Misconceptions of PCI DSS in K12
Illustration by Lance Jackson
Presented by: Barry Campbell, Business Development Mgr., bcampbellfars@gmail.com; Kaitlyn Hetzel, Account Services Manager, khetzel@schoolpay.com
What is PCI DSS? Who here knows what PCI DSS stands for? Payment Card Industry Data Security Standard. It is the security requirement that any entity with access to credit card numbers is required, by VISA, MasterCard, etc., to adhere to.
Link Between Candy Jar and PCI. Winner of the candy jar announced; winner of the best answer announced: Dawn Fortes (Volusia County). Candy represents cardholder data and the jar represents a system that's PCI compliant. Easier to demonstrate our message, and it won't break any health code violations.
- Exercise in fun: counting candies in a jar
- How it feels when you're establishing your policy is more like this...
PCI DSS is One Thing, Right? Like a bunny?
Sort of. It's 6 Object Controls. Object controls logically group related things. PCI DSS comes down to six areas of focus:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Ah! So it's Six Things. Right? Like SIX bunnies?
Each Object Control has one or more Requirements. For example, Build and Maintain a Secure Network has these two requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
So How Come I Now Have 220 Bunnies? Meet the SUB requirements!
Making Sense of It All. PCI is ultimately a logical set of business operation standards. It's not a one-and-done; you always do it. PCI DSS isn't a guarantee; it's a starting point, not the finish line.
The Misconceptions...
M1 - It's About Ecommerce. It's about cardholder data. Best practice: every human and system location in the district that *could* come in contact with or leave a record of a 16-digit card number is a threat to your PCI compliance. Document these and establish a policy for that data interaction.
M2 - PCI DSS is Someone's or Some Department's Job. PCI is no one person's job; it is everyone's job. Everyone's job who touches cardholder data, that is. Best practice is to have a set of policies and procedures that define the behavior of everyone (staff) and everything (hardware/software) in the district that touches cardholder data.
M3 - Our Online Payment Service Handles It. If you have an online payment system, they can offload a lot of PCI headaches. If you take any credit card payments in person, you will be responsible for handling the PCI compliance on those payments. Best practice: know what your minimum exposure and workload is. If you only take online payments, make sure your policy states that. But you are still REQUIRED to have a policy.
M4 - You Have to Pay a Fee to Be PCI Compliant. PCI compliance fees are becoming commonplace, but a fee is NOT a requirement for PCI compliance. Best practices to cut your costs:
- Inquire with your processor whether there is a PCI compliance fee on your merchant account
- Inquire whether there is any ability to handle PCI at the district level
- Make sure you are aware of any PCI-related procedures that they require
We're Back! Each bunny represents a single PCI question; there are 220 of them per merchant account!
The Rule Breakers. A fun look at the people that make you say, "What were they thinking?"
The List Keepers
The 80's Marketers: donor forms filled out with way too much data.
The Get it Rights
So What Should You Do?
Step One: determine the scope of the PCI policy you will need. Where are you taking payments: online, in person, or both? How many departments are taking payments? How many merchant accounts do we have?
Step Two: write your policy and have staff sign off on it.
Step Three: make sure your online providers are Level One PCI providers. Each software system that takes payment or touches card data needs to be PCI compliant too. All except the smallest companies are required to be audited and to appear on a VISA list.
Validate Software Providers to the District. It is easy to get the status of your various system providers. Just do the following:
1. Ask if they* have a ROC (Report on Compliance, provided by the audit firm)
2. Check whether they are listed here: http://www.visa.com/splisting/searchgrsp.do
*Please note: whoever owns the interface where the card number is collected should have their name on the ROC.
Conclusion Slide. Controlling your risk is manageable. Make your payment policies and procedures cross-departmental. Always reduce scope where and when you can:
- Reduce the number of payment vendors you support
- Reduce access to and interaction with 16-digit account numbers