Payment Card Industry Data Security Standard (PCI DSS)
Rhonda Chorney, Manager, Revenue Capital & General Accounting
Today's Agenda
1. What is PCI DSS?
2. Where are we today?
3. Why is compliance so important?
4. What are the PCI requirements?
5. What is an SAQ? An Attestation of Compliance?
6. The annual compliance cycle.
7. Where can I find more information?
What is PCI DSS?
PCI DSS is a widely adopted set of security requirements for protecting credit and debit card transactions and the cardholder data behind them. Its first version was released in December 2004 by the five major payment card brands: Visa, MasterCard, American Express, Discover and JCB.
What is meant by Cardholder Data?
Cardholder data is the information carried on a customer's payment card: printed on either side of the card, encoded on the magnetic stripe, and stored in the chip on the front of the card. It includes the primary account number (PAN), cardholder name, expiration date and service code. The 3- or 4-digit card verification value (CVV2) printed on the card, the full magnetic stripe or chip track data and the PIN are classed as sensitive authentication data, which must never be stored after a transaction is authorized (see Requirement 3.2 in the SAQ B excerpt).
UM Merchant Stats
Merchant Type | Number of Merchants | Number of Terminals
Interactive Voice Response (IVR) | 15 | n/a
Point of Sale (POS): Standalone Terminals | |
Point of Sale (POS): Integrated with Payment Application | |
Point of Sale (POS): Batch Software | |
Web or e-commerce | 35 | n/a
Where are we today?
In 2010 all merchants completed the Self Assessment Questionnaires and the Attestation of Compliance. Three merchants were not compliant at that time: the Main Cashiers Office, Donor Relations, and Kinesiology.
Where are we today?
Feb 2013: CORE, the software the cashiers use, was upgraded; once the self assessment is completed, the Main Cashiers Office will be compliant.
Oct 2013: Raiser's Edge was upgraded for Donor Relations, which contributes towards compliance. Donor Relations also has online donation forms which must be replaced to bring the unit to full compliance. This work is forecast to be completed by March 2014.
Where are we today?
Nov 2013: Meetings will be initiated with Kinesiology to plan the upgrade of the CLASS application to bring it to PCI DSS compliance.
The goal is to have the entire U of M PCI compliant by May 2014.
Why Is Compliance So Important?
A security breach and subsequent compromise of payment card data has far-reaching consequences:
Loss of reputation
Loss of customers
Potential financial liabilities, such as fines of up to $500,000 per breach and $10,000 per month for non-compliance
Litigation
Regulatory notification requirements
Loss of merchant status
Who Does PCI DSS Apply To?
PCI DSS applies to all organizations that process, store or transmit cardholder data:
merchants
payment card issuing banks
processors
software developers
other vendors
What Are the PCI Requirements?
(Note: requirements not listed are the responsibility of IST.)
3. Protect stored cardholder data (e.g. mask the PAN when displayed; never store sensitive authentication data such as the PIN or CVV2)
7. Restrict access to cardholder data by business need-to-know (e.g. limit access to system components)
8. Assign a unique ID to each person with computer access
What Are the PCI DSS Requirements?
(Note: requirements not listed are the responsibility of IST.)
9. Restrict physical access to cardholder data
12. Maintain and adhere to a policy that addresses information security for employees and contractors (IST/Financial Services/Merchants)
The Self Assessment Questionnaire (SAQ): Definition
The Self Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants in self-evaluating their compliance with the PCI DSS.
The Self Assessment Questionnaire (SAQ): Eligibility Criteria
Merchants are pre-assigned to an SAQ based on specific eligibility criteria:
SAQ A: telephone (IVR) or web processing, with all cardholder data handling outsourced to a third party;
SAQ B: standalone dial-up POS terminal;
SAQ C: card processing via a third-party payment application.
Self Assessment Questionnaire (SAQ)
Questions on the SAQs are derived from the PCI requirements relevant to the merchant type:
SAQ A covers Requirements 9 (physical storage of data) and 12 (familiarity with the Cash Control Policy) only.
SAQ B adds Requirements 3 and 7.
SAQ C adds Requirement 8.
Process going forward
The assigned SAQ and Attestation of Compliance forms will be sent to each merchant owner for completion within the next week. The requested completion date is Nov 30th. Forward the completed documents, soft and hard copies, to Alicia Bressani in RCGA for compilation.
Self Assessment Questionnaire for POS Merchants (SAQ B)
Requirement 3: Protect stored cardholder data
In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business. Sensitive authentication data on the magnetic stripe or chip must never be stored. If your organization stores the PAN, it is crucial to render it unreadable (see 3.3).

QUESTION (RESPONSE: YES / NO / N/A)
3.2 Do all systems adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted)?
- Do not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the cardholder's name, primary account number (PAN), expiration date, and service code. To minimize risk, store only these data elements as needed for business. NEVER store the card verification code or value (CVV/CVC) or the PIN verification value (PVV) elements of the track.
- NEVER store the card-validation code or value (CVV2, CVC2 or CID: the three- or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
- Do not store the personal identification number (PIN) or the encrypted PIN block.
3.3 Is the PAN masked when displayed? The cardholder receipt generated by all electronic POS terminals, whether attended or unattended, must show only the last four (4) digits of the PAN. All preceding digits of the PAN must be replaced with fill characters, such as X, *, or #, that are neither blank spaces nor numeric characters. Note: this requirement does not apply to employees and other parties with a specific business need to see the full PAN.
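The two checks in Requirement 3 above, masking the PAN for display (3.3) and making sure no sensitive authentication data survives authorization (3.2), as an added worked example in Python. This is not code from the presentation or from any University or vendor system; the sample records, the pattern and function names, and the Luhn filter are constructed here for illustration. In practice the scan would run over the merchant's real receipt files, application logs and database exports.

```python
import re

# Constructed sample records for this example: imitation POS/log lines,
# not real data from any University system.
SAMPLE_RECORDS = [
    "2013-11-30 12:01 POS receipt PAN=************1111 AMT=25.00",
    "DEBUG track2=4111111111111111=1512101123456789",
    "order 42 card=4111111111111111 cvv2=123 exp=12/15",
    "%B4111111111111111^DOE/JOHN^15121011000000000000?",
]

# Data that must never be stored after authorization (SAQ B 3.2), in the
# layouts used on the magnetic stripe (ISO/IEC 7813) and on the card face.
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")   # %B<PAN>^NAME^YYMM...
TRACK2 = re.compile(r"\d{13,19}=\d{4}")             # <PAN>=YYMM...
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[:=]?\s*\d{3,4}\b", re.I)
# Candidate PAN: a 13-19 digit run that is not part of a longer digit run.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, so order numbers and timestamps that merely look
    like a PAN are not reported."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, fill: str = "*") -> str:
    """Mask a PAN for display per 3.3: keep only the last four digits.

    The fill character must be a single character that is neither numeric
    nor blank, as the SAQ text requires.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    if len(fill) != 1 or fill.isdigit() or fill.isspace():
        raise ValueError("fill must be one non-numeric, non-blank character")
    return fill * (len(digits) - 4) + digits[-4:]


def scan_for_sensitive_authentication_data(records):
    """Return (record_index, finding) pairs for records holding track data,
    a printed card-validation code, or an unmasked PAN.

    An unmasked PAN is cardholder data rather than sensitive authentication
    data, but a clear-text PAN in a stored record fails 3.3, so it is
    reported too (at most once per record).
    """
    findings = []
    for i, rec in enumerate(records):
        if TRACK1.search(rec):
            findings.append((i, "track1"))
        if TRACK2.search(rec):
            findings.append((i, "track2"))
        if CVV.search(rec):
            findings.append((i, "cvv"))
        for m in PAN.finditer(rec):
            if luhn_ok(m.group()):
                findings.append((i, "unmasked_pan"))
                break
    return findings


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    for idx, kind in scan_for_sensitive_authentication_data(SAMPLE_RECORDS):
        print(f"record {idx}: {kind}")
```

Record 0 is what a compliant receipt line looks like and produces no finding; records 1 to 3 show the three things a merchant's application must not leave behind: track 2 and track 1 data copied from the stripe, and a card-validation code captured for a card-not-present sale. Track data is matched on its field separators (`^` and `=`) rather than on digits alone, because a PAN pattern by itself cannot tell a stored track from a stored PAN.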
Requirement 7: Restrict access to cardholder data by business need-to-know
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Need-to-know means access rights are granted only to the least amount of data and the fewest privileges needed to perform a job.
QUESTION (RESPONSE: YES / NO / N/A)
7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access?
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data gives individuals the opportunity to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
QUESTION (RESPONSE: YES / NO / N/A)
9.6 Are all paper and electronic media that contain cardholder data physically secure? (This includes computers, removable electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes.)
9.7 (a) Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data?
(b) Do controls include the following:
- Is the media classified so it can be identified as confidential?
- Is the media sent by secured courier or another delivery method that can be accurately tracked?
9.8 Are processes and procedures in place to ensure management approval is obtained prior to moving any and all media containing cardholder data from a secured area (especially when media is distributed to individuals)?
9.9 Is strict control maintained over the storage and accessibility of media that contains cardholder data?
9.10 Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons? Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
Requirement 12: Maintain a policy that addresses information security
The University's Cash Control policy and procedures cover the acceptance and handling of payment cards. Adherence to the terms of these documents is required to ensure information security.
*A new information security policy that will address protection of electronic cardholder data is currently being developed by IST.*

UM Cash Control Policy and Procedure Requirements (YES / NO) and Additional Information

Excerpt from Policy Document, Section 2.2: All departments of the University whose activities include the acceptance and handling of cash on the University's behalf are responsible for ensuring that:
(a) adequate controls and procedures are in place to safeguard cash from time of receipt to time of deposit to a University authorized bank account through Financial Services;
(b) all cash and receipts are properly recorded and accounted for; and
(c) customer payment information is stored in a secure manner.
Full document available at: ning_documents/financial/389.htm

Excerpts from Cash Control Procedures Document:
Departments are required to use University of Manitoba merchant services providers and may request information in this regard from RCGA.
All employees entrusted with handling cash and credit card payments must be familiar with the Cash Control Policy.
Full document available at: uments/financial/863.htm

For information only: The University contracts with TD Merchant Services for the provision of its Visa and MasterCard merchant services. All payment card revenue must be deposited to the University's main bank account. Departments must advise Financial Services of any situation where this is not the case.
Attestation of Compliance
After completing the SAQ, the merchant must complete the Attestation of Compliance to confirm that:
1. the merchant qualified for the SAQ; and
2. the merchant is in compliance.
This document must be signed by one of: the unit's Business Manager, Department Head, Director, or equivalent.
Part 2. Eligibility to Complete SAQ B
Complete this section to confirm your eligibility to use SAQ B (Yes / No for each statement):
Merchant uses only standalone, dial-up terminals; and the standalone, dial-up terminals are not connected to the Internet or any other systems within the merchant environment;
Merchant does not store cardholder data in electronic format; and
If Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically.

Part 3. PCI DSS Validation
Based on the results noted in the SAQ dated Nov 30, 2013, Merchant 123 asserts the following compliance status (check one):
Compliant: All sections of the PCI SAQ are complete and all questions answered yes. Therefore Merchant 123 has demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI SAQ are complete or some questions are answered no, resulting in an overall NON-COMPLIANT rating, thereby Merchant 123 has not demonstrated full compliance with the PCI DSS. Target Date for Compliance:
Part 3a. Confirmation of Compliant Status
Merchant confirms (Yes / No; N/A where indicated):
- PCI DSS Self-Assessment Questionnaire B was completed according to the instructions therein.
- All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
- I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization. (If applicable; Yes / No / N/A)
- I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
- No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment. (Applicable only if Merchant is storing data electronically.)

Part 3b. Merchant Acknowledgement
Print Name of Department Head or Business Manager / Title / Signature / Date / Unit or Merchant Represented
What if Merchant is Non-Compliant?
If your responses indicate that you are not in compliance, complete Part 4 of the Attestation of Compliance to indicate where compliance has not been achieved and to provide the steps your unit will take to meet the requirement.
Part 4. Action Plan for Non-Compliant Status
Select the appropriate compliance status for each requirement. If you answer No to any of the requirements, you are required to provide the date this Merchant will be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
PCI Requirement | Description | Compliance Status (select one) | Remediation Date and Actions (if Compliance Status is No)
3 | Protect stored cardholder data | Yes / No |
7 | Restrict access to cardholder data by business need-to-know | Yes / No |
9 | Restrict physical access to cardholder data | Yes / No |
12 | Adhere to University policy that addresses information security | Yes / No |
What if Merchant is Non-Compliant?
Where non-compliance is indicated, further follow-up will be scheduled by either IST or RCGA, depending on the area of vulnerability. Non-compliant products must be upgraded, replaced, or discontinued within a reasonable time frame. Depending on the nature of the non-compliance, discontinuance may be immediate.
3rd Party Compliance
Most of our processing partners are already in compliance with PCI DSS:
TD Bank POS terminals (Freedom IV and Freedom V) are compliant, provided all software upgrades have been completed by the merchant.
Beanstream is compliant (web merchants).
Certain vendor software used by UM merchants (for example, CLASS, used by the Faculty of Kinesiology) is certified as PCI compliant.
A vendor's certification covers the application as delivered. How the merchant installs, configures and operates it, and how receipts and other cardholder data are handled around it, remain the merchant's responsibility under its own SAQ.
The Compliance Cycle
Assess: identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
Remediate: fix vulnerabilities, and do not store cardholder data unless you need it.
Report: compile and submit the required remediation validation records (if applicable), the SAQs and the Attestations of Compliance.
Steps in the Annual Compliance Cycle
1. Create an inventory of all campus merchants and confirm merchant contact information.
2. Promote awareness of the PCI requirements and the consequences of non-compliance to all UM merchants.
3. Request that each merchant review and sign off on the appropriate self-assessment questionnaire (SAQ). Determine areas of non-compliance and establish a plan to correct them.
Steps in the Compliance Cycle (cont.)
4. Develop a policy that addresses storage of electronic data (IST/RCGA).
5. Obtain statements from all 3rd party vendors/partners confirming that they are also in compliance.
6. Develop processes that ensure continued compliance.
Helpful Tips
Treat cardholder data like cash: keep it secure, and if it must be held, "deposit" it (process and dispose of it) right away rather than leaving it lying around.
If you don't need it, don't store it!
Never store the CVV2 or PIN.
Transaction record retention requirements are 12 months for Visa and 18 months for MasterCard.
Helpful Tips (continued)
Read and understand the Merchant Operating Guide for information on items such as issuing refunds and receipt requirements (for example, never issue a refund by cash or cheque for a purchase made by credit card).
Read the TD Fraud Prevention brochures.
Never lend your merchant number to another unit. This could expose you to unwanted liability and increased merchant fees.
Where can I find more information?
RCGA web site:
TD Merchant Services Resource Center:
PCI Security Standards Council:
Guidelines set by the University's IST department for hosting a web application: index.html
QUESTIONS?
RCGA Merchant Administration: Rhonda Chorney, Alicia Bressani, Anna Chugunova
IST (Technical): David Treble
If you're not sure, ask!