Payment Card Industry Data Security Standards (PCI DSS)

Transcription

1 Payment Card Industry Data Security Standards (PCI DSS)

2 Agenda What is PCI DSS? What does PCI Standards Mean for you 2 Basic Tips for Compliance Quarterly Scans and Annual Questionnaire Requirements Completing the Attestation & Questionnaire B

3 What is PCI? The Payment Card Industry Data Security Standard (PCI DSS) represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.

4 What PCI Standards Mean for You

5 As a merchant, you are responsible for preventing theft of cardholder data. You need to continuously assess your operations, and fix any vulnerabilities that are identified. In operational terms, it means that you are making sure your customers' payment card data is being kept safe for every transaction, and that they and you can have confidence that they're protected against the pain and cost of data breaches.

6 And if DePaul is not compliant, it could be disastrous: Just one incident can severely damage the university s reputation and our ability to conduct credit card business Account data breaches can lead to catastrophic loss of revenue, business relationships and standing in our community Possible negative financial consequences also include: Lawsuits Insurance claims Cancelled accounts Payment card issuer fines Government fines

7

8

9 Departments having a stake in assuring Compliance and avoiding Failures Treasurer s Office Office of General Counsel Information Systems PCI Compliance by University Department Office of Institutional Compliance Financial Affairs Internal Audit

10 2 Basic Tips for Compliance Validation

11 Make sure you never store Sensitive Authentication Data (includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks). Take inventory of all the reasons and places you store this data. If the data doesn t serve a valuable business purpose, consider eliminating it. If you don t need it, don t store it!

12 Quarterly Scans and Annual Questionnaire

13 DePaul Compliance Requirements for PCI Security Metrics scans DePaul IPs quarterly looking for Vulnerabilities. The Annual PCI DSS Self-Assessment Questionnaire (SAQ v2.0) is a validation tool intended to assist you in self-evaluating our compliance with the Payment Card Industry Data Security Standard (PCI DSS).

14 Annual Attestation & Questionnaire The PCI DSS SAQ consists of the following components: Attestation of Compliance: The Attestation is your self-certification that you are eligible to perform and have actually performed a PCI DSS self-assessment. Questions correlating to the PCI DSS requirements, appropriate for service providers and merchants.

15 Selecting the SAQ and Attestation that Best Apply to Your Area There are five SAQ categories, briefly described in the table below and selected SAQs detailed in the following slides. SAQ A B C-VT C D Description Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. Imprint-only merchants with no electronic cardholder data storage, or standalone, dialout terminal merchants with no electronic cardholder data storage Merchants using only web-based virtual terminals, no electronic cardholder data storage Merchants with payment application systems connected to the Internet, no electronic cardholder data storage All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ. DePaul Merchants fall into category A,B, or C.

16 SAQ B Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage. SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or standalone, dial-out terminals. SAQ B merchants confirm that: You use only an imprint machine and/or standalone, dial-out terminals (connected via a phone line to your processor) to take your customers payment card information; The standalone, dial-out terminals are not connected to any other systems within DePaul s environment; The standalone, dial-out terminals are not connected to the Internet; You do not transmit cardholder data over a network (either an internal network or the Internet); You retain only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically; and You do not store cardholder data in electronic format.

17 PCI DSS Compliance Completion Steps Assess your environment for compliance with the PCI DSS. Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines. Complete the Attestation of Compliance in its entirety. Submit the SAQ, and the Attestation of Compliance, along with any other requested documentation, to the Treasurer s office. The Treasurer s Office and Information Services can assist you if you have questions.

18 What Treasury does with all these Questionnaires? SAQ A (Dept.) SAQ B (Dept.) SAQ C (Dept/IT) Treasurer s Office Acquirer (Elavon) SAQ C (University)

19 SAQ B Stand Alone, Dial-Out Terminals

20

21

22 Protect Cardholder Data

23

24

25 Implement Strong Access Control Measures Requirement 9: Restrict physical access to cardholder data

26

27 Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security for all personnel

28

29 Attestation of Compliance, SAQ B

30

31

32

33

34

35

36 STOP You have completed Questionnaire B Continue with Section on Compensating Controls only if you answered NO to any of the questions.

37 Compensating Controls Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls. Compensating controls must satisfy the following criteria: 1. Meet the intent and rigor of the original PCI DSS requirement. 2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.) 3. Be above and beyond other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)

38 Appendix C: Compensating Controls

39 Example: Compensating Controls

40

41