2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock


2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015

Today's Presentation
- What do you need to do?
- What is PCI DSS?
- Why PCI DSS?
- Who Needs to Comply with PCI DSS?
- What does PCI DSS Compliance Mean?
- Penalties for Non-Compliance
- Compliance Life Cycle
- Goals & Requirements
- New PCI DSS v3.1
- Cardholder Data/Storage
- What do you have to do? SAQs
- Resources
- Questions

Your to do list by December 11:
1. Verify credit card merchant information on the PCI DSS Status Report and provide updates to Business Affairs.
2. Merchant managers complete and sign the Cover Page & SAQ. The Annual PCI DSS Assessment must be completed for all Merchants.
3. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable). This is required if your merchant uses an OST approved 3rd party vendor other than TouchNet.
4. Business Center Manager or FAM must review and sign.
5. Send to Robin Whitlock.

What is PCI DSS?
- Payment Card Industry Data Security Standards
- Continuously evolving security best practices for credit card merchants and cardholder data
- Common set of industry tools and measurements to help ensure the safe handling of sensitive information
- Provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents (https://www.pcisecuritystandards.org/merchants/index.php)
- Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Discover, ...)

Why PCI DSS?
- 154 breaches of sensitive information to date in 2015 (affecting >153 million records) [1]
- Notable retail breaches since November 2013 [2]: Target, Home Depot, Staples, Kmart, Albertsons, Michaels, Neiman Marcus, eBay, P.F. Chang's, UPS Stores, Aaron Brothers, Goodwill, Supervalu, Dairy Queen, CVS
[1] Privacy Rights Clearinghouse, https://www.privacyrights.org, 10/26/15
[2] Cyber Attacks on US Companies in 2014, by Riley Walters, http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014

Who Needs to Comply with PCI DSS?
- Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers, ...)
- That means you!
- Compliance is mandatory (eCommerce Policy, Oregon State Treasury, PCI DSS).
- Merchant Managers are responsible for merchant compliance. Attestation: "I understand that each merchant has fiscal and data security responsibility for proper use of the Merchant ID. I further understand that failure by the merchant to abide by PCI standards could result in fines to the University and/or loss of Merchant ID. To the best of my knowledge, this cover sheet and the information in the attached PCI SAQ (if applicable) accurately represents the operations, procedures, and practices of the Merchant IDs listed above." (Payment Card Industry Data Security Standards Annual Assessment Cover Page)

What does PCI DSS Compliance Mean?
In security terms, it means that your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means that you are playing your role to make sure your customers' payment card data is being kept safe throughout every transaction, and that they and you can have confidence that they're protected against the pain and cost of data breaches. (https://www.pcisecuritystandards.org/merchants/index.php)

Penalties for Non-Compliance
- Fines of $50-$90 per cardholder data record compromised
- Non-compliant merchants are penalized by acquiring banks
- Revocation of merchant credit card acceptance
- Loss of customers
- Loss of reputation
- Possible civil litigation from breached customers
Source: Juntoblog, "Sorting Out the Consequences of PCI Data Security Noncompliance", http://juntoblog.net/sortingout-the-consequences-of-pci-data-security-noncompliance-2/, 10/26/15

Compliance Life Cycle
- Pre-Assessment / Gap Analysis
- Implement / Remediate
- PCI DSS Validation
- Ongoing Compliance Monitoring
An on-going process, not a one-time event.

PCI DSS Goals & Requirements
Goal 1. Build and Maintain a Secure Network
  Requirement 1. Install and maintain a firewall configuration to protect cardholder data
  Requirement 2. Do not use vendor-supplied defaults for system passwords and other parameters
Goal 2. Protect Cardholder Data
  Requirement 3. Protect stored cardholder data
  Requirement 4. Encrypt transmission of cardholder data across open, public networks
Goal 3. Maintain a Vulnerability Management Program
  Requirement 5. Use and regularly update anti-virus software
  Requirement 6. Develop and maintain secure systems and applications
Goal 4. Implement Strong Access Control Measures
  Requirement 7. Restrict access to cardholder data by business need-to-know
  Requirement 8. Assign a unique ID to each person with computer access
  Requirement 9. Restrict physical access to cardholder data
Goal 5. Regularly Monitor and Test Networks
  Requirement 10. Track and monitor all access to network resources and cardholder data
  Requirement 11. Regularly test security systems and processes
Goal 6. Maintain an Information Security Policy
  Requirement 12. Maintain a policy that addresses information security

Digital Dozen Requirements by SAQ (X = requirement covered by that SAQ)

SAQ     1  2  3  4  5  6  7  8  9  10 11 12
A                              X        X
A-EP    X  X  X  X  X  X  X  X  X  X  X  X
B             X  X        X     X        X
B-IP    X  X  X  X     X  X  X  X     X  X
C       X  X  X  X  X  X  X  X  X  X  X  X
D       X  X  X  X  X  X  X  X  X  X  X  X

- SAQs A-EP and B-IP are new 3.0/3.1 SAQs
- Requirement 10 is new to SAQ C with 3.0

What's New: PCI DSS v3.1
- PCI DSS was updated from v2.0 to v3.1
- Focus is on incorporating PCI DSS requirements into day-to-day activities, not just a once-a-year assessment.
- More requirements across the board
- Changes to SAQs: incorporation of new/changed requirements, expected testing added, format updates
- New SAQs: A-EP, B-IP
- Updated eligibility criteria for existing SAQs

What is Cardholder Data?
- Primary Account Number (PAN)
- Expiration Date
- Cardholder Name
- Chip/Magnetic Stripe Data
- CAV2/CVC2/CVV2

PCI Data Storage

Data Element                          Storage Permitted   Protection Required
Cardholder Data
  Primary Account Number (PAN)        Yes                 Yes
  Cardholder Name [3]                 Yes                 Yes [3]
  Expiration Date [3]                 Yes                 Yes [3]
Sensitive Authentication Data [4]
  Full Magnetic Stripe Data [5]       No                  N/A
  CAV2/CVC2/CVV2                      No                  N/A

Notes:
1. BEST PRACTICE: DO NOT STORE CARDHOLDER DATA.
2. NEVER store using electronic media, for example a database or spreadsheet.
3. These data elements must be protected if stored in conjunction with the PAN.
4. Sensitive authentication data must not be stored after authorization (even if encrypted).
5. Magnetic stripe or chip.
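As an added illustration (not part of the presentation or of any PCI SSC material), the storage table above turned into two checks a merchant's developers could run: a post-authorization retention classifier that applies notes 3 and 4, and a scanner that finds Luhn-valid PANs that have leaked into free-text logs or spreadsheets (note 2). Field names and the sample log line are constructed for the example.

```python
import re

# Constructed example built from the slide's PCI Data Storage table.
# Elements the table says may never be stored after authorization, even
# encrypted: full magnetic stripe / chip data and CAV2/CVC2/CVV2.
SENSITIVE_AUTH_DATA = {"track_data", "cav2", "cvc2", "cvv2"}
# Elements that may be stored but must be protected when held with the PAN.
PROTECTED_WITH_PAN = {"cardholder_name", "expiration_date"}


def luhn_ok(digits: str) -> bool:
    """Luhn check that separates a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_for_retention(record: dict) -> dict:
    """Split an authorization record into drop / keep-protected / keep."""
    result = {"drop": [], "keep_protected": [], "keep": []}
    for field in record:
        if field in SENSITIVE_AUTH_DATA:
            result["drop"].append(field)            # table note 4
        elif field == "pan":
            result["keep_protected"].append(field)  # PAN: protection required
        elif field in PROTECTED_WITH_PAN and "pan" in record:
            result["keep_protected"].append(field)  # table note 3
        else:
            result["keep"].append(field)            # e.g. amount, order id
    return result


# 13-19 digits, optionally separated by spaces or dashes, not inside a
# longer digit run (so timestamps and order numbers are not matched).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in free text such as an application log."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed log line: one real-looking test PAN, one Luhn-invalid number.
SAMPLE_LOG = ("2015-11-03 10:02:11 auth ok pan=4111 1111 1111 1111 cvv2=123 "
              "order=20151103001 retry pan=4111-1111-1111-1112")

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
```

A hit from find_pans in a log or export is evidence that cardholder data is being written to electronic media the table forbids, which is the kind of finding an SAQ "No" answer and remediation date should cover.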

What do we have to do?

Level/Tier 1: Merchants processing over 6 million Visa transactions annually (all channels)
  Validation: Annual Report on Compliance by Qualified Security Assessor (QSA); quarterly network scan by Approved Scan Vendor (ASV); Attestation of Compliance Form
Level/Tier 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  Validation: Annual Self-Assessment Questionnaire; quarterly network scan by ASV; Attestation of Compliance Form
Level/Tier 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  Validation: Annual SAQ; quarterly network scan by ASV; Attestation of Compliance Form
Level/Tier 4: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
  Validation: Annual SAQ; quarterly network scan by ASV if applicable; requirements set by acquirer

Annual PCI DSS Assessment Documents
Documents due by December 11, 2015:
1. OSU Cover Page
2. Self Assessment Questionnaire (SAQ A-D, as appropriate to the merchant)
3. 3rd Party PCI DSS Certificate of Compliance (if applicable)

Self Assessment Questionnaire (SAQ)
- Completed by the merchant manager
- Subset of full requirements
- Broken down by Goals & Requirements
- Made up of Yes / No / Not Applicable responses
  - NA or Compensating Control: must be explained
  - No: must have Remediation Date and Actions
- Attestation Section
- Fill out the Merchant Version; do not complete the Service Provider Version
- Details will be covered in break-out sessions

Which SAQ? See the PCI DSS Status Report for your merchant.

SAQ A (14 questions; ASV scan: No; pen test: No): Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. Not applicable to face-to-face merchants.
SAQ A-EP (139 questions; ASV scan: Yes; pen test: Yes): E-commerce merchants who outsource all payment processing and have a website that does not directly receive cardholder data but can impact security of the payment transaction. Not applicable to face-to-face merchants.
SAQ B (41 questions; ASV scan: No; pen test: No): Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. Terminals not IP-connected.
SAQ B-IP (83 questions; ASV scan: Yes; pen test: No): Merchants with standalone, IP-connected point of sale terminals.
SAQ C (139 questions; ASV scan: Yes; pen test: Yes): Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
SAQ D (326 questions; ASV scan: Yes; pen test: Yes): All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

Source: PCI Compliance Guide, "New! More! A First Look at the PCI DSS 3.0 SAQs"

Multiple Merchant Consolidation
Multiple merchants can be combined into a single submittal if:
1. The merchant IDs (MIDs) are of the same type (i.e. all POS, all Web, ...)
2. All merchants are managed by the same merchant manager
3. The same policies and procedures apply to all merchants
4. The strictest SAQ will apply (the one with the most questions)
5. All merchants are listed on the cover page

Misconceptions
- Self assessment means you're compliant
- Compliance means you won't suffer a breach
- Outsourcing takes away your need for compliance
- PCI DSS is just about IT
- A single product can make you compliant
- Compliance can be automated

SAQ Review Sessions
- Line-by-line review of PCI DSS 3.1 SAQs
- OSU-specific information
- Changes from version 2.0 to 3.1
Schedule:
- SAQ A: 11/4/15 10:00 AM
- SAQ B: 11/4/15 11:00 AM
- SAQ B-IP: 11/9/15 9:00 AM
- SAQ C: 11/9/15 11:00 AM

Your to do list by December 11:
1. Verify credit card merchant information on the PCI DSS Status Report and provide updates to Business Affairs.
2. Merchant managers complete and sign the Cover Page & SAQ. The Annual PCI DSS Assessment must be completed for all Merchants.
3. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable). This is required if your merchant uses an OST approved 3rd party vendor other than TouchNet.
4. Business Center Manager or FAM must review and sign.
5. Send to Robin Whitlock. Electronic submission is preferred.

Resources
- Copies of your last assessment can be emailed to you on request
- Annual PCI Compliance for OSU Credit Card Merchants web site: http://fa.oregonstate.edu/businessaffairs/annual-pci-compliance-osu-credit-cardmerchants
  - Status Report by Business Center
  - Forms: Cover Page and SAQ
  - OSU-specific SAQ instructions
  - Other supporting documents

Thank You
Robin Whitlock, Business Affairs
Contact: Robin.Whitlock@OregonState.edu, 541-737-0622