PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com


Whoops!... 3.1 Changes

PCI DSS Responsibility (chart): Information Technology / Business Office

PCI DSS Work (chart): Information Technology / Business Office ("Most of the work")

PCI DSS: 6 Goals, 12 Requirements

Control Objective 1. Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect data
  2. Change vendor-supplied defaults for system passwords and other security parameters
Control Objective 2. Protect cardholder data
  3. Protect stored data
  4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks
Control Objective 3. Maintain a vulnerability management program
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications
Control Objective 4. Implement strong access control measures
  7. Restrict access to data to a need-to-know basis
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Control Objective 5. Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Control Objective 6. Maintain an information security policy
  12. Maintain a policy that addresses information security

Merchant Levels

Level | Visa/MC | Amex
1 | > 6 million Visa/MC txns/yr | > 2.5 million transactions/yr
2 | 1 to 6 million Visa/MC txns/yr | 50,000 to 2.5 million txns/yr
3 | 20,000 to 1 million Visa/MC ecommerce txns/yr | All other Amex Merchants
4 | All other Visa/MC merchants | N/A
(Slide callout next to Level 3: Most Colleges and Universities)

Validation Requirements

Level | Visa/MC | Amex
1 | Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV) | Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV)
2 | Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV) | Quarterly network scan (ASV); Annual penetration test (ASV)
3 | Annual Self-Assessment Questionnaire (SAQ); Quarterly network scan (ASV); Annual penetration test (ASV) | Quarterly network scan (ASV); Annual penetration test (ASV)
4 | At discretion of acquirer: Annual SAQ; Quarterly network scan (ASV); Annual penetration test (ASV) | N/A

Business As Usual
* Monitor security controls for effectiveness
* Ensure all failures are detected and responded to
* Review changes in the environment
* Organizational structure changes
* Periodic reviews and communication to confirm controls continue to be in place
* Review hardware and software technologies

Compliance vs. Security (diagram: Security / Compliance)

Critical Change #1: New SAQs

Merchant type | SAQ (counts as shown on the slide)
Card-Not Present, All Cardholder Data Functions Outsourced | SAQ A (13) (14); SAQ A-EP (139)
Imprint Only, No Cardholder Data Storage | SAQ B (28) (41)
Standalone Dial Out Terminal, No Cardholder Data Storage | SAQ B (28) (41); SAQ B-IP (83)
Payment Application Systems Connected to the Internet | SAQ C/VT (80/51) (139/73)
All other methods | SAQ D (286) (326)

SAQ Changes (diagram: two alternatives joined by "OR")

Fully Outsourced? This is SAQ A (diagram). Labels: Merchant, Service Provider, Performing Arts, Internet, Collects shopping cart info, Describes Event, CC Processor, Pay Now, Man in the Middle

Fully Outsourced? This is SAQ A-EP (diagram). Labels: Merchant, Service Provider, Performing Arts, Pay Now, Internet, Collects shopping cart info, Routes for processing, Man in the Middle

SAQ A-EP Impact (number of applicable requirements per SAQ)

Req | SAQ A | SAQ A-EP
1 Firewalls | - | 11
2 Vendor-supplied passwords | - | 21
3 Protect stored CHD | - | 3
4 Encrypt transmission | - | 6
5 Vulnerability management program | - | 7
6 Develop secure systems & apps | - | 16
7 Restrict access to CHD | - | 2
8 Identify and authenticate access | - | 15
9 Restrict physical access | 9 | 10
10 Track and monitor access to network / CHD | - | 15
11 Regularly test security of systems and processes | - | 18
12 Maintain an information security policy | 5 | 15
Total | 14 | 139

Can I Assess Myself?
Short answer: Maybe (but you probably don't want to)
Long answer: You can assess yourself, provided:
* You follow audit procedures
* Your acquirer agrees
* An approved officer (think President or CFO) signs on the dotted line (attesting to the veracity of the results)
* You're absolutely sure you're going to do it right

Critical Change #2 Shared Responsibilities

Shared Responsibility
Requirement 12: Maintain an Information Security Policy

For Your College:
* 12.8 Managing relationships with service providers
* 12.8.2 Written agreements with service providers
* 12.8.3 Established process for engaging service providers
* 12.8.4 Monitor service provider compliance
* 12.8.5 (NEW) Is information maintained about which PCI DSS requirements are maintained by each service provider and which are maintained by the entity?

