Self Assessment Questionnaire A: Short course for online merchants
This presentation will cover:
PCI DSS Requirements and Reporting Compliance
Risks to card holder data when using a Web Hosting Provider
How NCSU ecommerce merchants should complete their SAQ A
PCI DSS definitions and vocabulary
Presented by: Tim Gurganus, PCIP, PCI Internal Security Assessor
Self Assessment Questionnaire A: Review from Merchant Training
Merchant responsibility: complete a Self Assessment Questionnaire for each merchant.
Cardholder Data: at a minimum, cardholder data consists of the full 16 digit credit card number. Cardholder data may also appear in the form of the full CCN plus any of the following: cardholder name, expiration date and/or CVV number.
Service Provider: any organization that stores, transmits or processes cardholder data on behalf of merchants or other service providers, and also other organizations that could impact merchant security (even if they don't have direct access to cardholder data). Examples include web hosting providers, Nelnet, Yahoo Storefront, Paypal, Intelipay.
From Merchant Training: Things We Need Every Merchant to Do
Read and understand the PCI policies and procedures of the University. These will be presented to each merchant as part of an annual PCI-DSS training class.
Complete and sign the Self Assessment Questionnaire annually. Each merchant will complete an annual PCI-DSS training class and then submit a completed SAQ.
If you are using a PA-DSS listed application, get compliance documentation from the vendor before the annual assessment.
Risks to ecommerce Merchants (from a recent presentation on PCI scoping and risks to ecommerce merchants)
Doesn't my vendor do my compliance for me?
Example: outsource payment processing to a third-party e-commerce provider.
Risks to ecommerce merchants (from a recent presentation on PCI scoping and risks to ecommerce merchants)
Breach: outsource payment processing to a third-party e-commerce provider.
A merchant cannot outsource their PCI DSS responsibility. They may outsource operational responsibility for maintaining security controls.
Guidance document for e-commerce merchants, released January 2013: https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
Merchants may use a variety of technologies to implement e-commerce functionality, including payment-processing applications, application programming interfaces (APIs), inline frames (iframes), or hosted payment pages. No matter which option a merchant may choose, there are several key considerations to keep in mind regarding the security of cardholder data, including:
No option completely removes a merchant's PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected.
Connections and redirections between the merchant and the third party can be compromised, and the merchant should monitor its systems to ensure that no unexpected changes have occurred and that the integrity of the connection/redirection is maintained.
Guidance document for e-commerce merchants, released January 2013: https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
Merchants are responsible for the security of the redirect mechanism on their websites.
Configuration: the merchant's website redirects consumers' browsers to an e-commerce payment processor's website; the consumer enters payment directly into the e-commerce payment processor's website.
Merchant role/responsibility: the merchant still has responsibility for PCI DSS requirements for some elements of the e-commerce infrastructure even though they have outsourced much PCI DSS responsibility for storage, processing and transmission of cardholder data. This is because compromise of the merchant's website may result in compromise of the redirection mechanism, leading to compromise of Card Holder Data (CHD).
Merchant is responsible for:
Managing the website and servers (if self-hosted), including applicable PCI DSS requirements.
Applicable PCI DSS requirements for managing third parties (e.g., Requirement 12.8).
Having written agreements with any third parties and ensuring they protect cardholder data on behalf of the merchant, in accordance with PCI DSS.
Securing the web page(s) containing the redirection code and/or function(s).
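The guidance above asks the merchant to monitor the page that carries the "Pay Now" redirect for unexpected changes. The script below is an added example (not from the presentation or the PCI SSC document) of what such a check can look like: it fingerprints the page against an approved baseline and flags any off-site link, form action or embedded resource that does not point at the approved payment processor host over HTTPS. The processor host and the two HTML pages are constructed for illustration; a real merchant would use the host from its own service-provider list.

```python
"""Integrity check for a merchant page containing a payment redirect (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical approved processor host; take the real value from your service-provider list.
APPROVED_PAYMENT_HOSTS = {"pay.example-processor.com"}


class LinkCollector(HTMLParser):
    """Collect every URL through which the page could send the visitor elsewhere."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.targets.append(a["action"])
        elif tag in ("script", "iframe") and a.get("src"):
            self.targets.append(a["src"])


def find_redirect_problems(html, approved_hosts=APPROVED_PAYMENT_HOSTS):
    """Return findings for any absolute off-site target that is not an approved host over HTTPS."""
    parser = LinkCollector()
    parser.feed(html)
    problems = []
    for target in parser.targets:
        url = urlparse(target)
        if not url.netloc:  # relative link stays on the merchant site
            continue
        if url.scheme != "https" or url.hostname not in approved_hosts:
            problems.append(f"unexpected off-site target: {target}")
    return problems


def page_fingerprint(html):
    """SHA-256 of the page, compared against the baseline recorded when the page was approved."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed sample pages (not taken from any real merchant site).
GOOD_PAGE = '<html><body><a href="https://pay.example-processor.com/checkout?mid=123">Pay Now</a></body></html>'
TAMPERED_PAGE = GOOD_PAGE.replace("https://pay.example-processor.com", "http://pay-example-processor.net")

if __name__ == "__main__":
    baseline = page_fingerprint(GOOD_PAGE)
    for name, page in (("good", GOOD_PAGE), ("tampered", TAMPERED_PAGE)):
        changed = page_fingerprint(page) != baseline
        print(name, "changed" if changed else "unchanged", find_redirect_problems(page))
```

In practice the baseline hash is stored when the page is approved and the check runs on a schedule against the live page; any change or any unexpected target is an incident to investigate, not something to silently re-baseline.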
Self Assessment Questionnaire A: Short course for online merchants
Part 1: Merchant Information
Department/College Name:
Contact Name:
Title:
E-mail:
Telephone:
Business Address:
URL(s) of Payment Application: URL of page with Pay Now link
Merchant Account Name:
How to Complete Self Assessment Questionnaire A
Part 2: Type of Merchant Business
E-Commerce: / Mail order / Telephone Order: / Event Registration: / Fund Raising: / Other:
Short Description of business:
Does your company have a relationship with one or more third-party agents (for example web hosting companies, card gateways like Nelnet, Cybersource or Authorize.net)?
Name of Credit Card Processor (example: Nelnet):
How to Complete Self Assessment Questionnaire A
Part 2: Type of Merchant Business
2b. Eligibility to Complete SAQ A
Note: You must be able to answer Yes to all of the questions below to be eligible for using SAQ A. If you no longer qualify for SAQ A, send a note explaining that to: merchantservices@ncsu.edu
Merchant does not (electronically) store, process or transmit any card holder data on merchant systems or premises, but relies entirely on third party service provider(s) to handle these functions;
The third party service provider(s) handling storage, processing, and/or transmission of card holder data is confirmed to be PCI Compliant;
Merchant does not store any cardholder data in electronic format; and
If Merchant does store card holder data, such data is only in paper reports or copies of receipts and is not received electronically.
Reporting PCI-DSS Requirements using SAQ A
Requirement 9.6: Physically secure all media
Req. 9.6: Are all paper documents with credit card numbers on them physically secured in a locked room or enclosure where there are a limited number of people with keys?
Locked?
Not a mixed-use enclosure/room (completed order forms and 10 other things)
Limited number of keys, given only to full time University employees using the payment application
Document processes for the handling of keys: issuing new keys, returning keys, procedure for handling lost keys
Create a PCI Procedures document if needed
Reporting PCI-DSS Requirements using SAQ A
Requirement 9.7: Maintain strict control of the distribution of card holder data
Req. 9.7(a): Do you have rules and/or procedures that are followed when forms with card numbers on them are moved from your office to another location, department or company? Yes/No
Distribution means card holder data leaves your office (premises) and goes to another location, department or company.
Strict means you have rules or specific procedures that are followed for controlling distribution of media containing card numbers.
Reporting PCI-DSS Requirements using SAQ A
Req. 9.7(b): Do you have a method for labeling paper documents with credit card numbers on them? Yes/No
Do you have a specific label for forms or reports containing card holder data?
Do you keep all forms or reports containing card holder data in a specific location?
You must have a method for labeling sensitive credit card data.
Reporting PCI-DSS Requirements using SAQ A
Requirement 9.7.2: Track all media when card holder data is distributed
Req. 9.7.2: When paper forms with credit card numbers on them are moved/sent to another location, do you use a secured courier OR do you keep a log recording how many were moved/sent, when, and who moved it or picked it up?
Tracking: if you have an internal office gopher, keep a log of how many forms, who picked them up and when; OR use a secure courier service.
If just moving a box to storage, count how many forms are put in the box before you move it and verify you have the same number when you get to the destination.
Reporting PCI-DSS Requirements using SAQ A
Req. 9.8: When media is moved from a secured area, is management approval obtained prior to moving the media (this is especially important when media is distributed to individuals)? Yes/No
When media is moved from a secured area, are logs recorded (what was moved, who and when)? Yes/No
Paper log of what was moved (how many forms, boxes, etc.), where, approval with reason, when moved.
Not stated, but the move should be to another secure location locked with limited keys and access by current employees only.
Reporting PCI-DSS Requirements using SAQ A
Req. 9.9: Is strict control maintained over the stored media? Is access to media with credit card numbers restricted to university employees with a business need?
Guidelines for access to card holder data:
Have written procedures for issuing keys, returning keys, dealing with lost keys
Lock the secure enclosure when not open for business
Only open the lock when removing or returning an item
Try to minimize the amount of card holder data removed at a time
Strict: rules or specific procedures for controlling access to stored media containing credit card numbers
Reporting PCI-DSS Requirements using SAQ A
Req. 9.9: Is strict control maintained over the stored media? Is access to media with credit card numbers restricted to university employees with a business need?
Guidelines for access to card holder data (continued):
Keys are given only to people with a business need to have one
Keys are turned in when no longer needed
Locked when not open for business
Enclosure locked except when taking something out or putting it back
Related requirement not in the SAQ report: 9.9.1, conduct periodic media inventory, checking to see that it is up to date and accurate; the check must be done at least annually.
Reporting PCI-DSS Requirements using SAQ A
Req. 9.10: Is media destroyed when no longer needed for business or legal reasons? Yes/No
Use a cross cut shredder (use micro cut if possible, for smaller pieces); 1/8 square is good, less than inch long chads
Have a card number retention policy; shred at least once a year
Destroy paper forms that are older than your retention policy
University Record Retention and Disposition policy: http://policies.ncsu.edu/regulation/reg-01-25-12
Reporting PCI-DSS Requirements using SAQ A
Req. 9.10.1: (a) Are hardcopy materials crosscut shredded, incinerated or pulped so that card holder data cannot be reconstructed? (b) Are containers of paper to be destroyed secured to prevent access to the contents?
Reporting PCI-DSS Requirements using SAQ A
Req. 12.8.1: Is your list of service providers up to date? Yes/No
Providing and maintaining a list was part of the assignment after the Demystifying PCI DSS Compliance merchant training.
Reporting PCI-DSS Requirements using SAQ A
Req. 12.8.2: In the contract with your service provider, does the service provider specifically accept responsibility for the security of card holder data that the service provider possesses or collects? Yes/No/N/A
Find the contract and check.
What if my service provider doesn't collect or possess card holder data?
Reporting PCI-DSS Requirements using SAQ A
Adding or changing service providers requires prior approval by the NCSU Controller's Office.
Req. 12.8.3: Are you aware of the NCSU process for using new service providers?
When merchants want to add a service provider, they should consult with OIT-ISS and get approval from the Controller's office. OIT-ISS must assess the security and PCI compliance of the service provider prior to engaging the service provider.
Reporting PCI-DSS Requirements using SAQ A
Assessing hosting provider security
Use Google search to find information on your hosting provider's information security. Look for:
Security and data protection policies
Information on firewalls, security patching, log monitoring
Information on server sharing
Information on root or shell access
Incident response procedures
Information on how to harden your website or webserver
Examples:
http://www.wufoo.com/privacy/
http://weblog.mediatemple.net/2010/08/06/security-facts/
http://www.wufoo.com/faq/
http://michaelquale.com/91657/securing-hardening-your-media-temple-dv/
http://www.wufoo.com/security/
Reporting PCI-DSS Requirements using SAQ A
Assessing hosting provider security
Look for information on features like HackerSafe, SiteLock or SecuredbySymantec, where the hosting provider will scan your website for vulnerabilities.
Look for information on security update policy and responsibility.
Look for information on incident response or how to report security incidents.
Reporting PCI-DSS Requirements using SAQ A
The security and PCI-DSS compliance of service providers must be checked at least annually.
Req. 12.8.4: Are you aware of the NCSU process to monitor compliance of your service providers?
Merchants will need to work with OIT-ISS to obtain documentation from the service provider, including: an executive summary of the Report on Compliance (ROC), a certificate of PCI compliance, or other documentation of PCI compliance. The process is for merchants to work with OIT to get the required documentation.
How to Complete Self Assessment Questionnaire A
Part 3: PCI-DSS Validation
Based on the results noted in the SAQ A dated (completion date), (Merchant company name) asserts the following compliance status:
Compliant: All sections of the PCI SAQ are complete, and all questions answered Yes, resulting in an overall compliant rating, thereby demonstrating full compliance with the PCI DSS.
Non-compliant: Not all sections of the PCI SAQ are complete or some questions are answered No, resulting in an overall non-compliant rating, thereby not demonstrating full compliance with the PCI DSS. Target date for compliance: an entity submitting this form with a status of Non-Compliant is required to complete the Action Plan in Part 4 of this document.
How to Complete Self Assessment Questionnaire A
Part 3a: Confirmation of Compliant Status
Merchant confirms:
PCI DSS Self-Assessment Questionnaire A, Version 2.0, was completed according to the instructions given.
All information within the above referenced SAQ and in this attestation fairly represents the results of my assessment.
I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
How to Complete Self Assessment Questionnaire A
Part 3b: Merchant Acknowledgement
Signature of Merchant Executive Officer / Date
Merchant Executive Officer Name / Title
How to Complete Self Assessment Questionnaire A
Appendix D: Explain N/A and Special
For example: if you marked Special for Requirement 9, then state: "Merchant has no order forms or reports that contain credit card data."
How to Complete Self Assessment Questionnaire A
Part 4: Action Plan for Non-Compliant Status
If you cannot meet a requirement:
Indicate which requirement is not in place
Indicate a date when requirement 9 or 12 will be in place
How to Complete Self Assessment Questionnaire A
Glossary
Cardholder Data: at a minimum, cardholder data consists of the full 16 digit credit card number. Cardholder data may also appear in the form of the full CCN plus any of the following: cardholder name, expiration date and/or CVV number.
Distribution: card holder data leaves your office (premises) and goes to another location, department or company.
Media: paper documents with full 16 digit credit card numbers on them along with the card holder name and expiration date. Media can also be electronic storage of full 16 digit credit card numbers, card holder name and expiration date.
How to Complete Self Assessment Questionnaire A
Glossary
Policy: organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures for all NCSU merchants.
Procedure: descriptive narrative for a policy. A procedure is the "how to" for a policy and describes how the policy is to be implemented.
Service Provider: any organization that stores, transmits or processes cardholder data on behalf of merchants or other service providers, and also other organizations that could impact merchant security (even if they don't have direct access to cardholder data). Examples include web hosting providers, Nelnet, Yahoo Storefront, Paypal, Intelipay.
How to Complete Self Assessment Questionnaire A
Merchant Assignment
Using the instructions given in this presentation, complete a SAQ A form for each merchant account in the next 2 weeks. Send the completed SAQ A PDF file to: pciservices@ncsu.edu
If keeping card numbers on paper forms:
Complete your key management document
Document your distribution rules/policies
Create a method for labeling sensitive credit card data
Track when, where, what and who moves credit card data forms in a log
Document your rules/policies for accessing stored forms containing credit card data
Decide on a data retention policy for paper forms containing credit card data
Check your contracts with service providers that you share card data with to see if they meet Requirement 12.8
If not done already, submit your list of service providers to OIT-ISS
Collect information on the security policy of your web hosting provider