Property of CampusGuard. Compliance With The PCI DSS

Similar documents
PCI: The Dark Side. May 2012 Roanoke, VA

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

PCI DSS Presentation University of Cincinnati

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

PCI DSS Gap Analysis Briefing

Project Title slide Project: PCI. Are You At Risk?

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI Compliance. Top 10 Questions & Answers

Payment Card Industry - Achieving PCI Compliance Steps Steps

PCI Compliance Top 10 Questions and Answers

Frequently Asked Questions

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

PCI DSS Compliance Information Pack for Merchants

PCI Compliance Overview

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

PCI Data Security Standards

PCI DSS. CollectorSolutions, Incorporated

How To Protect Your Business From A Hacker Attack

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

PCI Standards: A Banking Perspective

PCI Compliance: How to ensure customer cardholder data is handled with care

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Payment Card Industry Data Security Standards Compliance

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

SecurityMetrics Introduction to PCI Compliance

How To Protect Your Credit Card Information From Being Stolen

Adyen PCI DSS 3.0 Compliance Guide

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Josiah Wilkinson Internal Security Assessor. Nationwide

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Two Approaches to PCI-DSS Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Becoming PCI Compliant

Understanding Payment Card Industry (PCI) Data Security

An article on PCI Compliance for the Not-For-Profit Sector

Data Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

PAI Secure Program Guide

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

PCI Security Compliance

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

How To Protect Visa Account Information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Payment Card Industry (PCI) Data Security Standard

June 19, Bobbi McCracken, Associate Vice Chancellor Financial Services. Subject: Internal Audit of PCI Compliance.

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

Merchant guide to PCI DSS

Technical breakout session

Introduction to PCI DSS

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standards

SecurityMetrics. PCI Starter Kit

Your Compliance Classification Level and What it Means

PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

How To Ensure Account Information Security

Payment Card Industry Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Payment Card Industry Data Security Standards.

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

How To Protect Your Data From Being Stolen

PCI COMPLIANCE GUIDE For Merchants and Service Members

So you want to take Credit Cards!

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Sales Rep Frequently Asked Questions

Transcription:

Compliance With The PCI DSS

Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A

CampusGuard Full-Service QSA/ASV Firm We Know Security Focused Solely on Higher Education

The Target Breach 40 million customers Insider? POS was the vector Lessons for all

PCI MANUFACTURERS PCI PTS PIN Transaction Security SOFTWARE DEVELOPERS PCI PA-DSS Payment Application Vendors MERCHANTS & PROCESSORS PCI DSS Data Security Standard PCI Security & Compliance Ecosystem of payment devices, applications, infrastructure and users

PCI Relationships Responsible for managing the PCI DSS and certifying QSAs and ASVs Bank Communicates and educates merchants on PCI DSS and reports compliance status to Card Associations CREDIT CARD SECURITY Responsible for enforcing and monitoring merchant compliance with the PCI DSS Merchant Responsible for safeguarding credit card data and complying with the PCI DSS

Penalties can be Huge In the event of a breach the bank can make the merchant responsible for: Fines from card associations Up to $500,000 + Cost to notify victims + Cost to replace cards + Cost for any fraudulent transactions + Forensics + Level 1 certification Bad Publicity Priceless!

How Much Time Left? You are assumed to be compliant NOW! Banks will be requiring your validation SOON!

Higher Ed Is Vulnerable Past 3 Years Higher Education 33% Government Healthcare 6% 8% Financial Services 14% Other 17% 22% Retailers Source: Privacy Rights Clearinghouse

Colleges and Universities are like Cities

A Campus Is A City" Challenges for PCI Compliance: Open networks and systems Scope conversations complex Overloaded staff Fiscal constraints

PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop

PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop

PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop

PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop

PCI DSS: 6 Goals, 12 Requirements Control Objective 1. Build and maintain a secure network Requirements 1. Install and maintain a firewall configuration to protect data 2. Change vendor-supplied defaults for system passwords and other security parameters 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 3. Protect stored data 4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data to a need-to-know basis 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 5. Regularly monitor and test networks 6. Maintain an information security policy 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security

Merchant Levels Level 1 > 6 million Visa/MC txns/yr > 2.5 million transactions/yr 2 1 to 6 million Visa/MC txns/yr 50,000 to 2.5 million txns/yr 3 20,000 to 1 million Visa/MC ecommerce txns/yr Most Colleges and Universities All other Amex Merchants 4 All other Visa/MC merchants N/A

Validation Requirements Level 1 2 3 4 Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Annual Self-Assessment Questionnaire (SAQ) Quarterly network scan (ASV) Annual penetration test (ASV) At discretion of acquirer Annual SAQ Quarterly network scan (ASV) Annual penetration test (ASV) Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Quarterly network scan (ASV) Annual penetration test (ASV) Quarterly network scan (ASV) Annual penetration test (ASV) N/A

Self-Assessment Questionnaires Card-Not Present, All Cardholder Data Functions Outsourced Imprint Only, No Cardholder Data Storage Standalone Dial Out Terminal, No Cardholder Data Storage Payment Application Systems Connected to the Internet All other methods SAQ A SAQ B SAQ B SAQ C / VT SAQ D (11 questions) (29 questions) (29 questions) (80/51 questions) (286 questions) 11 286 Move as far to the left as possible!

Can I assess myself? Short answer: Maybe (but you probably don t want to) Long answer: You can assess yourself, provided: You follow audit procedures Your acquirer agrees An approved officer (think President or CFO) signs on the dotted line (attesting to the veracity of the results) You re absolutely sure you re going to do it right

What s in PCI Scope? Office Workstations? Card Swipe Machine? Student in dorm? Shopping Cart? Computer Lab? Phone Transaction?

PCI DSS Assessment Service Provider PCI DSS Level 1 Internet Your Campus? PA-DSS Payment Application PCI DSS SAQ A/B/C/D??

Case Study: The commercial software was PA-DSS certified, but 1 Firewall configuration 7 Access to system components and cardholder data 8 Assign unique ID to each person with computer access 9 Restrict physical access 11 Regularly test security systems and processes 12 Maintain a policy that addresses information security

Managing Compliance

Compliance Finish Line!?

PCI Compliance Discovery and Assessment Remediation Validation Payments Analysis Merchant Discovery Documentation Preliminary Scanning Gap Analysis Correct Problems Compensating Controls ROC or SAQ Submission Quarterly Scanning Penetration Testing Re-Validate every 12 mos

Awareness Training PCI DSS General Info Security Red Flags Identity Theft HIPAA Clery Act FERPA Title IX GLBA

Online Training: PCI DSS Topics An overview of PCI DSS PCI DSS objectives and requirements Costs of non-compliance Sensitive Authentication Data Hard-copy storage Protecting cardholder information Payment card transactions Remote access Good work practices Security incidents Restricted computer access Restricted physical access Tracking and monitoring Social engineering

Online Training: Administration

Closing Thoughts PCI is a journey PCI requires partnerships Requires perseverance Keep the faith

Ron King, CampusGuard rking@campusguard.com (972) 964-8884

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information