1 PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson
2 Overview What is PCI? MCCS Compliance PCI DSS Technical Requirements MCCS Information Security Policies MCCS Common PCI Findings Making a Difference at MCCS Glossary of Terms
3 What is PCI? PCI stands for Payment Card Industry PCI is an umbrella term used for a comprehensive security program to protect credit card information from accidental disclosure PCI SSC PCI Security Standards Council PCI DSS PCI Data Security Standard Provides protections for all participants in a credit card transaction; Cardholder (Marines, Marine family members, etc.) Merchant (Exchanges, Seven Day Stores, Golf Pro Shop, Clubs, etc.) Banks/Acquirers (Bank of America) Services Providers (Examples?) Card Brands (Visa, MasterCard, American Express, Discover, JCB)
4 PCI Data Security Standard Represents: Merchant and Card industry required data security practices Common Acceptance and participation by multiple card brands (5 TODAY) Establishes a Single Security Auditing Procedures (SAP) Best Way To Protect Credit Card Information For All MCCS Activities. Best Sources of Reference: for PCI Data Security Standards and Requirements (URL: for Business Understanding of Merchant Compliance Requirements (URL: )
5 Evolution of PCI and Card Brand Security Since 2001, Card Brands Security Programs & Enforcement: Visa CISP largely onsite audit driven MasterCard SDP primarily scan, questionnaires American Express DSOP nothing Discover DISC nothing JCB and Diners nothing (also original participants in PCI) PCI Data Security Standard started in 2004 PCI Data Security Standard v1.1 September 2006 Common standard of best practices from individual card brand security programs. Retain individual card brand enforcement programs Maintained by the PCI Security Standards Council PCI Data Security Standard v1.2 October 2008
6 Why PCI Compliance Matters 1. Demonstrates the MCCS commitment to protecting our customers confidential data. 2. Indicates stronger controls & processes to assess IT risk and prevent data compromise. 3. Helps to avoid substantial fines and penalties from card industry. 4. Demonstrates compliance for key customers who demand adherence to the PCI DSS. 5. Provides better protection for Marines and Marine family members. Source: Visa July 2006
7 Payment Card Industry Overview and/or Acquirer (BofA/Chase ) is a member of is a member of Issuer may or may not be the same as Processes transaction for Service Providers Merchant (MCCS Activities) uses payment card to purchase goods or services from issues cards to Cardholder (Marine)
8 PCI Data Security Standard Applies to Who? Anyone who Stores, Processes or Transmits cardholder data Must comply with the PCI DSS Including: Members (Banks & Acquirers Bank of America, Chase Paymentech) Merchants (MCCS Exchanges, Seven Day Stores, Clubs, etc.) Service Providers (Examples?) Network Components (Modems, Wireless Routers, Firewalls, etc.) Servers (In store controller/management systems) Applications (Point of Sale (POS) Software Triversity, HSI, EPOS, etc.) that connect to cardholder data environments.
9 What does PCI protect? The cardholder s identity and confidential data, including: Magnetic stripe (track 1 and track 2 data) Card Verification Values (CVC, CVV2 3 or 4 digit codes printed on back or front of card) Payment Account Numbers (PAN) Personal Identification Numbers (PIN) Passwords Card expiration dates Personal data Name Address Add picture to identify PAN cv codes, stripe?
10 Card Compromises have a Ripple Effect MCCS Data Breach Marines Paymentech Families, Partners, Vendors Direct Impacts MCCS Partners Competitors Visa / MC Indirect Impacts Potential Legislation
11 Why? What s at risk? Data breaches can lead to significant adverse consequences For Marine Corps Community Services: Unwanted media attention i.e. DSW, TJX, Hannafords Lost revenue and/or financial damages Lost time and distractions to Marines and their families Litigation Substantial VISA and MasterCard penalties For the cardholder: Identity theft Unauthorized charges to their credit or debit card account Damage to their personal credit rating Financial losses
12 Cost of a Data Breach Studies estimate the 2007 Cost of a Data Breach at: $197* per compromised credit card record. an average total per-incident cost of - $6.3 million* What does this mean to MCCS? A single MCCS command can conduct up to 650,000 transactions per year or more. Card breaches often take months to be identified All cards used during that period could be compromised or at risk. Total cost to MCCS for a breach at a single base can potentially be up to $128 Million. (650,000 X $197) Fines per Incident: VISA Up to $500,000 MC Often $25 per card = up to $16,250,000 * Source: Ponemon Institute's 2007 Cost of a Data Breach Report
13 Non Compliance Fines and Enforcement Compliance is enforced by MCCS banks and fines start from the Card Brands (Visa / MC) i.e. The security program has teeth! VISA CISP Compliance Fines & Penalties (One brand example) Fines the responsible bank Typically $5,000 $25,000 per month per merchant Bank passes fines on to merchant (MCCS) Bank imposes restrictions on merchant (MCCS)
14 MCCS Goal Utopia: Safe Harbor Safe harbor provides merchants protection from fines in the event that they or one of their service providers experiences a data compromise. To attain safe harbor status MCCS must: Validate compliance with a third party QSA annually Maintain full PCI compliance at all times Demonstrate that prior to a compromise, all PCI compliance validation requirements were fully met.
