Remediation, a Key Approach to Reducing Scope

Remediation, a Key Approach to Reducing Scope
Keeping it as simple as possible to minimize cost and complexity.
Dennis Self, CISSP, Director, IT Security & Compliance, Samford University
"Truth is not democratic." Dennis Self, 2013.

Session Summary: Based on the success of a comparable institution, Samford University adopted a model for PCI compliance based on remediation of its credit card transactions/merchants to reduce scope. Only Self Assessment Questionnaire A and B were required to attain PCI compliance. The benefits were remarkable in cost and complexity avoidance, though some compromise was required that affected transaction processing efficiency in some areas.

Suggested Audience: Small to medium institutions that have low to moderate credit card transaction volume. The presentation will review technical and business considerations.

About Samford University: Samford University is a private, Christian university founded in 1841. Fall 2013 enrollment is 4,833. Carnegie Classification: Master's M.

Schools: Ten schools: Arts; Arts and Sciences; Business; Divinity; Education; Law; Nursing; Pharmacy; Health Professions; Public Health.

About Samford's PCI Scope: 27 merchants. Payment gateway vendors: TouchNet, PayPal, and several third-party vendors.

Disclaimer: I am not a Qualified Security Assessor. Any information presented and any questions answered are for general information and to relate our experience and are provided without guarantee of any kind. You should find answers to your questions through certified resources.

Definition Remediate (OED): to provide a remedy for, redress, counteract; to take remedial action against.

Self Assessment Qualification: Level 3 and Level 4 merchants qualify for self-assessment. Enforcement is by your acquiring bank. Levels are established by the card brands; definitions can be found on the card brand web sites.

Assessment Qualification: In general, from Visa:
Level 1 - over 6 million Visa transactions/year.
Level 2 - 1 to 6 million transactions/year.
Level 3 - 20,000 to 1 million transactions/year.
Level 4 - less than 20,000 Visa transactions/year.
Levels 1 & 2 require 3rd party validation.

PCI DSS Getting Started: Based on the PCI Data Security Standard Requirements: Step 1: Assess. Step 2: Remediate. Step 3: Report.

Initial Surprises: PCI security requirements are stunningly detailed. Stunned that credit card companies would demand or expect such effort from enterprises like ours. It takes a lot of work to be compliant at any level.

It's About Security: It is about security, not compliance. Address the security; compliance measures your security program.

Key Factors at Samford: Objective: Qualify for SAQ A and SAQ B. Complexity driver: Internet involvement. SAQ A, B, and P2PE-HW keep Internet out of scope.

About Samford's Compliance: Student Accounts e-bill moved to a 3rd party in 2009. Compliance efforts on remaining merchants in 2010. 90% compliant - March 30, 2012. 100% compliant - Fall 2012.

The PCI Compliance Working Group: Key participants: merchants and the departments that support merchants. Meeting participants: 9 to 16.

The Compliance Effort: A joint effort of Accounting, Information Technology, and Merchants. Focus: merchant account ownership. Removed non-Samford merchants; remediated some to reduce reputational risk. Identified all campus merchants. Gap analysis by merchant to comply with SAQ A or B.

The Compliance Effort: Consulted with other institutions. Collected the best policies and models. Identified factors that needed normalizing.

Particularly Helpful Sources:
Auburn University - practical experience, organization, processes, and the foundation for our Credit Card Processing and Security Policy.
Indiana University - Security Incident Kit.
Bentley University - remediation: why, how, rationale.
Toby Nelson, QSA, Trustwave - all things PCI-DSS.
Saint Louis Community College - online PCI training.
Many other sources.

The Compliance Effort: The single factor that most affects security and compliance difficulty is Internet involvement. We got the data off our network. If you can, KEEP YOUR NETWORK OUT OF IT.

A Painful, Repeated Lesson: Vendors are not very interested in your compliance. Vendor compliance does not make you compliant!

The Compliance Effort: Determined that remediation to SAQ A and B was the least complex and least costly. Surveyed activities and costs for SAQ C and D. Estimated minimum upfront technology costs at $100,000; some institutions spent well over $1,000,000. Identified key issues for broad categorization of merchants into SAQ A, B, C or D.

The Two Thorniest Issues:
1. Bookstore registers with integrated swipes.
2. Taking credit card information over the phone and keying it into payment applications.
Alternatives:
1. Install dial-out card swipes.
2. Write the transaction and take it to the Bursar.

Two Time-Consuming Issues:
1. Getting the policy done, approved and in effect.
2. Bookstore reaching acceptance of remediation and no longer using the integrated swipes in the registers.

And now PCI DSS 3.0?

Rationalizing The Chart: The following chart was created based on counts of SAQ responses and testing activities. Technical difficulty and business impact were not directly assessed. It is clear that initial and ongoing costs increase sharply as the difficulty of the SAQ increases. All SAQs are more detailed and involved than before.

[Chart: Difficulty Based on Counts, PCI DSS 2.0 and 3.0. PCI DSS requirement samples: SAQ A 9.5; SAQ D 1.1.1-1.1.7.]

PCI DSS 3.0: SAQ D is the default if your merchant cannot precisely fit another SAQ. SAQ A-EP invokes major infrastructure requirements. Initial guidance from the PCI SSC is not out yet.

Outlook for Samford University: Several of our SAQ A merchants may face alternatives:
1. Outsource the shopping cart.
2. Host the application with a PCI-DSS 3.0 compliant hosting company.
3. Create a dedicated PCI compliant datacenter.
4. Overhaul to conform to SAQ A-EP or SAQ D.

Outlook for Samford University: The overall cost for compliance is going up. Review and perform a gap analysis between 2.0 and 3.0. Reactivate our PCI Compliance Working Group.

Outlook for Samford University: Assume there will be no easing of requirements for any SAQ. Prepare for the new requirements. Hold off on major new investments until clarification is available.

Questions? Dennis Self, CISSP, Director IT Security & Compliance, Samford University, DLSelf@Samford.edu, (205) 726-2692