What Every Director Needs to Know About Credit Cards & Patron Privacy
Complying with PCI is a necessary step in safely accepting payment cards.
Know the Risks! Some Interesting Facts:
- 94% of data breaches involved servers *
- 96% of breach victims subject to PCI DSS were not compliant at the time of the breach *
- Data breach regulations: 46 of 50 states mandate consumer notification of unauthorized access to private information
- $145: average cost per compromised record **
PCI compliance is a key strategy to avoid a data breach!
* 2012 Data Breach Investigations Report
** Ponemon Institute LLC. (2015). 2014 Cost of Data Breach Study: Global Analysis
What is PCI? Payment Card Industry Data Security Standard (PCI DSS)
- A Visa-coordinated initiative started in 2004
- Rules, methods, and procedures to reduce payment card fraud
- Compliance effort varies with where and how you take payment cards
- Mandates use of validated services and products
Who are the PCI stakeholders? Since its inception, the PCI Standard has been applied to stakeholders in the order of greatest exposure. Organizations involved with payment cards:
- Processors
- Banks
- Service Providers
- Application Developers
- Merchants (the Library)
Today the focus is on Merchants. That means you!
Merchants (You, the Library) must comply with PCI based upon merchant category:
- Online (card not present): online merchants subscribe to a service from a PCI DSS validated service provider
- POS (card present): POS merchants install PA-DSS validated payment applications
The merchant remains responsible for:
- Appropriate policies and procedures
- Securing their network
- Documenting their PCI compliance status annually using a tool called the Self-Assessment Questionnaire (SAQ)
PCI Compliance Best Practices
Avoid storing cardholder data!
Online merchants (payments over the Internet):
- Lessen the burden by outsourcing to a validated service provider (e.g., using a third-party payment gateway)
POS merchants (over-the-counter & self-service):
- You are responsible for protecting cardholder data at the point of sale and as it flows through the payment system
- Segment your network to minimize exposure
- Install PA-DSS validated payment applications
- Use approved secure card readers
SAQ by Merchant Category. Careful! Compliance burden increases with SAQ level.
[Table: number of Self-Assessment Questionnaire questions per PCI DSS requirement area, by merchant type. Per-cell counts did not survive extraction.]
Merchant types (columns): Online Payments; Internet Protocol Terminals with P2P Encryption; Internet Protocol Terminals; Payment Application Connected to Internet; Keyboard Input to a Dedicated Computer; All Other Merchants.
Requirement areas (rows):
1. Restrict Physical Access to Data
2. Information Security Policy
3. Protect Card Data
4. Encrypt Transmission of Data
5. Restrict Data to Need-to-Know
6. Firewall
7. Anti-Virus Software
8. No Default Passwords
9. Secure Systems and Applications
10. Assign Unique IDs for Access
11. Regularly Test Systems
12. Track and Monitor Access
Number of questions: from 14 for libraries that accept payments only by Internet browser (the best SAQ for such libraries) up to 240 for All Other Merchants.
SAQs for libraries that accept counter, self-check, or kiosk payments: the applicable SAQ depends upon the payment product.
Additional PCI Requirements (1): Quarterly external vulnerability scans (Req. 11.2)
- If your payment systems are on a network connected to the Internet, PCI DSS requires you to have quarterly scans performed
- The automated scans look for weaknesses an attacker might exploit to access your systems
- A scan only counts if it passes (no vulnerability rated 4.0 or higher under CVSS); failing findings must be fixed and the scan rerun, and scans are also required after any significant change to the network
- PCI DSS requires these scans to be conducted by a PCI-certified Approved
Additional PCI Requirements (2): Internal and external penetration testing (Req. 11.3)
- A penetration test simulates an attack on your organization's network infrastructure or applications
- Penetration testing determines what attackers can access and what trouble they can cause
- Unlike the automated scan, it is performed by a person, at least annually and after any significant change to the environment
Let's Look at Some Success Stories. Stirling Prentice, Systems Librarian
Why Comprise? What we were looking for:
- ILS compatibility
- Bilingual interface
- PCI compliance
- Compatibility with Moneris
- Website & discovery layer integration
The Importance of PCI Compliance
- Peace of mind: respecting and securing patron info
- City of Ottawa's requirements
Comprise at OPL
- Just credit card transactions
- Pay Fines button on site and in catalogue
- Reconciliation reports: ILS vs.
- Soft launch
- Adapting to new standards
Payments: steady growth (share of bills paid and of amounts paid, by payment type and year)

Year          Payment Type   % Paid Bills   % of Amounts Paid
2012          CASH           62.2%          51.8%
2012          CHECK           0.9%           2.1%
2012          CREDITCARD     13.3%          15.9%
2012          DEBITCARD      23.6%          30.3%
2013          CASH           59.4%          49.3%
2013          CHECK           0.7%           1.8%
2013          CREDITCARD     13.5%          15.9%
2013          DEBITCARD      23.4%          29.6%
2013          ONLINE          3.1%           3.4%
2014          CASH           55.2%          45.6%
2014          CHECK           0.5%           1.3%
2014          CREDITCARD     14.6%          16.5%
2014          DEBITCARD      23.3%          29.2%
2014          ONLINE          6.5%           7.3%
2015 (so far) CASH           52.7%          43.4%
2015 (so far) CHECK           0.4%           1.4%
2015 (so far) CREDITCARD     14.9%          16.4%
2015 (so far) DEBITCARD      22.8%          28.5%
2015 (so far) ONLINE          9.1%          10.3%