15 MCCS Compliance Visa & MC VISA and MasterCard Requirements Level One (> 6 mil single card brand transactions/yr): Includes all types of payment card transactions (debit, credit, phone, etc.) Annual on site PCI data security assessment (SAP/ROC) Quarterly network vulnerability scans MCCS is a Level One merchant
16 PCI DSS Technical Requirements
17 PCI Data Security Standard (DSS) 6 Control Objectives The Digital Dozen 12 PCI DSS requirements 226 Detailed security focused sub-requirements
18 PCI DSS Control Objectives 1. Build and maintain a secure network 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Monitor and test networks regularly 6. Maintain an information security policy
19 The PCI DSS Digital Dozen 1. Install & Maintain a Secure Firewall Configuration 2. Maintain System Configuration Standards 3. Protect Stored Cardholder Data 4. Encrypt Transmission of Cardholder Data Across Open, Public Networks 5. Use and Regularly Update Anti virus Software or Programs 6. Develop & Maintain Secure Systems & Applications 7. Restrict Access to Cardholder Data By Business Need to Know 8. Assign Unique IDs and Implement Strong Password Controls 9. Restrict Physical Access to Cardholder Data 10. Track and Monitor All Access to Network Resources and Cardholder Data 11. Regularly Test Security Systems & Processes 12. Maintain an Information Security Policy
20 226 Sub Requirements Detailed in the PCI Data Security Standard https://www.pcisecuritystandards.org/security_standards/pci_dss_dow nload.html Requirement 8: Assign a unique ID to each person with computer access. 8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data. 8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: Password Token devices (for example, SecureID, certificates, or public key) Biometrics. 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users
21 What to Do if You Suspect a Compromise Identification 1. Is a secured area found unlocked and confidential information missing? 2. Have you noticed new unidentifiable equipment in the POS area? 3. Do security logs alert you to suspicious activities? Reporting 1. Immediately inform your manager of the compromise. If unavailable, inform the Information Security Manager or IT Point of Contact for your Command. 2. Determine if there is an ongoing threat to customer account information or MCCS network data. Notify the IT\Network Manager immediately.
22 MCCS Common PCI Findings Compiled from onsite PCI assessments performed at 12 bases Most common non technical findings : Management of visitors; badged, authorized, escorted Security of paper credit card receipts and reports Password security Maintaining logs Keeping lockable items locked
23 Challenge Visitors PEDs are now being attacked Attackers are becoming more sophisticated and bold with their attacks. Employees need to be vigilant of visitors; wearing proper badges; properly authorized to be working in area. Do not be afraid to question them. Vigilance can prevent attacks such as these.
24 Kiosk False Front & Hidden Camera Camera hidden inside pamphlet holder next to ATM at the University of Texas campus False front (Skimmer) place over the face of the ATM in Texas. Unauthorized personnel install these devices. Source:
25 Visitor Logging Logs serve a purpose: Require visitor logs for all areas storing or processing cardholder data Enforce the signing of logs by all visitors Retain logs for at least a year
26 Paper Receipt Security and Retention Paper receipts should be stored: In rooms or closets with secured locks In containers marked FOUO (For Official Use Only) with storage and retention dates Containers contents should be: Inventoried Periodically reviewed against inventory lists
27 Records Warehousing Records Warehousing Best Practices The ultimate in records security 27
28 Password Security Passwords should be secure and protected: Minimum of 7 characters Alpha, numeric, and special characters Do not use common names or words that can be found in the dictionary Do not write down or keep passwords in a public place where they may be discovered (Insert picture of post it note on a monitor)
29 Physical Security Clear desk Do not leave papers or reports containing cardholder data on desktops or areas accessible by customers. Lock all doors, cabinets or draws securing receipts or other papers holding card data. Don t leave passwords on post its or viewable at desks. Do not promote or allow tail gating. Ensure customer receipts and cardholder data are not accessible by those that are not authorized.
