Payment Card Industry - Achieving PCI Compliance Steps




Payment Card Industry (PCI) Data Security Requirements for K-12
January 28, 2010

Welcome
- To join the voice conference, dial 866-939-3921; for technical issues, press 0.
- Q&A: we'll leave time to address questions during the last 15 minutes of the presentation. You may submit questions at any time using the "Ask a Question" feature located in the lower right corner of the webcast console.
- Presentation slides: you will receive an email with a link to download today's presentation.

What is PCI?
- PCI is a Data Security Standard (DSS) governed by the Payment Card Industry (PCI) Security Council.
- It is made up of 12 requirements, including standards for:
  - Security management
  - Policies and procedures
  - Network architecture
  - Software design
  - Other critical protective measures
- It transcends industry and traditional borders.
www.pcisecuritystandards.org

12 PCI Requirements (validated by self or outside assessment)

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Don't use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI for School Districts
- Business is business:
  - Do you accept, process, store, or transmit data?
  - Do you have a responsibility to protect your customer data?
  - Do hackers and identity thieves care where or how they get the data?
- Security transcends industry, and so does credit card use.
- Instances of identity theft continue to increase yearly in all industries.
- Card companies transfer costs onto noncompliant organizations.
- Compliance is less expensive than noncompliance.

Steps to Achieving PCI Compliance: What is Cardholder Data?
- Sensitive Authentication Data: full magnetic stripe, PIN data, or card validation codes
- Personal Account Number (PAN) plus any of the following:
  - Cardholder name
  - Expiration date
  - Service code

Steps to Achieving PCI Compliance (cont.): Identify ALL cardholder data in your organization
- Consider electronic cardholder data residing in: applications, databases, spreadsheets, emails, files, copy machine hard drives, voice mails and calls that may (or may not) be recorded for accuracy, etc.
- Consider hardcopy cardholder data residing in: desks, cabinets, trash, fax machines, copy machines, unlocked shred bins, etc.
- Ignorance of location is no defense.
- Vendors / 3rd-party processors: don't forget your vendors. If they aren't compliant, find someone who is.
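As an added example (not part of the Plante Moran slides), a small cardholder-data discovery scan of the kind used to inventory electronic storage locations: it looks for 13- to 19-digit runs in file contents, keeps only those that pass the Luhn check, and reports where each one was found with the PAN masked to its last four digits. The file names and contents are constructed, and the card numbers are constructed values that pass the Luhn check rather than real accounts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "files" (name -> content), standing in for the
# spreadsheets, emails and logs the slide lists. The 16-digit values are
# constructed to pass the Luhn check; they are not real accounts.
SAMPLE_FILES: Dict[str, str] = {
    "fees/spring_fees.csv": "student,card,amount\nJ. Doe,4111 1111 1111 1111,45.00\n",
    "mail/parent_reply.eml": "Please charge 5500-0000-0000-0004 for the field trip.\n",
    "it/server.log": "2010-01-28 ticket 4111111111111112 closed\n",  # fails Luhn
    "hr/phone_list.txt": "Main office 248-223-3587\n",  # too short to be a PAN
}

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits so the report itself stores no PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the normalized (separator-free) PANs found in a piece of text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan every line of every file; return (file, line number, masked PAN) hits."""
    hits = []
    for name, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for pan in find_pans(line):
                hits.append((name, lineno, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for name, lineno, masked in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {masked}")
```

The Luhn filter removes most ticket numbers, phone numbers and timestamps that merely look like card numbers, which keeps the hit list short enough for a person to review.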

Steps to Achieving PCI Compliance: Know your level

Level   Definition (# of transactions annually)   SAQ (Self-Assessment Questionnaire)   Network Security Scan by an ASV   On-site Audit by a QSA
1       More than 6 million                        N/A                                   Required quarterly                Required annually
2       1 to 6 million                             Required annually                     Required quarterly                N/A
3       20,000 to 1 million                        Required annually                     Required quarterly                N/A
4       All others                                 Required annually                     Required quarterly                N/A

Steps to Achieving PCI Compliance (cont.): PCI is a three-step process
1. Completion of the proper Self-Assessment Questionnaire (SAQ)
2. Clean report from your Approved Scanning Vendor (ASV)
3. Delivery of your results to the card companies

Step 1: Complete the proper SAQ

Type   Description                                                                                                   SAQ
1      Card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced.     A
       Does not apply to face-to-face merchants.
2      Imprint-only merchants with no electronic cardholder data storage                                              B
3      Stand-alone terminal merchants, no electronic cardholder data storage                                          B
4      Merchants with POS systems connected to the Internet, no electronic cardholder data storage                    C
5      All other merchants (not included in Types 1-4) and all service providers defined by a payment card brand     D
       as eligible to complete a SAQ

Steps to Achieving PCI Compliance (cont.)

Step 2: ASV external quarterly scanning
- There is confusion about the required types of security scanning:
  - External quarterly scan
  - Internal penetration testing and scanning
  - Web application penetration review
  - Wireless security review
- Define your scope: the advantages of a properly segmented network

Step 3: Reporting
- Submit your completed SAQ and/or Attestation, along with any Compensating Controls Worksheets, according to instructions from your acquirer or payment brand.

Benefits of Achieving PCI Compliance
- Secure your customers' data
- Avoid fines
- Trust of your customers
- Protect your reputation
- Interdepartmental cooperation

Risks & Penalties of Noncompliance
Here is what organizations are telling us about PCI:

"It's just too expensive. We are just going to sit on this until we are forced to do something."
- Data breaches cost organizations $202 per compromised customer record in 2008, a 40% increase since 2005.
- It is estimated a breach will cost on average $500,000 in fines from the PCI Council (this includes neither the cost of a forensic investigation nor the fees resulting from a civil/class action lawsuit).
- You could also lose the ability to use credit cards.

"I trust everyone I work with, and everyone knows they have a responsibility to protect cardholder data."
- More than 88% of all cases in this year's study involved insider negligence (stats from the Ponemon Institute, 2009).

Costs of PCI Compliance
- Costs associated with obtaining and maintaining PCI compliance are significantly less than the cost of noncompliance.
- Currently, think of PCI as insurance:
  - For now, there is no proactive compliance monitoring for lower-level merchants.
  - If hacked while not compliant, there is no recourse.
- Down the road, think of PCI as a requirement:
  - Eventually, proactive compliance monitoring will work its way down the merchant levels.

Common Mistakes
- Assuming that since their payment processor is compliant, they don't need to obtain PCI compliance.
- Submitting an SAQ with "No" responses.
- Submitting an SAQ with "Yes" responses that are incorrect.
- Allowing non-qualified individuals to perform the required scanning and penetration testing.
- Not keeping gathered information for next year.

In Conclusion
- Understand your responsibility and risks.
- Know where cardholder data resides: stored (electronic and hardcopy), processed, transmitted.
- PCI requires vigilance and annual updates; it requires a change in culture.
- Remember: PCI is an organizational certification, not an IT certification.

Q&A
Joe Oleksak, Security Assurance Manager, 248-223-3587, Joe.Oleksak@plantemoran.com
Judy Wright, Education Partner, 248-223-3304, Judy.Wright@plantemoran.com

Thank you.