PCI DSS Security Awareness Training for University of Tennessee Credit Card Merchants. UT System Administration Information Security Office

Transcription

1 PCI DSS Security Awareness Training for University of Tennessee Credit Card Merchants UT System Administration Information Security Office

2 Agenda Overview of PCI DSS Compliance versus Non-Compliance PCI Policies at UT Roles and Responsibilities Data Breaches POS Terminal Fraud Annual Obligations All materials available at:

3 To Whom PCI Applies All merchants are required to complete the annual Self-Assessment Questionnaire (SAQ) that best matches the processes of the merchant. PCI DSS requirements are applicable to all merchants who process, transmit, or store cardholder data, regardless of the size or number of transactions. PCI DSS requirements are also applicable to all third-party service providers, who must be able to verify their compliant status. The payment brands (e.g., VISA, MasterCard), as well as the acquiring banks (e.g., Elavon, First Data), are responsible for enforcing PCI compliance.

4 The Steps to PCI Compliance Be able to honestly answer Yes to each requirement and subrequirement in the SAQ that is appropriate to your merchant processes. If you answer No for any sub-requirement, you must have a plan of action and date for remediation. Follow those processes for which you have been approved for your specific MID(s). Contact the Treasurer s Office and your campus Chief Business Officer (CBO) immediately should you feel your processes need to change. Contact the Treasurer s Office or the UTSA ISO should you have any questions or concerns about compliance.

5 The Cost of Non-Compliance One compromised UT merchant can adversely affect the remaining merchants throughout the UT system. Fines vary based on card brand, merchant level, and number of violations, and are levied by banks and credit card institutions. Fines of $50,000 per day for non-compliance with published standards Fines as high as $500,000 per data security incident for any merchant that is compromised and not compliant at the time of the incident Liability for all fraud losses incurred from compromised account numbers Liability for the cost of re-issuing cards associated with the compromise Cost may be as high as $50 per card Increased transaction fees charged by the bank Suspension of merchant accounts Incident investigation must be performed by external company certified by the PCI Security Standards Council Estimated cost is $30k - $300 per incident investigation Remediation costs Legal fees UT Fiscal Policy FI0311 states that: University Departments/Units (Merchants) must Cover all costs associated with PCI DSS compliance, as well as any fines, fees, and remediation expenses associated with a security breach. Aside from fines, remember that the university s reputation is at stake! Loss of sales and loss of donations as customer confidence declines Possibly a far greater loss than any fines or fees

6 PCI Policies at UT UT merchants shall regularly review their internal policies and procedures, and update as needed. All employees of UT merchants shall regularly review these policies: FI0311 Credit Card Processing IT0110 Acceptable Use of Information Technology Resources (AUP) FI0115 Reconciling and Reviewing Departmental Ledgers IT0115 Information and Computer System Classification FI0120 Records Management IT0121 Information Security Plan Creating and Data Breach Notification Procedures Merchant s internal policies and procedures Fiscal and IT policies are available on the UT Policy website: Merchant internal documentation templates will be made available on the UTSA ISO website:

7 Roles & Responsibilities from FI0311 Merchants (University Departments/Units): Complete Annual SAQ and maintain compliance at all times Notify Treasurer s Office and campus CBO of any change in approved processing Protect cardholder data and ensure appropriate security controls Internal documented procedures Technical controls on computers that process PCI data Update software on any terminals every 18 months. Place computers in the segmented cardholder data environment (SAQs A-EP, B-IP, C, C-VT, D) Financially responsible for costs associated with compliance: fines, fees, and remediation expenses Immediately notify UTSA ISO and campus CIO in the event of a suspected data breach

8 Roles & Responsibilities from FI0311 Campus/Institute Chief Information Officers: Identify and review systems in PCI scope Provide technical guidance and support in securing systems processing and transmitting CHD Ensure a segmented cardholder data environment exists Notify UTSA ISO of suspected security incidents

9 Roles & Responsibilities from FI0311 Campus/Institute Chief Business Officers: Monitor PCI compliance for the campus/institute Approve the business need for a Merchant ID Approve any changes to credit card processes and communicate changes with Treasurer s Office Review accuracy of SAQs for the campus/institute and sign attestation of accuracy

10 Roles & Responsibilities from FI0311 Audit and Consulting Services: Review departmental policies and procedures Conduct random full audits

11 Roles & Responsibilities from FI0311 UTSA Information Security Office: Consulting, guidance, and oversight related to PCI compliance and IT Security controls Review technical implementations related to PCI Incident response coordination Vulnerability scans Validate SAQs annually with on-site reviews

