PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com
Whoops!... 3.1 Changes

PCI DSS Responsibility: Information Technology and the Business Office

PCI DSS Work: Information Technology (most of the work) and the Business Office
PCI DSS: 6 Goals, 12 Requirements

Control Objective 1. Build and maintain a secure network
  - Requirement 1. Install and maintain a firewall configuration to protect data
  - Requirement 2. Change vendor-supplied defaults for system passwords and other security parameters

Control Objective 2. Protect cardholder data
  - Requirement 3. Protect stored data
  - Requirement 4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks

Control Objective 3. Maintain a vulnerability management program
  - Requirement 5. Use and regularly update antivirus software
  - Requirement 6. Develop and maintain secure systems and applications

Control Objective 4. Implement strong access control measures
  - Requirement 7. Restrict access to data to a need-to-know basis
  - Requirement 8. Assign a unique ID to each person with computer access
  - Requirement 9. Restrict physical access to cardholder data

Control Objective 5. Regularly monitor and test networks
  - Requirement 10. Track and monitor all access to network resources and cardholder data
  - Requirement 11. Regularly test security systems and processes

Control Objective 6. Maintain an information security policy
  - Requirement 12. Maintain a policy that addresses information security
Merchant Levels

Level | Visa/MC                                                                 | Amex
1     | > 6 million Visa/MC txns/yr                                             | > 2.5 million txns/yr
2     | 1 to 6 million Visa/MC txns/yr                                          | 50,000 to 2.5 million txns/yr
3     | 20,000 to 1 million Visa/MC ecommerce txns/yr (most colleges and universities) | All other Amex merchants
4     | All other Visa/MC merchants                                             | N/A

Validation Requirements

Level | Visa/MC                                                                          | Amex
1     | Annual on-site assessment (QSA); quarterly network scan (ASV); annual penetration test | Annual on-site assessment (QSA); quarterly network scan (ASV); annual penetration test
2     | Annual on-site assessment (QSA); quarterly network scan (ASV); annual penetration test | Quarterly network scan (ASV); annual penetration test
3     | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan (ASV); annual penetration test | At discretion of acquirer
4     | Annual SAQ; quarterly network scan (ASV); annual penetration test (!)             | N/A

Two caveats on the table: the ASV designation covers the quarterly external vulnerability scan (Requirement 11.2.2), not the penetration test; the Requirement 11.3 penetration test can be performed by a qualified internal resource or a third party and is not an ASV service. And whether the quarterly scan and the penetration test apply to a given merchant at all depends on the SAQ it is eligible for: SAQ A covers only Requirements 9 and 12 and includes neither, while SAQ A-EP and SAQ D do.
Business As Usual
- Monitor security controls for effectiveness
- Ensure all failures are detected and responded to
- Review changes in the environment
- Organizational structure changes
- Periodic reviews and communication to confirm controls continue to be in place
- Review hardware and software technologies

Compliance vs. Security (being compliant is not the same thing as being secure)
Critical Change #1: New SAQs

Payment method                                                 | SAQ (question count: previous version / v3.x)
Card-not-present, all cardholder data functions outsourced    | SAQ A (13 / 14); SAQ A-EP (new: 139)
Imprint only, no cardholder data storage                       | SAQ B (28 / 41)
Standalone dial-out terminal, no cardholder data storage       | SAQ B (28 / 41); SAQ B-IP (new: 83)
Payment application systems connected to the Internet          | SAQ C / SAQ C-VT (80 / 139 and 51 / 73)
All other methods                                              | SAQ D (286 / 326)

SAQ Changes: SAQ A or SAQ A-EP?

Fully outsourced? This is SAQ A:
- The merchant's web site (Performing Arts in the example) only describes the event and offers a "Pay Now" link.
- "Pay Now" sends the customer over the Internet to the merchant service provider, which collects the shopping cart info and sends it to the CC processor.
- The site sitting between the customer and the processor (the "man in the middle" on the slide) is the service provider's, not the merchant's.

Fully outsourced? This is SAQ A-EP:
- The merchant's own web site offers "Pay Now", collects the shopping cart info, and routes it to the merchant service provider for processing.
- The merchant's web site is now the "man in the middle": it can affect the security of the transaction, so it is in scope, and SAQ A-EP applies instead of SAQ A.
SAQ A-EP Impact (number of questions per requirement)