30 Making a Difference at MCCS If you accept a customer s credit card for payment, here are some ways you can help to meet PCI DSS compliance: 1. Protect your customer s cardholder data at all times. 2. Don t write down or share customer account information. 3. Don t ask a customer for their CVC or CVV2 when the customer is present to authenticate their own card. 4. If your department uses AVS, do ask a customer to confirm their zip code and address. 5. Be sure to protect merchant receipt copies that have customer payment card account numbers on them.
31 Making a Difference at MCCS If you work in an office that processes payment card transactions, here are some ways you can help to meet PCI DSS compliance : 1. Don t share card data over the phone or with those who are not authorized to have such information. 2. If you work in an area that requires use of payment card data, do not take card data home or leave it on your desk unattended or overnight. (Clean Desk Policy) 3. Use computers for acceptable business purposes only. Do not load personal music, files, or applications or access your personal . (Acceptable Use Policy) 4. Be sure to change your passwords regularly. 5. Learn how to construct a strong computer password. 6. Do not share your passwords with others, even your manager or MCCS IT personnel. 7. Don t leave computers on and unattended. Log out and/or use locked screen savers. 8. Maintain a segregation of duties between development, testing\qa, and production. 9. Be aware of data retention requirements for payment card receipts and related transactions. 10. Read your MCCS Information Security Policy and attend your annual security awareness training.
32 Making a Difference IT If you work in MCCS IT areas, here are some ways you can help to meet PCI DSS compliance : 1. Never store magnetic stripe, CVC2 or PIN data after authorization. 2. Payment card Primary Account Numbers (called PAN) should always be stored encrypted using strong encryption algorithms such as 3DES and AES. 3. Full PANs should be masked when displayed. 4. Payment cardholder data should always be encrypted during transmission over public networks, i.e. wireless or the internet. 5. Access to databases where payment card and other sensitive data resides should be restricted to those with a business need to know. 6. Ensure the use of anti virus software including automatic updates and periodic scans. 7. Do not share your user IDs or passwords. 8. Don t use administrator accounts to perform regular user tasks. 9. Ensure that all non console administrative access is encrypted. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non console administrative access. 10. Restrict physical access to payment card data or systems storing card data. 11. Protect and manage backup media. Store media securely, log removal of media, transfer securely, and destroy securely according to the MCCS data retention policy. 12. Attend annual security awareness training.
33 Making a Difference HR and Training If you work in MCCS HR areas, here are some ways you can help to meet PCI DSS compliance: 1. Ensure that new employees are properly screened and background checks are performed appropriate to their job responsibilities. 2. Inform employees and managers of their obligation to read and understand Information Security Policies. 3. Ensure that new employees are informed of MCCS Acceptable Use Policies for IT equipment and customer information. 4. Ensure that new employees attend IT training including how to change their passwords and how to use and protect customer data. 5. Ensure that managers provide new employees with IT systems access appropriate to their job responsibilities. (business need to know) 6. Inform IT in a timely manner about employee terminations so their user IDs, network and systems access privileges may be removed. 7. Execute periodic security awareness communication programs such as s, notices, posters, etc.
34 Make a Difference Finance\Purchasing If you work in MCCS Finance or Purchasing, here are some ways you can help meet PCI DSS compliance : 1. Store receipts, statements and any other financial data containing cardholder information in a locked file drawer, safe or other designated secure area. 2. If payment card Primary Account Number (called PAN) is downloaded from banks or card brand websites, data should always be stored encrypted. This applies to Excel spreadsheets, Word and PDF documents. 3. Restrict access to PANs to only those individuals in the accounting and finance departments with a business need to know. 4. Storage and inventory of transaction and card receipts should be minimized to only that which is required for business purposes. (i.e. 18 months) 5. Storage areas containing payment card data must be monitored with video cameras and a card access system that provides an audit trail of each individual entry. 6. Maintain accurate and complete logs of all archived or stored data including accounting boxes with card data and receipts stored securely offsite. 7. Do not share passwords. 8. Never send card account numbers via or in any other unsecured manner. 9. Attend annual security awareness training.
35 Making a Difference Facilities If you work in MCCS Facilities, here are some ways you can help to meet PCI DSS compliance : 1. Maintain physical locks and access controls on storage areas these are key to protecting cardholder information. 2. Cardholder receipts and other accounting data that has full payment card Primary Account Numbers (called PAN) should only be accessible only to those with authorized access. 3. Re consider shared access by other departments. 4. Avoid open windows and access points that could lead to theft of data. 5. Operate and maintain video surveillance equipment for secure data areas. 6. Maintain a visitor log that indicates accountability for who accesses areas where sensitive information is stored, transmitted or processed. 7. Retain video recordings for at least 90 days and visitor logs for at least one year in the event of a data compromise. 8. Attend annual security awareness training.