12 Roles & Responsibilities from FI0311 Treasurer s Office: Approve outsourced electronic payment processors Oversee credit card accounting for approved merchants Manage the Merchant ID approval process Maintain the relationship with the university s processor

13 Primary Causes of PCI Data Breach Being non-compliant with the PCI DSS requirements Unmanned or unattended POS devices Remote access Using vendor-supplied default passwords and settings Attacks on users Unpatched systems PCI devices used for non-pci tasks PCI devices using Wi-Fi networks

14 Detecting a Suspected Data Breach Unexpected system reboots or shutdowns Suspicious after-hours file system activity, or after-hours activity on POS devices Anti-virus programs malfunctioning or becoming disabled for no apparent reason Unknown files, software, and/or devices installed on PCI systems, including archived, compressed, or encrypted files in system directories Unexplained modification or deletion of data Excessive failed login attempts Unexplained user accounts Unknown or unexpected network traffic

15 PCI Incident Response Immediately report any suspected security incident to UTSA ISO and your campus/institute CIO. May be computer, network, or paper-based activity May result in Loss of confidentiality Compromise of integrity Loss of availability Do NOT turn device(s) off, but unplug only the network cable. Do NOT make any changes to device(s)! Label approved PCI devices to help identify what not to touch in the event of a suspected security incident.

16 POS Devices New requirements in PCI v3.x Affecting merchants with SAQs B, B-IP, C, and D Devices used for card-present transactions Policies and procedures Req 9.9 Inventory Req Identifying POS device tampering Req Training Req 9.9.3

17 Identifying POS Terminal Fraud Skimming is the unauthorized capture and transfer of payment data to another source. Skimming purpose Steal payment data from the customer s credit card Steal payment data from the payment infrastructure (i.e., institutions, devices, policies, procedures, standards, etc.) Skimming targets PIN data Unattended or unmanned terminals Merchants with a high transaction volume Terminals with a heavy volume of usage Merchants with periods of high volume sales

18 Identifying POS Terminal Fraud Examples of skimming devices added to ATMs and gas pumps

19 Identifying POS Terminal Fraud Examples of skimming devices added to POS terminals Skimmers can be hidden by the SIM card cover plate and by overlays, or stickers, that cover the keyboard area and can hide damage due to tampering, as well as wires that allow for keyboard logging.

20 Identifying POS Terminal Fraud Examples of handheld skimmers These small, handheld devices, often used by corrupt staff, can store a large amount of CHD and can connect to mobile devices.

21 Identifying POS Terminal Fraud Example of terminal connection change Normal terminal connection cable Changed cable houses additional wires to capture CHD

22 Protecting POS Devices Go through the Treasurer s Office for ordering POS devices. Keep your inventory of POS devices current. Use the PCI DSS Inventory Log found at Keep terminals securely locked away when not in use. If terminals are in a public location, never leave them unmanned or unattended. Employees shall review this training regularly and new employees must review prior to having access to terminals. Allow employees role-based access to the terminals. If access is not needed, access shall not be authorized. Keep up-to-date list of authorized employees on the PCI DSS Inventory Log.

23 Protecting POS Devices Inspect terminals daily to ensure there are no new stickers (could be overlays!) or that original stickers have not been removed or modified. Inspect terminals daily to see if the serial numbers are correct. Inspect terminals daily for broken or different colored casings. Inspect terminal connection cables daily for any signs of tampering. Verify the identity of anyone claiming to be a maintenance or repair person there to work on your POS device and verify who called for them. Report suspicious behavior around POS devices. If you suspect your POS terminal has been tampered with, contact the UTSA ISO immediately.

24 Annual Obligations Documentation Policy FI0311 Other pertinent UT policies Internal policies and procedures (update as needed) Complete PCI Security Awareness Training Update Inventory Update list of devices Update who is explicitly authorized to use Get management authorization each time inventory is updated Label devices to identify owner, contact info, and purpose Remove Access Remove access immediately when an employee leaves Remove access if employee no longer needs

25 Review Overview of PCI DSS PCI Compliant Roles and Responsibilities Data Breaches POS Terminal Fraud Annual Obligations

26 Training Verification For each merchant, every employee involved in the processing of cardholder data must complete training as part of the formal PCI Security Awareness Training. For official verification, please send the following in an to I, (name), attest to having fully completed the University of Tennessee s PCI security training on (date) at (time). I am an employee of (merchant). Your attestation will be documented and kept on file with the UTSA ISO should you need in the event of an audit.

27 Thank you! If you have questions, please contact Sandy Lindsey at Past training information is available on the PCI Compliance website: