PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

Similar documents
La règlementation VisaCard, MasterCard PCI-DSS

Josiah Wilkinson Internal Security Assessor. Nationwide

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Frequently Asked Questions

Merchant guide to PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Why Is Compliance with PCI DSS Important?

How To Protect Your Business From A Hacker Attack

PCI Security Compliance

Payment Card Industry Data Security Standards.

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Becoming PCI Compliant

How To Comply With The Pci Ds.S.A.S

Adyen PCI DSS 3.0 Compliance Guide

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

Project Title slide Project: PCI. Are You At Risk?

Payment Card Industry Data Security Standards Compliance

How To Protect Your Credit Card Information From Being Stolen

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

University of Sunderland Business Assurance PCI Security Policy

PCI Compliance. Top 10 Questions & Answers

PCI Compliance Top 10 Questions and Answers

Credit Card Processing Overview

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI DSS. CollectorSolutions, Incorporated

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

University Policy Accepting Credit Cards to Conduct University Business

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Understanding Payment Card Industry (PCI) Data Security

SecurityMetrics Introduction to PCI Compliance

CardControl. Credit Card Processing 101. Overview. Contents

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

PCI DSS Presentation University of Cincinnati

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Compliance Information Pack for Merchants

Payment Card Industry Compliance Overview

P R O G R E S S I V E S O L U T I O N S

Important Info for Youth Sports Associations

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PCI Standards: A Banking Perspective

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

PCI Data Security Standards

Clark University's PCI Compliance Policy

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Payment Card Industry Data Security Standard (PCI DSS) v1.2

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

AISA Sydney 15 th April 2009

Payment Card Industry Data Security Standard

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

PCI Compliance Overview

Achieving Compliance with the PCI Data Security Standard

Your Compliance Classification Level and What it Means

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

PCI Compliance: How to ensure customer cardholder data is handled with care

Two Approaches to PCI-DSS Compliance

Appendix 1 Payment Card Industry Data Security Standards Program

University Policy Accepting and Handling Payment Cards to Conduct University Business

PCI DSS Compliance Services January 2016

Payment Card Industry Data Security Standard

Achieving PCI Compliance for Your Site in Acquia Cloud

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

The Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

POLICY SECTION 509: Electronic Financial Transaction Procedures

PCI COMPLIANCE GUIDE For Merchants and Service Members

A PCI Journey with Wichita State University

Office of Finance and Treasury

PCI Compliance : What does this mean for the Australian Market Place? Nov 2007

Payment Card Industry - Achieving PCI Compliance Steps Steps

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

The PCI DSS Compliance Guide For Small Business

Application Security. Standard PCI. 26 novembre

PCI DATA SECURITY STANDARD OVERVIEW

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

Credit Card Risks: Update on PCI Compliance Monday, May 23 2:40pm 3:55 CPE: 2

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

Payment Card Industry (PCI) Data Security Standard

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

How To Ensure Account Information Security

Transcription:

PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

A bank robber s new target Sony Playstation 100 M accounts compromised (included CC data) Sony stated they couldn t be hacked. LulzSec (ninja hackers) have claimed to be the group behind the recent attack on Sony, and has also upset Nintendo and FBI affiliate Infragard.

Key Takeaways General concepts related to PCI-DSS Reducing the PCI compliance scope Minimizing impact of security breach Importance of removing financial data from the IT environment Issues for Higher Education

Three Levels of Standards PIN Transaction Security Standard Payment cards, scanning terminals, point of sale devices. Only use those approved by acquiring bank (Bank of North Dakota) PA-DSS Payment Application Data Security Standard requires development of secure applications that are sold, distributed and licensed to third party vendors PCI-DSS Includes all merchants that accept credit cards for payment of services and goods

PCI Overview 101 What is PCI? What is DSS? What is the latest PCI DSS 2.0 update? Global credit card security standards council led by a policy-setting committee from VISA, MC, AMEX, etc. A framework for developing a robust payment card data security process Provides clarification and additional guidance Standard updated every 3 years What are the PCI business drivers? Protection of assets Mandatory compliance Security against breaches Brand integrity

PCI compliance is a continuous process Assess NDUS Remediate Report

Assess Identify card holder data Inventory IT assets, business processes for CC payment processing Analyze for vulnerabilities

1. Inventory your campus merchants and their payment systems 1. Determine if system is listed on PCI Council s website of certified payment applications 2. System not listed? Request letter of explanation on position for PA-DSS

Analyze vulnerabilities Assess which departments and colleges may be using and storing CC data Do they have a process in place? Do they use a Hosted application for payments?

