Self Assessment Questionnaire A Short course for online merchants
- Drusilla Gilmore
- 8 years ago
1 Self Assessment Questionnaire A: Short course for online merchants
This presentation will cover:
- PCI DSS Requirements and Reporting Compliance
- Risks to card holder data when using a Web Hosting Provider
- How NCSU ecommerce merchants should complete their SAQ A
- PCI DSS definitions and vocabulary
Presented by: Tim Gurganus, PCIP, PCI Internal Security Assessor

2 Self Assessment Questionnaire A: Review from Merchant Training
Merchant responsibility:
-> Complete a Self Assessment Questionnaire for each merchant
Cardholder Data - At a minimum, cardholder data consists of the full 16 digit credit card number. Cardholder data may also appear in the form of the full CCN plus any of the following: cardholder name, expiration date and/or CVV number.
Service Provider - any organization that stores, transmits or processes cardholder data on behalf of merchants or other service providers. Also other organizations that could impact merchant security (even if they don't have direct access to cardholder data). Examples include web hosting providers, Nelnet, Yahoo Storefront, Paypal, Intelipay.

3 From Merchant Training: Things We Need Every Merchant to Do
- Read and understand the PCI policies and procedures of the University. These will be presented to each merchant as part of an annual PCI-DSS training class.
- Complete and sign the Self Assessment Questionnaire annually. Each merchant will complete an annual PCI-DSS training class and then submit a completed SAQ.
- If you are using a PA-DSS listed application, get compliance documentation from the vendor before the annual assessment.
4 Risks to ecommerce Merchants
From a recent presentation on PCI scoping and risks to ecommerce merchants
"Doesn't my vendor do my Compliance for me?"
Example: Outsource payment processing to a third-party e-commerce provider

5 Risks to ecommerce merchants
From a recent presentation on PCI scoping and risks to ecommerce merchants
Breach: Outsource payment processing to third-party e-commerce
A merchant cannot outsource their PCI DSS responsibility. They may outsource operational responsibility for maintaining security controls.

6 Guidance document for e-commerce merchants released January
Merchants may use a variety of technologies to implement e-commerce functionality, including payment-processing applications, application programming interfaces (APIs), inline frames (iframes), or hosted payment pages. No matter which option a merchant may choose, there are several key considerations to keep in mind regarding the security of cardholder data, including:
- No option completely removes a merchant's PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected.
- Connections and redirections between the merchant and the third party can be compromised, and the merchant should monitor its systems to ensure that no unexpected changes have occurred and that the integrity of the connection/redirection is maintained.

7 Guidance document for e-commerce merchants released January
Merchants are responsible for the security of the redirect mechanism on their websites.
Configuration: The merchant's website redirects consumers' browsers to an e-commerce payment processor's website; the consumer enters payment directly into the e-commerce payment processor's website.
Merchant role/responsibility: The merchant still has responsibility for PCI DSS requirements for some elements of the e-commerce infrastructure even though they have outsourced much PCI DSS responsibility for storage, processing and transmission of cardholder data. This is because compromise of the merchant's website may result in compromise of the redirection mechanism, leading to compromise of Card Holder Data (CHD).
Merchant is responsible for:
- Managing the website and servers (if self-hosted), including applicable PCI DSS requirements
- Applicable PCI DSS requirements for managing third parties (e.g., Requirement 12.8)
- Having written agreements with any third parties and ensuring they protect cardholder data on behalf of the merchant, in accordance with PCI DSS
- Securing the web page(s) containing the redirection code and/or function(s)
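Slides 6 and 7 say the merchant must monitor the page that carries the redirect so that unexpected changes, and a redirect that no longer points at the processor, are noticed. The script below is an added example (it is not from the NCSU presentation or from the PCI SSC guidance) of one way a merchant could run that check: hash the "Pay Now" page against a stored baseline, and verify that every link, form action and meta-refresh target on it still points at the approved payment processor. The page HTML, the processor hostname pay.example-processor.com and the altered copy of the page are all constructed for the example.

```python
"""Integrity check for an e-commerce redirect page.

Added example, not code from the presentation. It keeps a baseline of the
page that carries the "Pay Now" redirect and verifies that (a) the page
has not changed since the baseline was recorded and (b) every place the
browser could be sent to still points at the approved payment processor.
All page content, hostnames and the altered copy are constructed here.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the merchant has approved for payment redirects (constructed).
APPROVED_PAYMENT_HOSTS = {"pay.example-processor.com"}

# Constructed checkout page as it looked when the baseline was recorded.
BASELINE_PAGE = """<html><body>
<h1>Event Registration</h1>
<form action="https://pay.example-processor.com/checkout" method="post">
  <input type="hidden" name="merchant_id" value="EXAMPLE-MERCHANT">
  <a href="https://pay.example-processor.com/checkout?item=reg">Pay Now</a>
</form>
</body></html>"""

# Constructed copy after an unexpected change: the Pay Now link now points
# at a look-alike host that is not the approved processor.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    'href="https://pay.example-processor.com/checkout?item=reg"',
    'href="https://pay.example-processor.com.lookalike.example/checkout"')


class RedirectTargetParser(HTMLParser):
    """Collect every URL a browser could be sent to from this page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # <meta http-equiv="refresh" content="0; url=https://...">
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content") or "", re.I)
            if m:
                self.targets.append(m.group(1))


def page_hash(html: str) -> str:
    """SHA-256 of the page text; the stored value is the integrity baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def redirect_targets(html: str) -> list:
    """Return all link, form-action and meta-refresh URLs in document order."""
    parser = RedirectTargetParser()
    parser.feed(html)
    return parser.targets


def unapproved_targets(html: str) -> list:
    """Return redirect targets whose host is not on the approved list.

    The hostname must match exactly: a suffix or substring match would
    accept look-alike hosts. Relative URLs have no hostname; they would keep
    the browser on the merchant's own server, which under SAQ A must not
    receive card data, so they are reported as well.
    """
    bad = []
    for url in redirect_targets(html):
        host = urlparse(url).hostname
        if host is None or host not in APPROVED_PAYMENT_HOSTS:
            bad.append(url)
    return bad


def check_page(html: str, baseline_hash: str) -> dict:
    """Run both checks; 'ok' is True only when the page is unchanged and
    every redirect target is approved."""
    changed = page_hash(html) != baseline_hash
    bad = unapproved_targets(html)
    return {"content_changed": changed, "unapproved_targets": bad,
            "ok": not changed and not bad}


if __name__ == "__main__":
    baseline = page_hash(BASELINE_PAGE)
    print("baseline page:", check_page(BASELINE_PAGE, baseline))
    print("altered page: ", check_page(TAMPERED_PAGE, baseline))
```

In practice the baseline hash would be recorded when the page is published and stored away from the web server, and the check run on a schedule against the live page; any `content_changed` result that does not match an approved change request, or any entry in `unapproved_targets`, is the signal the guidance asks the merchant to watch for.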
8 Self Assessment Questionnaire A: Short course for online merchants
Part 1: Merchant Information
- Department/College Name:
- Contact Name:
- Title:
- Telephone:
- Business Address:
- URL(s) of Payment Application: URL of page with Pay Now link
- Merchant Account Name:

9 How to Complete Self Assessment Questionnaire A
Part 2: Type of Merchant Business
- E-Commerce:
- Mail order / Telephone Order:
- Event Registration:
- Fund Raising:
- Other:
Short Description of business:
Does your company have a relationship with one or more third-party agents (for example web hosting companies, card gateways like Nelnet, Cybersource or Authorize.net)?
Name of Credit Card Processor (example: Nelnet):

10 How to Complete Self Assessment Questionnaire A
Part 2: Type of Merchant Business
2b. Eligibility to Complete SAQ A
Note: You must be able to answer Yes to all of the questions below to be eligible for using SAQ A. If you no longer qualify for SAQ A, send a note explaining that to: merchantservices@ncsu.edu
- Merchant does not (electronically) store, process or transmit any card holder data on merchant systems or premises, but relies entirely on third party service provider(s) to handle these functions;
- The third party service provider(s) handling storage, processing, and/or transmission of card holder data is confirmed to be PCI Compliant;
- Merchant does not store any cardholder data in electronic format; and
- If Merchant does store card holder data, such data is only in paper reports or copies of receipts and is not received electronically.
11 Reporting PCI-DSS Requirements using SAQ A
Requirement 9.6: Physically secure all media
Req. 9.6: Are all paper documents with credit card numbers on them physically secured in a locked room or enclosure where there are a limited number of people with keys?
- Locked?
- Not a mixed-use enclosure/room (completed order forms and 10 other things)
- Limited number of keys, given only to full time University employees using the payment application
- Document processes for the handling of keys: issuing new keys, returning keys, procedure for handling lost keys
- Create a PCI Procedures document if needed

12 Reporting PCI-DSS Requirements using SAQ A
Requirement 9.7: Maintain strict control of the distribution of card holder data
Req. 9.7(a): Do you have rules and/or procedures that are followed when forms with card numbers on them are moved from your office to another location, department or company? Yes/No
- Distribution means card holder data leaves your office (premises) and goes to another location, department or company
- Strict means you have rules or specific procedures that are followed for controlling distribution of media containing card numbers

13 Reporting PCI-DSS Requirements using SAQ A
Req. 9.7(b): Do you have a method for labeling paper documents with credit card numbers on them? Yes/No
- Do you have a specific label for forms or reports containing card holder data?
- Do you keep all forms or reports containing card holder data in a specific location?
- You must have a method for labeling sensitive credit card data

14 Reporting PCI-DSS Requirements using SAQ A
Requirement 9.7.2: Track all media when card holder data is distributed
Req.: When paper forms with credit card numbers on them are moved/sent to another location, do you use a secured courier OR do you keep a log recording how many were moved/sent, when, and who moved it or picked it up?
Tracking:
- If you have an internal office gopher, keep a log of how many forms, who picked them up and when, OR use a secure courier service
- If just moving a box to storage, count how many forms are put in the box before you move it and verify you have the same number when you get to the destination
15 Reporting PCI-DSS Requirements using SAQ A
Req. 9.8: When media is moved from a secured area, is management approval obtained prior to moving the media (this is especially important when media is distributed to individuals)? Yes/No
When media is moved from a secured area, are logs recorded (what was moved, who and when)? Yes/No
- Paper log of what was moved (how many forms, boxes, etc.), where, approval with reason, when moved
- Not stated, but the move should be to another secure location, locked with limited keys and access by current employees only

16 Reporting PCI-DSS Requirements using SAQ A
Req. 9.9: Is strict control maintained over the stored media? Is access to media with credit card numbers restricted to university employees with a business need?
Guidelines for access to card holder data:
- Have written procedures for issuing keys, returning keys, dealing with lost keys
- Lock the secure enclosure when not open for business
- Only open the lock when removing or returning an item
- Try to minimize the amount of card holder data removed at a time
Strict: rules or specific procedures for controlling access to stored media containing credit card numbers

17 Reporting PCI-DSS Requirements using SAQ A
Req. 9.9: Is strict control maintained over the stored media? Is access to media with credit card numbers restricted to university employees with a business need?
Guidelines for access to card holder data (continued):
- Keys are given only to people with a business need to have one
- Keys are turned in when no longer needed
- Locked when not open for business
- Enclosure locked except when taking something out or putting it back
Related requirement not in SAQ report: conduct periodic media inventory, checking to see that it is up to date and accurate; the check must be done at least annually

18 Reporting PCI-DSS Requirements using SAQ A
Req. 9.10: Is media destroyed when no longer needed for business or legal reasons? Yes/No
- Use a cross cut shredder (use micro cut if possible, ~smaller pieces); 1/8" square is good, less than inch long chads
- Have a card number retention policy; shred at least once a year
- Destroy paper forms that are older than your retention policy
University Record Retention and Disposition policy:
19 Reporting PCI-DSS Requirements using SAQ A
Req.: (a) Are hardcopy materials crosscut shredded, incinerated or pulped so that card holder data cannot be reconstructed? (b) Are containers of paper to be destroyed secured to prevent access to the contents?

20 Reporting PCI-DSS Requirements using SAQ A
Req.: Is your list of service providers up to date? Yes/No
Providing and maintaining a list was part of the assignment after the "Demystifying PCI DSS Compliance" merchant training

21 Reporting PCI-DSS Requirements using SAQ A
Req.: In the contract with your service provider, does the service provider specifically accept responsibility for the security of card holder data that the service provider possesses or collects? Yes/No/N/A
- Find the contract and check
- What if my service provider doesn't collect or possess card holder data?

22 Reporting PCI-DSS Requirements using SAQ A
Adding/changing service providers requires prior approval by the NCSU Controller's Office
Req.: Are you aware of the NCSU process for using new service providers?
- When merchants want to add a service provider, they should consult with OIT-ISS and get approval from the Controller's Office
- OIT-ISS must assess the security and PCI compliance of the service provider prior to engaging the service provider
23 Reporting PCI-DSS Requirements using SAQ A
Assessing hosting provider security
Use Google search to find information on your hosting provider's information security. Look for:
- Security and data protection policies
- Information on firewalls, security patching, log monitoring
- Information on server sharing
- Information on root or shell access
- Incident response procedures
- Information on how to harden your website or webserver

24 Reporting PCI-DSS Requirements using SAQ A
Assessing hosting provider security
- Look for information on features like HackerSafe, SiteLock or Secured by Symantec, where the hosting provider will scan your website for vulnerabilities
- Look for information on security update policy and responsibility
- Look for information on incident response or how to report security incidents

25 Reporting PCI-DSS Requirements using SAQ A
The security and PCI-DSS compliance of service providers must be checked at least annually.
Req.: Are you aware of the NCSU process to monitor compliance of your service providers?
Merchants will need to work with OIT-ISS to obtain documentation from the service provider, including:
- Executive summary of Report on Compliance (ROC)
- Certificate of PCI compliance
- Other documentation of PCI compliance
The process is for merchants to work with OIT to get the required documentation.
26 How to Complete Self Assessment Questionnaire A
Part 3: PCI-DSS Validation
Based on the results noted in the SAQ A dated (completion date), (Merchant company name) asserts the following compliance status:
- Compliant: All sections of the PCI SAQ are complete, and all questions answered Yes, resulting in an overall Compliant rating, thereby demonstrating full compliance with the PCI DSS.
- Non-compliant: Not all sections of the PCI SAQ are complete or some questions are answered No, resulting in an overall Non-compliant rating, thereby not demonstrating full compliance with the PCI DSS. Target date for compliance:
An entity submitting this form with a status of Non-Compliant is required to complete the Action Plan in Part 4 of this document.

27 How to Complete Self Assessment Questionnaire A
Part 3a: Confirmation of Compliant Status
Merchant Confirms:
- PCI DSS Self-Assessment Questionnaire A, Version 2.0, was completed according to the instructions given.
- All information within the above referenced SAQ and in this attestation fairly represents the results of my assessment.
- I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.

28 How to Complete Self Assessment Questionnaire A
Part 3b: Merchant Acknowledgement
- Signature of Merchant Executive Officer
- Date
- Merchant Executive Officer Name
- Title

29 How to Complete Self Assessment Questionnaire A
Appendix D: Explain N/A and Special
For example: If you marked Special for Requirement 9, then state: "Merchant has no order forms or reports that contain credit card data"

30 How to Complete Self Assessment Questionnaire A
Part 4: Action Plan for Non-Compliant Status
If you cannot meet a requirement:
- Indicate which requirement is not in place
- Indicate a date when Requirement 9 or 12 will be in place
31 How to Complete Self Assessment Questionnaire A
Glossary
Cardholder Data - At a minimum, cardholder data consists of the full 16 digit credit card number. Cardholder data may also appear in the form of the full CCN plus any of the following: cardholder name, expiration date and/or CVV number.
Distribution - card holder data leaves your office (premises) and goes to another location, department or company.
Media - Paper documents with full 16 digit credit card numbers on them along with the card holder name and expiration date. Media can also be electronic storage of full 16 digit credit card numbers, card holder name and expiration date.

32 How to Complete Self Assessment Questionnaire A
Glossary
Policy - Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures for all NCSU merchants.
Procedure - Descriptive narrative for a policy. A procedure is the "how to" for a policy and describes how the policy is to be implemented.
Service Provider - any organization that stores, transmits or processes cardholder data on behalf of merchants or other service providers. Also other organizations that could impact merchant security (even if they don't have direct access to cardholder data). Examples include web hosting providers, Nelnet, Yahoo Storefront, Paypal, Intelipay.

33 How to Complete Self Assessment Questionnaire A
Merchant Assignment
Using the instructions given in this presentation, complete a SAQ A form for each merchant account in the next 2 weeks. Send the completed SAQ A PDF file to: pciservices@ncsu.edu
If keeping card numbers on paper forms:
- Complete your key management document
- Document your distribution rules/policies
- Create a method for labeling sensitive credit card data
- Track when, where, what and who moves credit card data forms in a log
- Document your rules/policies for accessing stored forms containing credit card data
- Decide on a data retention policy for paper forms containing credit card data
- Check your contracts with service providers that you share card data with to see if they meet Requirement 12.8
- If not done already, submit your list of service providers to OIT-ISS
- Collect information on the security policy of your web hosting provider
More informationCOLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING
COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING Supersedes: None Date: March 17, 2014 I. PURPOSE To establish business processes and procedures for the processing of credit/debit card payments as
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More informationPayment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions
PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data
More informationProcessing e-commerce payments A guide to security and PCI DSS requirements
Processing e-commerce payments A guide to security and PCI DSS requirements August 2014 Contents Foreword by Peter Bayley 3 The systems involved 4 The key steps involved 4 The Payment Industry (PCI) Data
More informationRegistration and PCI DSS compliance validation
Visa Europe A Guide for Third Party Agents Registration and PCI DSS compliance validation October 2015 Version 1.1 Visa Europe 2015 Contents 1 Introduction... 4 1.1 Definitions of Agents... 4 2 Registration
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More informationImportant Info for Youth Sports Associations
Important Info for Youth Sports Associations What the Heck is PCI DSS and Why Should I Care? Joe Posey Terrapin Financial Services Your Club is an ecommerce Business You accept online registration over
More informationPCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
More informationPCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS
PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS David Clevenger November 2015 Summary Payment Card Industry (PCI) is an accreditation body that
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationTERMINAL CONTROL MEASURES
UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University
More informationNew York University University Policies
New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationMerchant Card Processing Request Form
Merchant Card Processing Request Form This form must be filled out and approved before accepting credit card payments at any new location or via any website. of Application: Type of Request: e-commerce
More informationThird Party Agent Registration and PCI DSS Compliance Validation Guide
Visa Europe Third Party Agent Registration and PCI DSS Compliance Validation Guide May 2016 Version 1.3 Visa Europe 2015 Contents 1 Introduction... 4 1.1 Definitions of Agents... 4 2 Registration Process...
More informationUniversity of Virginia Credit Card Requirements
University of Virginia Credit Card Requirements The University of Virginia recognizes that e-commerce is critical for the efficient operation of the University, and in particular for collecting revenue.
More informationAre You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014
Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319
More informationUniversity of Oregon Policy Statement Development Form
University of Oregon Policy Statement Development Form Policy Title: Electronic Commerce Policy submitted by: Name: Mark McCulloch Phone: 541 346 6249 Email: mmccullo@uoregon.edu Organization: Business
More informationSpokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A
Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Request for Proposals (RFP) for PCI DSS COMPLIANCE SERVICES Project # 15-49-9999-016 Addendum #1 - Q&A May 29,
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationCOLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL
PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card
More informationThe Design Society. Information Security Policy
The Design Society Policies and Forms That Conform to PCI DSS SAQ A Version 2.0 June 2014 About this Document This document contains The Design Society information security policies. This document is
More informationPresented by. Tim Gurganus. Amanda Richardson
Presented by Tim Gurganus Amanda Richardson Facts about NCSU and PCI-DSS Compliance We have around 120 Merchants We have over 225 Merchant IDs 30% of merchants have less than 100 transactions a year We
More informationPCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com
PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com Whoops!...3.1 Changes 3.1 PCI DSS Responsibility Information Technology Business Office PCI DSS Work Information
More informationDATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference
2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the
More informationPOLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants
POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration
More informationPCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates
PCI-DSS Compliance Ron Dinwiddie Chief Technology Officer J. Spargo & Associates Agenda What is PCI Compliance Why is PCI Important How does this impact me? Becoming PCI Compliant JSA PCI Strategy Risk
More informationUnderstanding Payment Card Industry (PCI) Data Security
Understanding Payment Card Industry (PCI) Data Security Office of the State Controller November 2010 State of North Carolina The Enemy Major Security Breaches TJ-Max Heartland Hannaford Foods BJ s Wholesale
More informationFREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program
FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,
More informationFAQ S: TRUSTWAVE TRUSTKEEPER PCI MANAGER
FAQ S: TRUSTWAVE TRUSTKEEPER PCI MANAGER SAQ FAQ S Q: Should I complete the PCI Wizard or should I go straight to the PCI Forms? A: The PCI Wizard has been designed to simplify the self-assessment requirement
More informationINFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business
DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More informationEAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
More informationCREDIT CARD PROCESSING POLICY AND PROCEDURES
CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.
More informationFREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program
FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,
More informationMinnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationCREDIT CARD NUMBER HANDLING PROCEDURES POLICY. 2014 October
CREDIT CARD NUMBER HANDLING PROCEDURES POLICY 2014 October Royal Roads University Page 1 of 6 21 October 2014 Table of Contents Policy Statement... 3 Rationale... 3 Applicability of the Policy... 3 Definitions...
More informationSimplêfy Client Support and Information Services. PCI Compliance Guidebook
Simplêfy Client Support and Information Services PCI Compliance Guidebook Simplêfy, Inc. 301 Science Drive, Suite 280 Moorpark, CA 93021 Phone 888.341.2999 Fax 877.280.0885 Simplêfy is a Registered Trademark
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More information