36 Making a Difference Legal, Purchasing, Marketing and Internal Operations If you work at MCCS in Purchasing, Legal, Marketing or Internal Operations, here are some ways you can help to meet PCI DSS compliance: 1. Make sure MCCS contractual agreements for third parties that store, transmit and/or process MCCS cardholder data have appropriate PCI and security language as identified in Req Practice vendor due diligence and management. 3. Ask your vendors how they comply with the PCI DSS. 4. Develop secure mechanisms for sharing card data. (Ask MCCS IT) 5. Review ongoing PCI compliance requirements for all third parties. 6. Develop contract practices to ensure MCCS vendors maintain ongoing PCI compliance, how they inform you and what happens if they don t meet those requirements. 7. Attend annual security awareness training.
37 Where to Get More Information 1. Visa Cardholder Information Security website (www.visa.com/cisp) 2. PCI Security Standards Council website (www.pcisecuritystandards.org)
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect
Cal Poly PCI DSS Compliance Training and Information Information Security http://security.calpoly.edu 1 Training Objectives Understanding PCI DSS What is it? How to comply with requirements Appropriate
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
PCI Policies 2011 Appalachian State University Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements
Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges
APPROVED BY Ronald J. Paprocki I. Policy Statement Any office of the University that processes credit card transactions may do so only in the manner approved by the University Treasury Office and in compliance
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to firstname.lastname@example.org when requesting a stand-alone dial up terminal. The University
Procedure Credit Card Handling and Security for Departments/Divisions and Elected/Appointed Offices Last Update: January 19, 2016 References: Credit Card Payments Policy Purpose: To comply with the Payment
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology
What To Do if Compromised Visa USA Fraud Investigations and Incident Management Procedures Table of Contents Introduction......................................................... 1 Identifying and Detecting
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein
Catapult PCI Compliance Table of Contents Catapult PCI Compliance...1 Table of Contents...1 Overview Catapult (PCI)...2 Support and Contact Information...2 Dealer Support...2 End User Support...2 Catapult
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA email@example.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
BROWN UNIVERSITY University Policy Accepting Credit Cards to Conduct University Business Purpose Brown University requires all departments that are involved with credit card handling to do so in compliance
Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary
FINANCE AND TREASURY POLICIES AND PROCEDURES E071 CREDIT CARD PROCESSING & SECURITY POLICY PURPOSE The purpose of this policy is to establish guidelines for processing charges/credits on Credit Cards to
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
Louisiana State University Finance and Administrative Services Operating Procedure FASOP: AS-22 CREDIT CARD MERCHANT POLICY Scope: All campuses served by Louisiana State University (LSU) Office of Accounting
PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp
PCI Compliance 101: Payment Card Industry Basics Data Security Standards Compliance Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions
Liverpool Hope University PCI DSS Policy Document Control Date Revision/Amendment Details & Reason Author 26 th March 2015 Updates G. Donelan 23 rd June 2015 Audit Committee 7 th July 2015 University Council
CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
BRAND-NAME is What COUNTS!!! USE PCI-DSS and make a name for your business Amit Jain Lead Solution Architect Aug 2015 Who We Are WHO WE ARE Company facts and figures ESTABLISHED TRUSTED 1995 BY MORE THAN
New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions
Fraud Protection, You and Your Bank Maximize your chances to minimize your losses Presentation for Missouri GFOA April 2011 By: Terry Endres, VP, Government Treasury Solutions Phone: 314-466-6774 Terry.firstname.lastname@example.org
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the
CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with
Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control
Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES CUTTING THROUGH THE COMPLEXITY AND CONFUSION Over the years, South African retailers have come under increased pressure to gain PCI DSS (Payment Card Industry
Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive
This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment
Understanding Payment Card Industry (PCI) Data Security Office of the State Controller November 2010 State of North Carolina The Enemy Major Security Breaches TJ-Max Heartland Hannaford Foods BJ s Wholesale
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
PCI-DSS Compliance Ron Dinwiddie Chief Technology Officer J. Spargo & Associates Agenda What is PCI Compliance Why is PCI Important How does this impact me? Becoming PCI Compliant JSA PCI Strategy Risk
January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
Andrews University Payment Card Acceptance Policies & Procedures Prepared by Financial Administration July 12, 2011 Part I: Introduction of Policy and Purpose Formatted: Font: 12 pt In order to protect