For Service Providers:
* 12.9 (NEW) Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment?

Example Contract Language

PCI DSS COMPLIANCE: University requires that the contractor shall at all times maintain compliance with the most current Payment Card Industry Data Security Standards (PCI DSS). The contractor will be required to provide written confirmation of compliance. Contractor acknowledges responsibility for the security of cardholder data as defined within the PCI DSS. Contractor acknowledges and agrees that cardholder data may only be used for completing the contracted services as described in the full text of this document, or as required by the PCI DSS, or as required by applicable law. In the event of a breach or intrusion or otherwise unauthorized access to cardholder data stored at or for the contractor, contractor shall immediately notify to allow the proper PCI DSS compliant breach notification process to commence. The contractor shall provide appropriate payment card companies, acquiring financial institutions and their respective designees access to the contractor's facilities and all pertinent records to conduct a review of the contractor's compliance with the PCI DSS requirements. In the event of a breach or intrusion the contractor acknowledges any/all costs related to breach or intrusion or unauthorized access to cardholder data entrusted to the contractor deemed to be the fault of the contractor shall be the liability of the contractor. Vendor agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify and hold harmless and its officers and employees from and against any claims, damages or other harm related to such breach.

(USE: Include in any solicitation / contract that may involve online credit card payments.)

IMPORTANT: Insert the following statement into the Scope of Work (potentially in the IT section dealing with credit cards and PCI compliance): Provide documentation of your most current PCI system scan and the signature page from your Record of Compliance (ROC) or Attestation of Compliance (AOC).

Critical Change #3: Protecting POS Terminals
9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution?
* Maintain a list
* Periodic inspection
* Train personnel

When You Think You've Covered All Your Bases - but what about the Off Campus Alumni Chapter Fundraiser held at a private home?
* Square on the homeowner's cell phone, or
* Enter payments on a laptop or home computer, or
* Take payment info on a form and mail it in

MOBILE PAYMENTS?
Card Readers: Smart Phone/Tablets
* Square and others
* Category 3 device
* None are certified compliant!
Mobile Card Terminals
* Few are certified compliant
* Check with the PCI SSC

MOBILE PAYMENTS? PayConex Validated PCI Compliant P2PE

Some Guidance: No Category 3 Device is considered compliant!

RECENT SURVEY RESULTS
Questions asked:
* Is your institution PCI compliant now?
* Do you have written policies for handling credit cards?
* Do you have a formal process for establishing new merchants?
* What department has primary responsibility for PCI?
* How does your institution fund PCI compliance?
Results as shown on the slide: 45% Yes; 2% Yes; 87% Yes; 82% Yes; 59% Finance; 70% Centrally
Source: Treasury Institute PCI Workshop 2015

WHAT YOU SHOULD BE DOING NOW
* Review policies and procedures
* Review third-party contracts
* Review third-party software deployment
* Review relationship with the university
* Awareness training for all employees

PCI AWARENESS TRAINING
* New Employees -- At Initial Hire
* All Employees -- Annual
* Retain Records!

STAYING COMPLIANT
* Keep policies and procedures current
* Awareness training for new workers
* Annual training for all
* Quarterly scans as appropriate
* Manage your third party vendors
* Annual attestation (SAQs)

COMMON AREAS MISSED
* Policies and procedures (written!)
* Training
* Inadequate segmentation
* Storage of CHD - paper based and electronic
* Relationships with third-party vendors
* Relationships with related parties
* General IT regulations, e.g. passwords, firewall, IDs, logging, etc.

COMMON SENSE RULES - BUSINESS AS USUAL
* Never leave a laptop or other computer device unattended
* Always log out of a computer when it is unattended
* Make sure anti-virus software is current and running
* Never download items without authorization
* If you suspect a breach of security, contact the IT department immediately

Take-Aways
* Critical changes in v3.1
* Implement compliance as business as usual
* All employees, students, and volunteer workers are in-scope
* Awareness training a must!
* Involve your IT/network security department
* Make sure your business partners are PCI DSS compliant
* You are probably doing most things right already

Resources
* www.pcisecuritystandards.org: SAQs, FAQs, White Papers, Certified QSAs and ASVs
* www.treasuryinstitute.org: Annual PCI Workshop, Listserv, Blog

Questions? Ron King, (972) 964-8884, rking@campusguard.com