Req | Requirement                                              | SAQ A | SAQ A-EP
1   | Firewalls                                                |       | 11
2   | Vendor-supplied passwords                                |       | 21
3   | Protect stored CHD                                       |       | 3
4   | Encrypt transmission                                     |       | 6
5   | Vulnerability management program                         |       | 7
6   | Develop secure systems & apps                            |       | 16
7   | Restrict access to CHD                                   |       | 2
8   | Identify and authenticate access                         |       | 15
9   | Restrict physical access                                 | 9     | 10
10  | Track and monitor access to network / CHD                |       | 15
11  | Regularly test security of systems and processes         |       | 15
12  | Maintain an information security policy                  | 5     | 18
    | Total                                                    | 14    | 139
Can I Assess Myself?
Short answer: Maybe (but you probably don't want to)
Long answer: You can assess yourself, provided:
- You follow the audit procedures
- Your acquirer agrees
- An approved officer (think President or CFO) signs on the dotted line (attesting to the veracity of the results)
- You're absolutely sure you're going to do it right
Critical Change #2 Shared Responsibilities
Shared Responsibility
Requirement 12: Maintain an Information Security Policy
For Your College:
- 12.8 Managing relationships with service providers
- 12.8.2 Written agreements with service providers
- 12.8.3 Established process for engaging service providers
- 12.8.4 Monitor service provider compliance
- 12.8.5 (NEW) Is information maintained about which PCI DSS requirements are maintained by each service provider and which are maintained by the entity?
For Service Providers:
- 12.9 (NEW) Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment?
Example Contract Language
PCI DSS COMPLIANCE: University requires that the contractor shall at all times maintain compliance with the most current Payment Card Industry Data Security Standards (PCI DSS). The contractor will be required to provide written confirmation of compliance. Contractor acknowledges responsibility for the security of cardholder data as defined within the PCI DSS. Contractor acknowledges and agrees that cardholder data may only be used for completing the contracted services as described in the full text of this document, or as required by the PCI DSS, or as required by applicable law. In the event of a breach or intrusion or otherwise unauthorized access to cardholder data stored at or for the contractor, contractor shall immediately notify [University] to allow the proper PCI DSS compliant breach notification process to commence. The contractor shall provide appropriate payment card companies, acquiring financial institutions and their respective designees access to the contractor's facilities and all pertinent records to conduct a review of the contractor's compliance with the PCI DSS requirements. In the event of a breach or intrusion the contractor acknowledges any/all costs related to breach or intrusion or unauthorized access to cardholder data entrusted to the contractor deemed to be the fault of the contractor shall be the liability of the contractor. Vendor agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify and hold harmless [University] and its officers and employees from and against any claims, damages or other harm related to such breach.
(USE: Include in any solicitation / contract that may involve online credit card payments.)

IMPORTANT: Insert the following statement into the Scope of Work (potentially in the IT section dealing with credit cards and PCI compliance): Provide documentation of your most current PCI system scan and the signature page from your Report on Compliance (ROC) or Attestation of Compliance (AOC).
Critical Change #3: Protecting POS Terminals
9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution?
- Maintain a list of devices
- Periodic inspection
- Train personnel

When You Think You've Covered All Your Bases - but what about the off-campus Alumni Chapter fundraiser held at a private home?
* Square on the homeowner's cell phone, or
* Enter payments on a laptop or home computer, or
* Take payment info on a form and mail it in

MOBILE PAYMENTS?
- Card readers on smart phones/tablets (Square and others): these are Category 3 devices (in the PCI SSC's mobile payment guidance, a consumer handheld device such as a smartphone or tablet that is not dedicated solely to payment acceptance). None are certified compliant!
- Mobile card terminals: few are certified compliant. Check with the PCI SSC.

MOBILE PAYMENTS? PayConex: validated PCI-compliant P2PE. A P2PE solution on the PCI SSC's validated list is what allows a merchant to reduce scope; encryption that is not on the validated list does not.

Some Guidance: No Category 3 device is considered compliant!
RECENT SURVEY RESULTS
- Is your institution PCI compliant now? 45% Yes, 2% Yes
- Do you have written policies for handling credit cards? 87% Yes
- Do you have a formal process for establishing new merchants? 82% Yes
- What department has primary responsibility for PCI? 59% Finance
- How does your institution fund PCI compliance? 70% Centrally
Source: Treasury Institute PCI Workshop 2015
WHAT YOU SHOULD BE DOING NOW
- Review policies and procedures
- Review third-party contracts
- Review third-party software deployment
- Review relationship with the university
- Awareness training for all employees

PCI AWARENESS TRAINING
- New employees: at initial hire
- All employees: annually
- Retain records!

STAYING COMPLIANT
- Keep policies and procedures current
- Awareness training for new workers
- Annual training for all
- Quarterly scans as appropriate
- Manage your third-party vendors
- Annual attestation (SAQs)

COMMON AREAS MISSED
- Policies and procedures (written!)
- Training
- Inadequate segmentation
- Storage of CHD, paper-based and electronic
- Relationships with third-party vendors
- Relationships with related parties
- General IT controls, e.g. passwords, firewalls, IDs, logging, etc.

COMMON SENSE RULES (BUSINESS AS USUAL)
- Never leave a laptop or other computer device unattended
- Always log out of a computer when it is unattended
- Make sure anti-virus software is current and running
- Never download items without authorization
- If you suspect a breach of security, contact the IT department immediately

Take-Aways
- Critical changes in v3.1
- Implement compliance as business as usual
- All employees, students, and volunteer workers are in scope
- Awareness training is a must!
- Involve your IT/network security department
- Make sure your business partners are PCI DSS compliant
- You are probably doing most things right already

Resources
- www.pcisecuritystandards.org: SAQs, FAQs, white papers, certified QSAs and ASVs
- www.treasuryinstitute.org: annual PCI Workshop, listserv, blog
Questions
Ron King, (972) 964-8884, rking@campusguard.com