Credit Card Data Security Compliance
- Valerie King
- 8 years ago
Slide 1: Credit Card Data Security Compliance: Achieving PCI Compliance. July 2009.
- Kim Ray, Billing and Payment Services, Campus Credit Card Coordinator
- Karen Eft, IT Policy Manager, Office of the CIO
- Kate Riley, IT Security Analyst, Information System Technology

Slide 2: Who Accepts Credit Cards? Departments with a business need for:
- Ticket sales
- Enrollment/Registration/Conference hosting
- Donations/Gifts
- Gift shops/Admission desks/Memberships
- Publication sales
- Public services (e.g., Library, Optometry, Parking, Cal Overstock)

Slide 3: Who Accepts Credit Cards? Over 130 merchant accounts with annual sales exceeding $103 million/year.
[Chart: Gross Annual Credit Card Sales, rising from $43 million in 2003 to over $103 million.]

Slide 4: How We Accept Credit Cards (flow diagram). Obtain the credit card number -> system/application/database (on campus or hosted by a vendor) -> Internet gateways -> UC's acquiring bank, which issues merchant account numbers and processes authorizations, sales, and credits.

Slide 5: How to Accept Credit Cards: Card Present. Customers making purchases in person:
- Gifts at the Berkeley Art Museum store
- Services at the Optometry Clinic
- Admission to the Botanical Gardens
- Parking pass at Parking and Transportation

Slide 6: How to Accept Credit Cards: Card Not Present. Customers making purchases by phone or mail:
- Conference registration by mail
- Publication purchases over the phone

Slide 7: Accepting Credit Card Data by Fax
- Prohibited in University Cash-Handling Policy (BUS 49)
- Violation of the intent of section 4(a) in the Uniform Commercial Code
- The Campus Controller may grant a variance; such a request must provide detail of the compensating controls in place to secure the data

Slide 8: How We Accept Credit Cards (repeats the flow diagram from slide 4).

Slide 9: How We Accept Credit Cards: Card Not Present. Customers making purchases online through a department's web application that interfaces with an Internet gateway:
- Enroll in a course with University Extension
- Purchase a ticket for an Athletics game
- Pay a student intent-to-register fee
- Pay a Visiting Scholar's fee

Slide 10: Department Web Application. The department has a business need to collect and store personally identifiable information. The application is hosted on campus or by a vendor, and must comply with the Campus Minimum Security Standards for Networked Devices and for Electronic Information.
Slide 11: Campus Minimum Security Standards. Karen Eft, IT Policy Manager, Office of the Chief Information Officer.

Slide 12: Campus IT Security Policy. Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.

Slide 13: UC-wide Business & Finance Bulletins, IS series (Oversight of Electronic Information):
- IS-2, Inventory, Classification, and Release of University Electronic Information
- IS-3, Electronic Information Security
- IS-11, Identity and Access Management
- IS-12, Continuity Planning and Disaster Recovery

Slide 14: Minimum Security Standards. Minimum minimal. Why do we put you through this?

Slide 15: Prevent Identity Theft
- Horrible consequences for victims of identity theft.
- When unencrypted data of specific types is breached, we have to notify the subjects.
- Incredible waste of time and effort responding to security incidents.
- Notifications can cost millions of dollars.
- Damage to reputation/goodwill.
- Reduced level of donations or research funding.

Slide 16: Minimum Security Standards
- MSS for Networked Devices
- MSS for Electronic Information

Slide 17: Minimum Security Standards for Networked Devices
1. Keep software patches current
2. Run approved anti-virus software
3. Run approved host-based firewall software
4. Use secure passwords
5. No unencrypted authentication
6. No unauthenticated relays
7. No unauthenticated proxy services
8. Ensure physical security
9. Don't run unnecessary services

Slide 18: Minimum Security Standards for Electronic Information (MSSEI)
1. Notice-triggering information: High Confidentiality; apply all protective measures listed in Attachment A
2. Payment Card Industry data: may not be stored without explicit approval from UC Berkeley Billing and Payment Services

Slide 19: 1) MSSEI notice-triggering information: first name OR first initial, AND last name, in combination with one or more of the following:
- Social Security number
- driver's license number
- California Identification number
- financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
- medical information
- health insurance information

Slides 20-22: Protective Measures for high confidentiality information (three slides; the list of measures was not captured in this transcription).

Slide 23: 2) Payment Card Industry Data Security Standard (PCI DSS) data: the Primary Account Number (PAN, the credit card number) AND any of the following if stored, processed, or transmitted with the PAN: cardholder name, service code, expiration date.

Slide 24: MSSEI (repeats the two categories from slide 18: notice-triggering information and Payment Card Industry data).

Slide 25: Compliance
- Departmental Security Contact Policy
- Guidelines and Procedures for Blocking Network Access
- Security Incident Response Procedures
Slide 26: Departmental Security Contact Policy. To implement this policy, each department needs to appoint a security contact and one or more backup contacts. Departments may agree to share contacts for efficiency. Contacts need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the contact to have extensive security expertise.

Slide 27: Guidelines and Procedures for Blocking Network Access. When computers pose a serious risk to campus information system resources or the Internet, their network connection may be blocked. If the threat is immediate, the offending computer(s) will be blocked immediately and notification will be sent to the departmental security contact(s) via e-mail that the block has occurred.

Slide 28: Security Incident Response Procedures. Berkeley Campus Plan Implementing UC Requirements for Protection of Computerized Personal Information:
1. Definitions
2. Responsibilities
3. Incident Response Process
4. Notification Procedures
5. Reporting Requirements
Attachment A: Information Practices Act, sections (section numbers not captured in this transcription)
Attachment B: Revision to IS-3 to Cover SB 1386 Requirements
Attachment C: Draft notification text for an SB 1386 breach

Slide 29: Security Incident Response Procedures
- Remove the threat.
- Preserve evidence.
- Possibly rebuild the environment to resume operations.
- Determine whether there was a breach, then whether notification is required.

Slide 30: Security Incident Repercussions
- Very costly
- Very intrusive upon regular operations
- Damaging to the department or project, to the Berkeley campus, to the University of California, to faculty, to staff

Slide 31: Assistance
- Technical services and tools
- Implementing Guidelines
- Requests for Exception

Slide 32: Campus Minimum Security Standards Implementing Guidelines:
1. Software patch updates: see the Software patch updates FAQ page, which includes examples of "noncompliant" operating systems. Also see instructions for:
   * Microsoft Windows Operating System
   * Linux/UNIX Operating System
   * Macintosh Operating System
2. Anti-virus software
   * Updating Firewall/Antivirus
3. Host-based firewall software
etc., etc.

Slide 33: Campus Minimum Security Standards Requests for Exception: Departments, units, or individuals who believe their environments require configurations that do not comply with the Minimum Standards may request exceptions to the policies.

Slide 34: Minimum Security Standards (repeats slide 16)
- MSS for Networked Devices
- MSS for Electronic Information

Slide 35: Data Security on Campus. Kate Riley, IT Security Analyst, IST-Application Services.

Slide 36: Attacks. This campus receives millions of attacks per day:
- Attempts to exploit unpatched systems
- Attacks specific to application software
- Phishing attacks

Slide 37: Motivation for Attacks
- Defacement
- Denial of Service
- Data Theft

Slide 38: Campus Offerings
- Restricted Data Management (RDM)
- Scanning tools: AppScan, Nessus
- Aggressive IP Distribution (AID)
- You
Slide 39: Credit Card Data Security
- 2005: Visa and MasterCard released the Payment Card Industry Data Security Standard (PCI:DSS 1.0)
- 2008: New standard (PCI:DSS 1.1) made compliance with the standard even more challenging
- 2009: PCI:DSS 1.2 just released
- University Cash-Handling Policy (BUS 49) requires that all campus merchants comply with PCI:DSS

Slide 40: Credit Card Data Security. General rules:
- Will not capture or transmit the credit card number on the campus network; this includes e-mails, spreadsheets, printers, etc.
- Will not store credit card numbers electronically on campus in any device

Slide 41: Payment Card Industry Data Security Standard. PCI:DSS defines requirements for:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy

Slide 42: Payment Card Industry Data Security Standard. PCI:DSS requires campus merchants to complete an annual Self-Assessment Questionnaire to certify their compliance with the security standards for their merchant type.

Slide 43: PCI Merchant Types. There are four PCI:DSS Self-Assessment Questionnaires, depending on acceptance method.

Slide 44: SAQ-B: Sample Compliance. Total: 26 questions, similar to:
- Is the card number masked when displayed?
- Are policies, procedures and practices in place to preclude sending unencrypted card numbers by end-user messaging technologies (e.g., e-mail, instant message, chat)?
- Is access to system components and cardholder data limited to individuals with a business need?
- Are all paper and electronic media with cardholder data physically secure?
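Two of the SAQ-B questions above (is the card number masked when displayed; are unencrypted card numbers kept out of e-mail and chat) and the slide 40 rule against capturing or transmitting card numbers on the campus network all come down to one practical check: can a merchant administrator find stray PANs in mailboxes and spreadsheets before certifying? The Python scanner below is an added example, not code from the presentation or from any UC Berkeley or Trustwave tool. It finds 13- to 19-digit runs in free text, keeps only those that pass the Luhn check (which rules out most order numbers and phone numbers), and reports each hit masked to its last four digits so the report itself is not cardholder data. The sample e-mail is constructed; the two card numbers in it are well-known test PANs, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (so a 20-digit order number
# is skipped rather than partially matched).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands; it filters out most
    random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display, keeping only the last four digits.
    PCI DSS requirement 3.3 allows at most the first six and last four to be
    shown; keeping only the last four is the stricter choice for a scan report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the masked form of every Luhn-valid PAN candidate in text."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_text(text: str) -> list:
    """Scan line by line and return (line_number, masked_pan) pairs, so a
    finding can be located without reproducing the full number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for masked in find_pans(line):
            findings.append((line_no, masked))
    return findings


# Constructed sample: the kind of e-mail the SAQ-B question is asking about.
# 4111... and 5555... are standard test PANs; the 16-digit order reference
# fails the Luhn check and the phone number is too short to be a candidate.
SAMPLE_EMAIL = """Hi, please charge the conference fee to my card 4111 1111 1111 1111, exp 09/11.
Order reference 1234567890123456; call 510-642-1234 with any questions.
The gift shop terminal card on file is 5555-5555-5555-4444."""

if __name__ == "__main__":
    for line_no, masked in scan_text(SAMPLE_EMAIL):
        print(f"line {line_no}: possible PAN {masked}")
```

Run against the sample, the scanner reports line 1 and line 3 and stays silent on the order reference and phone number. A Luhn pass is necessary but not sufficient (roughly one random digit run in ten passes), so hits still need a human look; the masking keeps that review from spreading cardholder data into ticket systems or e-mail, which would recreate the very problem the SAQ question is about.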
Slide 45: SAQ-D: Sample Compliance. Total: 226+ questions covering the topics of:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification

Slide 46: 3rd Party Service Agreements
- Service providers are contractually required to adhere to the PCI:DSS requirements
- All campus credit card operations must have a written agreement that has been reviewed and approved by the campus business contract office
- No click-on agreements!

Slide 47: PCI Data Security Standards. PCI:DSS requirements at: (URL not captured in this transcription)
- Merchants complying with SAQ-C or SAQ-D may need quarterly network scans
- The campus is working to limit the number of SAQ-C and SAQ-D merchants: this reduces our exposure to risk and is less costly for the merchant

Slide 48: Campus Certification Vendor
- The University contracted with Trustwave to host the questionnaires online and to conduct the scans, via their online portal trustkeeper.net
- Each merchant department has a designated administrator who oversees PCI compliance for their merchant accounts

Slide 49: Merchant Timeline. July-August:
1. PCI:DSS training: PCI administrators conduct PCI training with all staff handling credit card data
2. Certify PCI:DSS compliance: PCI administrators certify compliance via the trustkeeper.net portal

Slide 50: PCI:DSS Training. PCI:DSS Requirement 12.6: Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security?
- Educate employees upon hire and at least annually
- Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures

Slide 51: Certify PCI:DSS Compliance. The PCI administrator:
- Logs into the existing merchant profile in trustkeeper.net (contact the Billing and Payment Services Office for PCI administrator changes)
- Pays the contract extension fee via departmental BluCard
- Completes and passes the appropriate PCI:DSS Self-Assessment Questionnaire
Slide 52: Consequences if Not Compliant
- Visa merchants are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident
- FDMS may also impose fines or penalties
- The campus will no longer be able to self-certify; we will need to pay for qualified auditors to come on-site to document our compliance
- Managed response to any breach of sensitive

Slide 53: Campus PCI:DSS Compliance
- Compliance must be documented annually with FDMS and UCOP
- Based on our campus-wide activity, the Controller's Office must file a formal Attestation of Compliance with First Data Merchant Services annually
- If one merchant answers "No" to one question, then the entire campus fails

Slide 54: Campus Compliance Timeline. September: the Controller's Office files an Attestation of Compliance with the University's bank. If one merchant answers "No" to one question, then the entire campus fails compliance.

Slide 55: Other Credit Card Requirements. The Payment Application Data Security Standard (PA:DSS) applies to payment applications that are sold, distributed or licensed to third parties. It is designed to help software vendors and others develop secure payment applications that:
- Do not store prohibited data (e.g., full magnetic stripe, CVV2 or PIN data)
- Ensure the payment application supports compliance with the PCI DSS
- Ensure software development processes for web-based applications follow secure coding practices

Slide 56: Other Credit Card Requirements
- University Cash-Handling Policy (BUS 49) requires that relationships with a third-party vendor to manage credit card acceptance be approved by UCOP Banking Services
- The third party's background, capabilities, financial condition and references are reviewed
- Contract agreements are required to meet minimum levels of protection, regulatory compliance, insurance, bonding, and accurate/timely handling of credit card data as outlined in University policy BUS-49

Slide 57: Obtaining PCI Compliance (diagram). Questions asked at each point of the payment path: Are the paper records compliant? If we control this connection, is it PCI compliant? Is the server PCI compliant? Is the application PCI compliant? Is this connection PCI compliant? The UCB pre-approved gateways and the path beyond them are PCI compliant.

Slide 58: PCI Compliance Timeline
- July-August: Campus departments conduct PCI training with all staff handling credit card data; PCI administrators obtain and document compliance via the trustkeeper.net portal
- September: The Controller's Office files an Attestation of Compliance with the University's bank

Slide 59: Resources/References
- PCI:DSS: https://
- Visa's List of PCI:DSS Compliant Applications: http://usa.visa.com/download/merchants/cispist-of-pcidss-compliant-service-providers.pdf
- PA:DSS Qualified Applications: https:// ndards/vpa/

Slide 60: Resources/References
- UC Cash-Handling Policy: BUS 49
- UCB Minimum Security Standards

Slide 61: Contacts
- Kim Ray: merchantsupport@berkeley.edu
- Karen Eft: policy@berkeley.edu
- Technical questions: security@berkeley.edu
More informationSimplêfy Client Support and Information Services. PCI Compliance Guidebook
Simplêfy Client Support and Information Services PCI Compliance Guidebook Simplêfy, Inc. 301 Science Drive, Suite 280 Moorpark, CA 93021 Phone 888.341.2999 Fax 877.280.0885 Simplêfy is a Registered Trademark
More informationEAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
More informationUCSB Credit Card Processing and PCI Compliance
UCSB Credit Card Processing and PCI Compliance Sandra Featherson Associate Director of Controls Campus Credit Card Coordinator May 2011 Agenda Campus Credit Card Process Overview Terminology Approval/Acceptance
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationPCI DSS Compliance. 2015 Information Pack for Merchants
PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends
More informationTechnical breakout session
Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationPCI Overview. PCI-DSS: Payment Card Industry Data Security Standard
PCI-DSS: Payment Card Industry Data Security Standard Why is this important? Cardholder data and personally identifying information are easy money That we work with this information makes us a target That
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationMasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.
MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded
More informationPOLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants
POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration
More informationPCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data
PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on
More informationInformation Technology
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationPCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz
PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card
More informationUniversity Policy Accepting and Handling Payment Cards to Conduct University Business
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More information2.1.2 CARDHOLDER DATA SECURITY
University of Oxford Finance Division FINANCIAL POLICY 2.1.2 CARDHOLDER DATA SECURITY Date: 21 March 2013 Version: 2.1.2 Status: Approved Author: Simon Blee Bridget Midwinter TABLE OF CONTENTS Page EXECUTIVE
More informationHow To Ensure Account Information Security
Global PCI DSS Framework Emöke Bitter Business Leader, Risk Management 26 February 2009 Agenda Introduction Merchants Service Providers Registry of Service Providers Payment Applications Resources Information
More informationData Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :
Data Security & PCI Compliance Securing Your Contact Center Session Name : Title Introducing Trevor Horwitz Pi Principal, i TrustNet t trevor.horwitz@trustnetinc.com John Simpson CIO, Noble Systems Corporation
More informationWhat are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
More informationSales Rep Frequently Asked Questions
V 02.21.13 Sales Rep Frequently Asked Questions OMEGA Processing Data Protection Program February 2013 - Updated In response to a national rise in data breaches and system compromises, OMEGA Processing
More informationPCI DSS Presentation University of Cincinnati
PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI
More informationPOLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS
Publication Date 2009-08-11 Issued by: Financial Services Chief Information Officer Revision V 1.0 POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS Overview: There
More informationThis appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
More informationUNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents
UNL PAYMENT CARD POLICY AND PROCEDURES Table of Contents Payment Card Merchant Security Standards Policy and Procedures... 2 Introduction... 4 Payment Card Industry Data Security Standard... 4 Definitions...
More informationSo you want to take Credit Cards!
So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed
More informationQ: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?
Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain
More informationCOLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6
1. Procedure Title: PCI Compliance Program COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 2. Procedure Purpose and Effect: All Colorado State University departments that accept credit/debit
More informationPCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
More information* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain
More information