OKLAHOMA STATE UNIVERSITY STUDENT UNION HOW IT SERVES OTHERS THROUGH PCI COMPLIANCE


2 OKLAHOMA STATE UNIVERSITY STUDENT UNION: HOW IT SERVES OTHERS THROUGH PCI COMPLIANCE
Tracie Brown, Associate Director of Administrative Services
Mike Peaster, Information Technology Manager

3 THE QUESTIONS WE HOPE TO ANSWER
- How can IT serve others through PCI compliance?
- What exactly is PCI, and what does it mean to be compliant?
- How long does this process take, and is it achievable?
- What happens behind the scenes to ensure that our customers' cardholder data is protected?
- Why should your front-line staff understand the importance of PCI compliance?
- Why should you care whether your organization is PCI compliant?

4 WHO WE ARE
- Located in Stillwater, OK
- Building physically located in the heart of campus
- Largest in the nation
- Comprehensive
- Completed a $65 million renovation in September 2012
- No. 1 ranking as the Most Amazing and Comprehensive Union (BestCollegeReviews.org)

5 AREAS OF RESPONSIBILITY
- Administrative Services: IT, Marketing, Human Resources, Accounts Receivable, Accounts Payable, Financial Reporting
- Building Operations: Maintenance, Custodial, Parking
- Retail Operations: Bookstore (Clothing, Supplies, Technology Store), E-Commerce site
- Campus Life: Center for Ethical Leadership, International Students & Scholars, Fraternity & Sorority Affairs, Non-Traditional Students, Off-Campus Student Association, Camp Cowboy, Student Government Association, Service Learning Volunteer Center, Allied Arts/Special Events, Student Union Activities Board, Parent & Family Relations, Student organizations
- Meeting & Conference Services
- University Dining Services: 32 dining options across campus, full service catering operation


7 CREDIT CARD PAYMENT CHANNELS
- Retail Operations (RATEX/Verifone VeriShield)
  - Total Revenue: $18.6 million
  - Total Credit Card Sales: $5.4 million
  - E-commerce accounts for $1.1 million of these sales
- University Dining Services (MICROS/Shift4)
  - Total Revenue: $21 million
  - Total Credit Card Sales: $1.87 million
- Other (wireless credit card machines)


9 BASICS OF PCI
- Background / History
- Acronyms
- PCI DSS Requirements
- Merchant Level Reporting Requirements
- Validation Requirements

10 BACKGROUND / HISTORY
Prior to 2006 the five major card brands each had their own security programs. Their goals were similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. In 2006 these five leading payment brands (American Express, Discover, JCB, Visa, and MasterCard) formed the Payment Card Industry Security Standards Council after several large, well-known institutions and brands had credit card payment data exposed to fraudulent purchases due to inadequate protection. The Payment Card Industry Data Security Standards (PCI DSS) were created as a result of these unprecedented assaults on personal and financial data.

11 ACRONYMS
- PCI: Payment Card Industry
- PCI DSS: Payment Card Industry Data Security Standards
- QSA: Qualified Security Assessor
- SAQ: Self Assessment Questionnaire
- ROC: Report on Compliance
- ASV: Authorized Scan Vendor
- P2PE: Point to Point Encryption
- POI: Point of Interaction
- AOC: Attestation of Compliance

12 PCI-DSS REQUIREMENTS
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

13 MERCHANT LEVELS
Level / Tier | Merchant Criteria
1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels)
3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
4 | Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually

14 VALIDATION REQUIREMENTS
Level / Tier | Validation Requirements
1 | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) if signed by an officer of the company; quarterly network scan by an Approved Scan Vendor (ASV); Attestation of Compliance form
2 | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form
3 | Annual SAQ; quarterly network scan by ASV; Attestation of Compliance form
4 | Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by the merchant bank

15 SAQ REPORTING REQUIREMENTS
SAQ Validation Type | Description
A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions fully outsourced to a PCI-compliant service provider
A-EP (NEW) | E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage
B | Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage
B-IP (NEW) | Merchants with only standalone IP-connected payment terminals: no e-commerce or electronic cardholder data storage
P2PE-HW | Hardware payment terminals in a PCI-listed P2PE solution only, no electronic data storage
C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage
C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
D | All other merchants (not included in the descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete a SAQ


17 WHAT YOU REALLY NEED TO KNOW
PCI compliance is going to look different for everyone in this room, based on your environment and the QSAs that you hire. It is important for you to be as knowledgeable as possible about your systems and your scope-reducing solutions.

18 PCI WHAT?
It was 2006. Life was good. Then we became aware of something called PCI.

19 KEY MILESTONES
We worked hard to have the best systems available at the time. We relentlessly pushed on our vendors and the OSU Network and IT Security departments to help us be compliant.
- Replace our homegrown e-commerce site with a PCI compliant storefront
- 2008: Outsourced e-commerce credit card processing; upgraded RATEX POS to gain database CC encryption
- 2010: Upgraded Micros and RATEX POS systems to PCI compliant versions (still storing CC numbers)
- 2010: Surprise visit from Internal Audits and Protiviti; they made note of the lack of firewalls and network segmentation
- 2010: BOA requests that OSU start filing the appropriate SAQs
- 2011: OSU finally allows us to install firewalls and VPNs to isolate the PCI environment

20 GETTING READY
The Student Union engaged Coalfire to provide advisory services with the goal of designing a SAQ-C environment and filing a completed SAQ-C (2.0) with all 80 elements confirmed to be compliant. To achieve this, we:
- Created configuration and build documents for all components (firewalls, VPNs, POS terminals, servers, etc.)
- Wrote policy and procedure to address all SAQ-C elements
- Created an employee training program
- Installed firewalls and VPNs to isolate the PCI environment
- Implemented point-to-point encryption systems to remove POS terminals, servers, and applications from PCI scope
Once we implemented the Coalfire design, we had them audit it.

21 COALFIRE SAQ-C (2.0) ASSESSMENT RESULTS

22 TRUE DIGITAL SAQ-C (2.0) ASSESSMENT RESULTS

23 WE MADE IT!
QSA assessment reports from both companies were submitted to OSU administration. SAQ-C filed with all items compliant! Good times are here again!

24 HERE'S THE GOTCHA.

25 PROTIVITI ASSESSMENT RESULTS

26 MORE WORK
- Added additional policy and procedure
- Change testing and implementation
- Configuration documentation for connected-to systems
- Added process and procedure for user account tracking and approval
- Installed an RSA SecurID server to centralize authentication, authorization, and ID and password rules enforcement
- Installed a centralized logging server and directed all in-scope systems capable of generating logs to it
- Configured the logging server to report exceptions to administrators for review. This alleviates the log review requirements.
We reported our compliance with the additional 66 elements to OSU Internal Audits and Protiviti. We engaged Coalfire to perform a gap analysis of our environment against the full DSS, all 288 elements (2.0).

27 COALFIRE PCI-DSS ASSESSMENT RESULTS

28 RINSE AND REPEAT. AGAIN
We reported our compliance with 237/288 controls. We started work on the remaining 51 controls:
- Contracted with an Authorized Scanning Vendor to perform internal and external penetration testing
- Added a yearly risk assessment requirement into policy
- Instituted yearly PCI awareness training for all
- Updated PCI policy to address all 170 in-scope elements
- Developed a more robust incident response plan
- Created a daily, weekly, monthly, yearly checklist and procedure document of PCI duties
- Added an internal scan appliance to handle quarterly internal PCI scans
We engaged Coalfire to perform an assessment of the remaining 51 controls.

29 WHERE WE WERE AS OF APRIL 2014

30 PCI DSS /326

31 PCI DSS 3.0: MAJOR CHANGES AND THEMES
- Strong third-party provider enforcement: maintain a written agreement that acknowledges service provider responsibility.
- Protecting POS devices from tampering / skimming: maintain an up-to-date detailed list of all devices; periodically inspect devices to detect tampering.
- Segmentation and scoping get tougher: system components include any component or device located within, connected to, or that may impact the security of the CDE.
- Penetration testing requirements are greatly enhanced.
- New SAQ types may change the SAQ that applies to your organization.

32 GENERAL NOTES ABOUT PCI DSS 3.0
- PCI DSS 3.0 seems to be an attempt to stop checkbox compliance and the assessors that enable it.
- If you are following the intent of the 2.0 standard, the changes in 3.0 may or may not be as significant to your organization.
- If you are cutting corners, the 3.0 requirements could be painful.
- Service providers need to get serious about PCI.

33 EMV: WHAT IS IT?
- AKA Chip and PIN
- Global standard for chip card technology to replace the mag stripe
- Typically a chip inset within a plastic card
- Chips can contain RFID capabilities to enable tap transactions
- The chip stores cardholder and application data more securely
- EMV provides protection against stolen card fraud as well as card reproduction fraud

34 EMV: WHAT IS IT?
Solutions are comprised of two components:
- A microprocessor, usually embedded in a payment card
- An EMV-enabled contact-based POS, or a contactless EMV-enabled POS

35 EMV: HOW DOES A CONTACT TRANSACTION WORK?

36 EMV: HOW DOES A CONTACTLESS TRANSACTION WORK?
- An EMV chip can be on a contactless card, where the chip is tapped or held near the terminal, or
- A chip can be inside your smart phone, and the phone is waved near the terminal

37 EMV: WHAT IT IS, WHAT IT ISN'T, & WHY IT'S IMPORTANT
- EMV only prevents card-present fraud
- Does not protect data in transit or at rest
- Would not have prevented a Target situation
- IS an important piece of the puzzle
- October 2015: fraud liability shifts to merchants not using EMV


39 WHY IS 3.0 CONCERNING?
- The new focus on connected systems in 3.0 greatly expands the potential number of systems to be considered in-scope for PCI-DSS.
- Under 2.0 our e-commerce web server was considered primarily out of scope because we used a hosted payment page. Under 3.0 it's fully in-scope! This brings more connected systems into scope.
- Where does the line get drawn now? No single auditor will agree. Potential house-of-cards scenario for our PCI scope.
- Expanded PCI scope means more penetration testing and expense.
- Every new device deemed to be in-scope suddenly requires substantially more management overhead.

40 THE IDEAL SOLUTIONS FOR EACH PAYMENT CHANNEL
- E-Commerce: outsource web hosting and payment processing to a PCI-DSS 3.0 validated third-party service provider
- Miscellaneous charges: use standalone PTS-approved dialup or cellular-based credit card terminals
- Bookstore and Dining POS terminals: use a combination of EMV, PCI Council approved HW-P2PE, and tokenization

41 THE TRIFECTA: EMV, HW-P2PE, TOKENIZATION
EMV
- Chip and PIN: prevents counterfeit and lost or stolen cards
- Chip and Signature: prevents only counterfeit cards

42 THE TRIFECTA: EMV, HW-P2PE, TOKENIZATION
HW-P2PE
- Account number and card data are protected in transit from the moment of swipe to the payment network
- Since the merchant has no access to the decryption keys, scope and risk to the merchant are significantly reduced
- Council approved HW-P2PE negates the need for network segmentation, firewalls, log management, etc.: 35/326 PCI-DSS controls

43 THE TRIFECTA: EMV, HW-P2PE, TOKENIZATION
TOKENIZATION
- Uses a randomly generated unique ID (token) in place of the primary account number (PAN), so the actual card number is not stored
- Since actual card data is replaced with unique IDs, the token can be stored indefinitely and used for important business processes
- Reduces PCI scope by removing the card number from systems and databases
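To make the scope-reduction argument concrete, here is an added example (not code from the presentation or from any vendor named in it): a minimal token vault standing in for the payment processor, the PAN-free record a merchant keeps, and a Luhn-based scanner of the kind used to confirm that merchant-side data and logs contain no PAN. The sample card numbers are standard test numbers, and the token format is an assumption of this example.

```python
import re
import secrets

# Constructed sample input: industry test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; separates real PANs from other long digit runs."""
    if not pan.isdigit():
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """First six / last four only: the display form DSS allows a merchant to keep."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for the service provider's vault: the only place the PAN lives.
    Tokens are random (secrets module), never derived from the PAN, so holding
    a token gives no way back to the card number without this vault."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:       # same card -> same token, so it is reusable
            return self._token_by_pan[pan]
        raw = secrets.token_hex(16)
        # Hyphenate in groups of four so a token never contains a PAN-length digit run.
        token = "tok_" + "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider (vault owner) can do this; the merchant never calls it."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant's database keeps: token plus masked PAN, no full card number."""
    return {"token": vault.tokenize(pan), "masked_pan": mask_pan(pan), "amount": amount}


# Candidate PAN: 13-19 digits not adjacent to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Scan free text (a DB dump, a log line) for Luhn-valid PAN candidates.
    An empty result is the evidence you want when arguing a system is out of scope."""
    return [m for m in _PAN_CANDIDATE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, SAMPLE_PANS[0], "12.50")
    print(rec, "PANs found in merchant record:", find_pans(str(rec)))
    # Constructed log line showing the failure mode tokenization is meant to remove:
    print(find_pans("auth ok pan=4111111111111111 amt=12.50"))
```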

44 THE TRIFECTA: EMV, HW-P2PE, TOKENIZATION (comparison matrix)
Rows: Prevent Counterfeit Card Use; Prevent Lost or Stolen Card Use; Protect Card Data In-Transit; Protect Card Data At-Rest (Stored); Protect E-Commerce Transactions
Columns: EMV; HW-P2PE; TOKENIZATION

45 WHAT WE'VE DONE TO ADDRESS PCI-DSS 3.0
- MICROS POS (Dining)
  - Affordable PCI Council approved hardware P2PE is available now
  - Hardware P2PE vs. software P2PE changes scope
  - At $100 apiece it's worth the investment as an interim device
  - Best thing we can do right now; prevents a Target scenario
  - Non-EMV; most likely replacing in 1 to 2 years
- E-Commerce (Bookstore)
  - Outsource web hosting and payment processing to a PCI-DSS validated third-party service provider
  - E-Ratex for the e-commerce application
  - Cybersource for payment processing
  - Rackspace for web hosting
- Miscellaneous charges
  - Use standalone PTS-approved cellular-based credit card terminals

46 WHAT WE'VE DONE TO ADDRESS PCI-DSS 3.0
- Had Coalfire perform a scope assessment of the planned state of our Spring 2015 environment
  - This is where it's decided what processes, people, and systems are in-scope for inspection and validation
  - Scope assessment has typically been the most controversial portion of our engagements with auditors
- Used whitepapers authored by Coalfire on the vendors' solutions to argue scope reduction
- We also asked them to make suggestions to further reduce our scope

47 SCOPE ASSESSMENT FINDINGS
Significant scope reduction was achieved!
- Past PCI-DSS 2.0 environment = 170 controls in-scope
- New PCI-DSS 3.0 environment = 89 controls in-scope
Stipulations for the scope reduction granted:
- Manual card entry on the POS itself is disabled
- The VeriFone and Shift4 PTS-approved PIN pads are the only means for accepting card-present transactions for MICROS and RATEX
- The PTS-approved PIN pads are customer facing, where the cashier never handles the card
- For payment processing and e-commerce hosting, we must use PCI-DSS compliant service providers and have copies of their Attestations of Compliance
- Must have an executed agreement with third-party service providers detailing the controls managed by the service providers

48 WHAT THIS MEANS FOR US
- No networks in-scope (P2PE)
- No cardholder data storage in-scope (Tokenization)
- No critical hardware other than the PIN pads in-scope (P2PE)
- No software in-scope (P2PE)
- No third-party payment applications in-scope (P2PE)
- No vulnerability scans
- No penetration testing
- No log management

49 2.0 SCOPE

50 3.0 SCOPE: OSU, SERVICE PROVIDERS, AGREEMENTS WITH SERVICE PROVIDERS

51 WHAT WE'VE LEARNED AND HOW WE'VE CHANGED
PCI needs to be a part of the conversation on the front end of purchasing systems and delivering services to our customers. Some recent examples include:
- Food truck/away game solution
- Ticketing system selection
- Meeting and Conference Services
- Shift4 integration with external P2PE PIN pads

52 OUR SOLUTION

53 SHIFT4 CHALLENGES
- The PIN pad doesn't have any intelligence and is not integrated with the POS in any way.
- It constantly displays the same message on the screen no matter the status of the register or reader, which causes confusion.
- Best and only available option for our systems at the time; a stop-gap solution to get us through a 3.0 audit.
- Cashiers needed to be trained not to complain about the shortcomings of the PIN pads, but to inform the customer that we are protecting their credit card data.
- Third-party solutions can be a double-edged sword: they can address shortcomings that your POS system can't on its own, but you can end up with a stalemate between the POS system manufacturer and the third party when something isn't working as it should.

54 WHAT YOU SHOULD TAKE AWAY FROM OUR PRESENTATION
- PCI compliance is a journey. Available technology and changing PCI-DSS specifications make it a moving target.
- If you're arriving late to the PCI game, you've got many more options than we had. You should be able to leapfrog us and save yourself some pain.
- You might think about hiring your own QSA before someone else does. It just goes better when the QSA works for you and not the other team. It's all in the interpretation.
- You can shop around for a QSA. You don't want the low bidder that's just going to say you're compliant, though; you need to find one that's reasonable and that you can work with.
- Use a firm with P2PE-certified assessors if you're going to rely on P2PE for scope reduction. Others may be less likely to grant you as much scope reduction as the ones that fully understand P2PE.

55 WHAT YOU SHOULD TAKE AWAY FROM OUR PRESENTATION
- Scope-reducing technologies are worth the investment. Our audits get easier each time we reduce our scope.
- If you're going to buy EMV terminals, try to buy ones that offer a P2PE and tokenization solution too while you're at it. You're going to spend the money; you might as well.
- There is no PCI silver bullet.
- Don't rely solely on what vendors tell you regarding their solution. Scope reduction is up to the bank and the QSA. Our scope has consistently been broader than the vendor claimed. This isn't necessarily the fault of the vendor, though; there are a lot of differences of opinion between QSAs.

56 WHAT YOU SHOULD TAKE AWAY FROM OUR PRESENTATION
PCI needs to be a part of the conversation on the front end of purchasing systems and delivering services to our customers.
- Is the system PCI compliant?
- Is the third-party service provider certified by Visa/MasterCard?
- Can they provide an AOC?
- Does their contract acknowledge PCI responsibilities?
- Can they show scan results?
- Lastly, is this a service we want to offer our customers?

57 WHAT YOU SHOULD TAKE AWAY FROM OUR PRESENTATION
Why should you care about PCI compliance?
- Compliance with PCI DSS demonstrates our commitment to protecting our customers' confidential data, which in turn builds trust. Trust means our customers have confidence in doing business with us. Confident customers are more likely to be repeat customers and to recommend us to others.
- Compromised data negatively affects us all. Just one incident can severely damage your reputation and your ability to conduct business effectively into the future. Other negative consequences could include lawsuits, insurance claims, cancelled accounts, payment card issuer fines, and government fines. More importantly, you could lose the ability to accept credit cards for your entire institution, not just your operations, indefinitely.

58 Questions?

59 CONTACT INFORMATION Mike Peaster Tracie Brown


More information

Achieving PCI Compliance for Your Site in Acquia Cloud

Achieving PCI Compliance for Your Site in Acquia Cloud Achieving PCI Compliance for Your Site in Acquia Cloud Introduction PCI Compliance applies to any organization that stores, transmits, or transacts credit card data. PCI Compliance is important; failure

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

PCI DSS. CollectorSolutions, Incorporated

PCI DSS. CollectorSolutions, Incorporated PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted

More information

Making Sense of the PCI Puzzle

Making Sense of the PCI Puzzle Making Sense of the PCI Puzzle Sponsored By: A guide to organizing your merchant accounts on campus Contributors from Coalfire Systems, Inc. Joseph Tinucci Justin Orcutt Eva Araya 1 The Big Picture Navigating

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

June 19, 2013. Bobbi McCracken, Associate Vice Chancellor Financial Services. Subject: Internal Audit of PCI Compliance.

June 19, 2013. Bobbi McCracken, Associate Vice Chancellor Financial Services. Subject: Internal Audit of PCI Compliance. RIVERSIDE: AUDIT & ADVISORY SERVICES June 19, 2013 To: Bobbi McCracken, Associate Vice Chancellor Financial Services Subject: Internal Audit of PCI Compliance Ref: R2013-03 We have completed our audit

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

Target Security Breach

Target Security Breach Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected

More information

Merchant guide to PCI DSS

Merchant guide to PCI DSS Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does

More information

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism Tokenization Amplified XiIntercept The ultimate PCI DSS cost & scope reduction mechanism Paymetric White Paper Tokenization Amplified XiIntercept 2 Table of Contents Executive Summary 3 PCI DSS 3 The PCI

More information

PAI Secure Program Guide

PAI Secure Program Guide PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you

More information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key

More information

Data Security Basics for Small Merchants

Data Security Basics for Small Merchants Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided

More information

Property of CampusGuard. Compliance With The PCI DSS

Property of CampusGuard. Compliance With The PCI DSS Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012 Payment Card Industry (PCI) Data Security Standard (DSS) Compliance SIFMA June 13, 2012 EisnerAmper Consulting Services Group Overview of EisnerAmper Fifth fhlargest accounting firm in the Metro New York

More information

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate. MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

How To Protect Your Credit Card Information From Being Stolen

How To Protect Your Credit Card Information From Being Stolen Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc.

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc. PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must

More information

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0 Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission

More information

Understanding the SAQs for PCI DSS version 3

Understanding the SAQs for PCI DSS version 3 Understanding the SAQs for PCI DSS version 3 The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

How Secure is Your Payment Card Data?

How Secure is Your Payment Card Data? How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has

More information

Credit Card Processing Overview

Credit Card Processing Overview CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new

More information

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or

More information

Payment Card Industry - Achieving PCI Compliance Steps Steps

Payment Card Industry - Achieving PCI Compliance Steps Steps CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment

More information

The PCI DSS Compliance Guide For Small Business

The PCI DSS Compliance Guide For Small Business PCI DSS Compliance in a hosted infrastructure A Rackspace White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

Office of Finance and Treasury

Office of Finance and Treasury Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive

More information

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card

More information

SellWise User Group. Thursday, February 19, 2015

SellWise User Group. Thursday, February 19, 2015 SellWise User Group Thursday, February 19, 2015 Slides and recording posted on scouting.org/financeimpact Look on the Council Fiscal Management Tab, then look at the bottom left for Sellwise Support/User

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS David Clevenger November 2015 Summary Payment Card Industry (PCI) is an accreditation body that

More information

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Payment Card Industry Data Security Standard (PCI DSS) v1.2 Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information

PCI DSS Compliance Services January 2016

PCI DSS Compliance Services January 2016 PCI DSS Compliance Services January 2016 20160104-Galitt-PCI DSS Compliance Services.pptx Agenda 1. Introduction 2. Overview of the PCI DSS standard 3. PCI DSS compliance approach Copyright Galitt 2 Introduction

More information

The State of Security and Compliance for E- Commerce and Retail

The State of Security and Compliance for E- Commerce and Retail The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

CardControl. Credit Card Processing 101. Overview. Contents

CardControl. Credit Card Processing 101. Overview. Contents CardControl Credit Card Processing 101 Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new and old

More information

Payment Card Industry Data Security Standards Compliance

Payment Card Industry Data Security Standards Compliance Payment Card Industry Data Security Standards Compliance Please turn off, or to vibrate, all cell-phones/electronics Expected course length: 1 Hour Questions are welcomed. Who Created It? & What Is It?

More information

INFORMATION TECHNOLOGY FLASH REPORT

INFORMATION TECHNOLOGY FLASH REPORT INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A

Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Request for Proposals (RFP) for PCI DSS COMPLIANCE SERVICES Project # 15-49-9999-016 Addendum #1 - Q&A May 29,

More information

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment

More information

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 1. Procedure Title: PCI Compliance Program COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 2. Procedure Purpose and Effect: All Colorado State University departments that accept credit/debit

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

Sales Rep Frequently Asked Questions

Sales Rep Frequently Asked Questions V 02.21.13 Sales Rep Frequently Asked Questions OMEGA Processing Data Protection Program February 2013 - Updated In response to a national rise in data breaches and system compromises, OMEGA Processing

More information

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m. Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

PCI: It Never Ends. Why?

PCI: It Never Ends. Why? PCI: It Never Ends. Why? How to stay prepared? Shekar Swamy American Technology Corporation St. Louis, MO January 13, 2011 PCI compliance basics It s all about Data Security 12 major areas of compliance

More information

PCI Standards: A Banking Perspective

PCI Standards: A Banking Perspective Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

UCSB Credit Card Processing and PCI Compliance

UCSB Credit Card Processing and PCI Compliance UCSB Credit Card Processing and PCI Compliance Sandra Featherson Associate Director of Controls Campus Credit Card Coordinator May 2011 Agenda Campus Credit Card Process Overview Terminology Approval/Acceptance

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

Technical breakout session

Technical breakout session Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent

More information