PCI DSS Presentation University of Cincinnati

Similar documents

PCI: The Dark Side. May 2012 Roanoke, VA

Property of CampusGuard. Compliance With The PCI DSS

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

Payment Card Industry - Achieving PCI Compliance Steps Steps

Payment Card Industry Data Security Standard

PCI Compliance Top 10 Questions and Answers

Josiah Wilkinson Internal Security Assessor. Nationwide

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

PCI DSS. CollectorSolutions, Incorporated

PCI Compliance. Top 10 Questions & Answers

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

How To Protect Your Business From A Hacker Attack

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

Adyen PCI DSS 3.0 Compliance Guide

Frequently Asked Questions

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Project Title slide Project: PCI. Are You At Risk?

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

SecurityMetrics Introduction to PCI Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

Becoming PCI Compliant

PCI Security Compliance

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Payment Card Industry (PCI) Data Security Standard

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Payment Card Industry Data Security Standards.

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

PAI Secure Program Guide

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

PCI COMPLIANCE GUIDE For Merchants and Service Members

PCI DSS Compliance Information Pack for Merchants

Why Is Compliance with PCI DSS Important?

PCI Data Security Standards

North Carolina Office of the State Controller Technology Meeting

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Credit Card Processing Overview

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

UCSB Credit Card Processing and PCI Compliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Data Security Standards Compliance

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

CardControl. Credit Card Processing 101. Overview. Contents

PCI Compliance: How to ensure customer cardholder data is handled with care

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

PCI DSS Gap Analysis Briefing

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

PCI Compliance Overview

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Your Compliance Classification Level and What it Means

An article on PCI Compliance for the Not-For-Profit Sector

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Understanding Payment Card Industry (PCI) Data Security

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Accepting Payment Cards and ecommerce Payments

Merchant guide to PCI DSS

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

How To Protect Your Data From Being Stolen

How To Protect Visa Account Information

Credit Card Handling Security Standards

Security & Compliance, Sikich LLP

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

La règlementation VisaCard, MasterCard PCI-DSS

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

PCI Standards: A Banking Perspective

Presented By: Bryan Miller CCIE, CISSP

Transcription:

PCI DSS Presentation University of Cincinnati

Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A

PCI DSS Payment Card Industry Data Security Standard

What is the PCI DSS trying to protect?

Data Element Storage Permitted Protection Required Covered Data Elements 1 st 6 / Last 4 OK Cardholder data Only considered CHD if full PAN stored Sensitive authentication Holy Grail data for thieves PAN Yes Yes Cardholder name Yes * Yes Service code Yes * Yes Expiration date Yes* Yes Magnetic stripe CVC2/CVV2/CID PIN/PIN block No No No No storage permitted No storage permitted No storage permitted

Merchant Levels Level Visa and MasterCard Amex 1 > 6 million Visa/MC txns/yr > 2.5 million Amex txns/yr 2 1 to 6 million Visa/MC txns/yr 50,000 to 2.5 million txns/yr 3 20,000 to 1 million Visa/MC ecommerce txns/yr All other Amex Merchants 4 All other Visa/MC merchants N/A

Merchant Levels and Compliance Validation Level Visa and MasterCard Amex 1 2 3 4 Annual on-site assessment (QSA) Quarterly network scan by (ASV) Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual Self-Assessment Questionnaire (SAQ) Quarterly network scan (ASV) At discretion of acquirer Annual SAQ Quarterly network scan (ASV) (recommended) Annual on-site assessment (QSA) Quarterly network scan (ASV) Quarterly network scan (ASV) Quarterly network scan (ASV) (recommended) N/A

Payment Methods & Validation Requirements 1 2 3 4 5 Payment Method Card-Not- Present, All Cardholder Data Functions Outsourced Imprint Only, No Cardholder Data Storage Standalone Dial Out Terminal, No Cardholder Data Storage POS Connected to Internet All Other Methods SAQ A SAQ B SAQ B SAQ C SAQ D Validation Requirements 13 Questions 24 Questions No Scanning! 24 Questions 32 Questions Quarterly Scan 233 Questions Quarterly Scan 0 233 Move as far to the left as possible!

6 Objectives and 12 Requirements 1. Build and maintain a secure network 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Regularly monitor and test networks 6. Maintain an information security policy 1. Install and maintain a firewall configuration to protect data 2. Change vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data to a need-to-know basis 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security * Augmented by 230+ sub requirements

Managing Compliance Scanning request: Complete scan request form White list scanner IP addresses in your IDS/IPS Vulnerability scans will: Fingerprint the host (port scan, banner check, etc) Perform checks on open ports Well-known vulnerabilities Mis-configurations Backdoors/Trojan horse applications

Managing Compliance

Validation

PCI Scope No Segmentation: The Worst Case Scenario Internet Where most campuses start out Therefore, the entire network is in scope You don t want this! Cell Phones Printers Laptops Payment Server Dept PCs Unzoned: EVERYTHING in scope!

Reduce Your PCI Scope! Let s Try That Again Internet Strategic Scope Only payment systems are in scope Better all around Payment Server Cell Phones Dept PCs Printers Laptops

Some Data Breach Stats Source: Verizon 2009 Data Breach Investigations Report

News Travels Fast: TJ Maxx / Marshall s

PCI Non-Compliance In the event of a breach the acquirer can make the merchant responsible for: Any fines from card associations Up to $500,000 If you haven t validated with a SAQ Cost to notify victims Cost to replace cards Cost for any fraudulent transactions Forensics Level 1 certification from a QSA

3 rd Party Payment Systems Many colleges and universities adopt the use of a 3 rd party processor or payment system for tuition and other payments. Great idea Limits scope for the PCI DSS Purchasing of PA-DSS compliant systems Can help in compliance effort Not a panacea

Questions Contact Treasurer s s Office Susan Albonetti 64793 susan.albonetti@uc.edu