Remediate First step: Policy and Procedure Develop and implement a policy specific to electronic payment transactions Plug the holes Fix issues found in assessment

Report Compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.

PCI-DSS 6 goals, 12 requirements Goals Build and maintain a secure network Protect card holder data Maintain a vulnerability management program Implement strong access control measures Monitor and test networks Maintain an information security policy Requirements 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cc data and sensitive data 5. Use and regularly update anti-virus software 6. Develop and maintain systems and applications 7. Restrict access on a need-to-know basis 8. Unique ID and password required for access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cc data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security

Card Holder Data Card Holder Data Primary Account Number (PAN) Cardholder Name Expiration Date Service Code Sensitive Authentication Data Full magnetic stripe data or equivalent on a chip CAV2/CVC2/CVV2/CID PINs/PIN blocks

Primary Account Number The Primary Account Number (PAN) is the defining factor in the applicability of the PCI DSS requirements. PCI-DSS requirements are applicable if a PAN is stored, processed, or transmitted. PAN not stored or transmitted PCI-DSS does not apply.

Merchant For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers. Any NDUS institution that accepts credit cards for payment

Merchant Classification Four levels of classification Level Merchant Classification Criteria 3 Visa: any merchant processing 20,000-1 M e-commerce transactions MasterCard: any merchant processing 20,000-150,000 e-commerce transactions AMEX: any merchant regardless of transaction channel that processes less than 50,000 transactions 4 Visa: any merchant that processes fewer than 20,000 Visa e-commerce transactions or processes fewer than 1 M Visa transactions MasterCard: Any merchant that processes fewer than 20,000 MasterCard e-commerce transactions and less than 6 MasterCard transactions

Merchant Validation Merchant Level 3 Validation Actions Validated By Deadline Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan 4 Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan Merchant Qualified Independent Scan Vendor Merchant Qualified Independent Scan Vendor AMEX recommended 10/31/06 Validation requirements and dates are determined by the merchant s acquirer

Merchant Responsibilities Meeting the requirements of PCI-DSS Requiring by contract that engaged third parties meet all PCI security standards Understanding what processors those third parties use Completing the PCI Self-Assessment Questionnaire, if required Hiring a qualified independent scan vendor, if required Engaging a qualified outside assessor, if necessary Protecting other confidential/sensitive information

Acquirer Also referred to as acquiring bank or acquiring financial institution. Entity that initiates and maintains relationships with merchants for the acceptance of payment cards. Bank of North Dakota

SAQ Self Assessment Questionnaire (SAQ) is a validation tool for organizations that are not required to undergo an on-site assessment for PCI DSS compliance. Different SAQs are specified for various business functions. The organization s acquiring bank/financial organization can also determine if a SAQ needs to be completed.

Hosted Payment Acceptance Vendors Entities that transmit and process e- commerce transactions and remove the scope of payment process from the Merchant s systems and network. Vendor examples include TouchNet, CyberSource, and Heartland.

True or False Athletics uses a third party processor to process credit cards. The Athletics department processes seat and ticket reservation requests when customers call in. The person responsible for making the reservations and obtaining payments uses the payment gateway from the third party processor to submit credit card payment. My institution is compliant for PCI-DSS.

PCI Compliance Scope Issues If CC payment information touches your systems and network, it is within scope of PCI What to look for. IPv6 does not lend well to the requirements of PCI Wireless POS/swipe machines/terminals Access to CC information Solutions: Some good, some not so good Virtual machines, separate, dedicated machines, NAT, internal subnets, etc.

Ten Step Approach to Compliance 1. Create a work group to develop policy and procedure related to PCI 1. Form a coalition group compromised of key stakeholders to write, develop, implement, disseminate policy and procedure. 2. Inventory campus merchants and payment systems 3. Determine if each payment system is listed on the PCI Council s Web site of certified payment applications 4. Contact those vendors whose systems are not listed and request a letter explaining their position on PA-DSS 5. Require all Hosted payment vendors to be PA-DSS compliant

Ten Step Approach to Compliance 6. Centralize payment environment, require all campus merchants to adhere to PCI policy, standards, and procedures 7. Review new and contracts up for renewal to ensure the contract meets or exceeds PCI standards 8. Require education and training for all who have access to CC data 9. Do background checks for all employees who handle CC data 10. Assume guardianship and management of IT related resources for CC data

PC-DSS Compliance Strategies Theresa Semmens, CISA Theresa.Semmens@ndsu.edu

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information