY HOUSING 22 GEORGIA 411

22 Section H Compliance Field Visit Checklist Document Your Effort to Establish Compliance

23 PCI-PA-DDS Compliance Checklist Adaptation fromtouchnet PCI-PA-DSS Solution Kit, page 7 Date of Field Visit: Department: Department Contact(s): Does Department Accept Credit Cards Yes No For what purpose does department accept Credit Cards? PART I: IDENTIFY EACH DEPARTMENT'S PAY PRACTICES What credit card brands does department accept? Visa MasterCard Discover AMEX Other What volume (number of transactions) does the department accept per fiscal year (per card brand/type)? Visa MasterCard Discover AMEX Other What dollar value do these volumes represent on fiscal year basis (per card brand/type)? Visa MasterCard Discover AMEX Other What channels does the department use to accept credit cards? Online In Person Telephone By Mail Other PART II: CHECK EACH SYSTEM FOR PCI-DSS COMPLIANCE Where is the credit card application hosted? On Campus Off Campus Off Campus Data Center Third Party Service Provider Other Is the hosting facility PCI-PA-DSS compliant? Yes No Was compliance specified via Self-Assessment Questionnaire or independent audit? Yes No Has proof of PCI -PA-DSS compliance been filed for each system? Yes No ( Note: Proof should be forward to Internal Audit for filing in PCI Compliance Notebook) 1

24 PART III: CHECK EACH SOFTWARE APPLICATION FOR PA-DSS CERTIFICATION What POS software is used to accept, process or store any sensitive credit card data? Is there an additional credit card processing system used? Yes No If Yes, Please specify which one. Does staff type credit card numbers typed into a desktop computer? Yes No If yes, are the numbers masked after they are entered? Yes No If masked, describe. What system is currently in place to accept/process credit cards? Card Imprinter Handwritten TouchNet Card Swipe Make Model Other POS See below If there is currently a POS System in place, provide name, all components and versions. Confirm by field visit. Obtain vendor contact information, product name and version Vendor Version Hardware Version Software Version Vendor Version Hardware Version Software Version Vendor Version Hardware Version Software Version Is the application a custom application used only by university/department? Yes No Obtain Vendor Contact Information: Product Name Vendor Name Street Address City, State, Zip Name of Contact Phone Is the application (and version) listed by the PCI Council as PA DSS certified? Be sure to check the version of the application. Print copy of list, highlight application. Yes No Retain for file. If not on PCI Website, contact vendor for PA-DSS status clarification, or proof of compliance. Confirm PCI Compliance Plan. Date contacted Name of Contact Contact Info Recommended Solution Contacted by Timeframe Must be in compliance by July 1 If July 1 date cannot be met, apprise First Data of implementation plan in writing. Written approval obtained date Send by certified mail. 2

25 PART IV: CHECK ALL MERCHANT DEVICES FOR PTS VALIDATION Does the merchant use any card swipe devices? Yes No Do the devices store payment data? Yes No What devices are in use? Manufacturer Model Number Version How is device connected to the processor Internet Phone Other For PIN-entry equipment, is the device listed as validated by the PCI Council? FD 100 Yes No N/A For what purpose is the card swipe used? PART V: TOUCHNET Is TouchNet used in the Department? Yes No How is TouchNet Used? Marketplace Upay-Tlink BillPay COMPLETED BY (One of Three Teams): Date Date OR Date Date OR Date Date Note: Adapted from TouchNet PCI-PA-DSS Solution Kit, page 7 3