Taylor Brumbeloe, ecommerce Financial Specialist Office of State Controller. John Frye, Financial Services Director Village of Pinehurst

Transcription

1

2 Taylor Brumbeloe, ecommerce Financial Specialist Office of State Controller John Frye, Financial Services Director Village of Pinehurst Rick Owens, Vice President Administrative Services Pitt Community College

3 PCI Compliance is a requirement so long as credit cards are accepted in any shape, form or fashion. Analog Swipe Machines Phone Calls Online In Person IT should not be in the habit or process of setting or enforcing daily workflow procedures for employees outside of IT. How are citizens calling in credit car payments handled. Which areas in your organization accept credit cards What information can be written down (what information is being written down) How long is the information stored

4 Why should we be concerned about PCI? Why should we worry about Shared Governance of PCI?

5 Requirement 3: Protecting Cardholder Data Discussion points IT can only protect the known areas were information technology is used to transmit, store or process card data. Procedures and Processes must be in place to protect physical data (ie: written numbers). If you have written numbers, you must have a policy of destruction. Anyone who comes in contact with cardholder data must be aware of the policies. Requirement 3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes, as follows. Can be maintained / set in programs, must be policy related for stored information. Do not store: the full contents of the mag stripe, card verification code, PIN. Primary Account Number (PAN) must be masked. Except when there is a legitimate business need.

6 Requirement 4.2: Never send unprotected PANs by end-user messaging technologies (for example, , instant messaging, chat, etc.). Covered in employee policy and training. Can t prevent citizens from ing, but policies must ensure employees do not ask for the information to be ed. Any containing card data should be sanitized asap. Great customer service may also be one of your greatest dangers and challenges in this arena. Do you allow employees to use non-formally approved methods of chat / communication to discuss work related items? (What does your social media policy say?)

7 Requirement 8.1.4: Remove/disable inactive user accounts at least every 90 days. Policies with Human Resources, Payroll and Departments to ensure access permissions are terminated. Requirement 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. This includes anywhere Credit Card information is: Collected, Processed, Transmitted or Stored. Examples: Athletic Fields Libraries Festivals

8 Requirement 9.2: Develop procedures to easily distinguish between onsite personnel and visitors. Do you require ID badges Can you easily distinguish between an employee and guest? Requirement 9.4: Implement procedures to identify and authorize visitors: Do you keep a log for visitors who are allowed in sensitive areas. Requirement 11.1: Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. Requirement 12: Maintain a policy that addresses information security for ALL personnel. Key phrase: ALL personnel

9 What steps did you take to achieve PCI compliance at Pitt Community College? Reviewed the PCI requirements Determined who should be involved and developed the project team Established a weekly meeting and met until the project was completed Worked to develop a culture of questioning and continuous improvement. We consistently ask Why? and Can we do this better?

10 What are you doing on an ongoing basis to ensure continued compliance? We have a multi-area team (not just IT) that meets to review any changes that occur, both to PCI and at the College. As project proposals are received, they are reviewed to ensure security is considered. Meetings with the CFO, CIO and me. Training, for all employees (both formal and informal).

11 What was the single biggest challenge you had to overcome? Our employees will strive to provide excellent customer service and convenience. Security compliance and convenience often do not go hand in hand. Trying to find a happy medium, is always a challenge.

12 What steps did you take in Pinehurst did you take to achieve compliance? We formed a team consisting of IT and Finance Staff Enrolled in the Coalfire SAQ system Reviewed the SAQ requirements and assigned sections of the SAQ to the IT or Finance staff members Set up monthly meetings to review findings and monitor progress Worked to resolve system deficiencies Established training program Set up ongoing training and monitoring program

13 What particular challenges did you encounter in a smaller government? Getting buy-in that this is important Understanding some of the terminology in the SAQ Understanding which sections of the SAQ applied to our card processing model Knowing how to answer some of the questions that we felt did not apply to our processing situation.

14 Tell us about your experiences with the PCI compliance project at NC State University. 130 Merchants Ranging from simple to complex Surveys sent out to all business contacts Deep dive into each merchants lines of business -- one-on-one meetings, site visits Created database to house all Merchant information (capture methods, vendors, SAQ classification, contact info, etc.) Identified gaps, security concerns and areas of improvement

15 What is the Office of State Controller s role in PCI compliance as it relates to units of local government who participate in the state contract for merchant services? Initial enrollment with Coalfire services Assistance completing annual self-assessment questionnaire Monitor annual compliance submissions Work with First Data s Compliance division First point of contact for breach situations

16 What compliance tools has the OSC made available to local government who participate in the merchant services contract? Coalfire Services Provided by OSC for all Participants Self-Assessment Questionnaire Quarterly external network vulnerability scans Other Coalfire Services available Paid by Participant Internal network vulnerability scans External Network Penetration Testing Incident Response Services On-site QSA Services Security Awareness Training Assistance and Guidance from OSC

17 What happens if a unit does not complete a self-assessment questionnaire and begin moving toward compliance? OSC becoming more involved in annual attestations First Data currently monitoring AOC submissions Notices being sent out for failure to submit compliance documents Fines assessed by card brands Risk of no longer being able to accept credit cards

18