July 2015. Michigan Community Colleges Performance with NBS Thru October, 2015


Protecting PII Compliance Management

Compliance Alphabet Soup
- CFPB
- HEA
- FERPA
- GLBA
- HIPAA
- FCRA
- Red Flag Rules
- PCI DSS
- SCRA
- IRS
- ECOA (Reg. B)
- TILA (Reg. Z)
- EFTA (Reg. E)
- U.S. Bankruptcy Code 11
- UDAAP
- FDCPA
- SOL
- Collection Cost
- State Specific Laws
- TCPA
- Audits
- License & Bonding

PCI DSS: What Every Business Officer Needs to Know

5 Stages of PCI Grief
- Denial: It doesn’t apply to me
- Anger: It isn’t fair
- Bargaining: I’ll do some of it
- Depression: I’ll never get there
- Acceptance: It will be OK

PCI Security Standards Suite: Protection of Cardholder Payment Data
Ecosystem of payment devices, applications, infrastructure and users:
- Manufacturers: PCI PTS (PIN Entry Devices)
- Software Developers: PCI PA-DSS (Payment Applications)
- Merchants & Service Providers: PCI DSS (Secure Environments)
- PCI Security & Compliance: P2PE

Recent Survey (Source: Treasury Institute PCI Workshop)
Questions asked:
- Is your institution PCI compliant now?
- Do you have written policies for handling credit cards?
- Do you have a formal process for establishing new merchants?
- What department has primary responsibility for PCI?
- How does your institution fund PCI compliance?
Responses reported on the slide: 87% Yes; 82% Yes; 59% Finance; 70% Centrally; 45% Yes.

Why is PCI Compliance So Difficult?

College Campuses Are Like Cities…

Looking Like This…
1. Athletics (ticketing and concessions)
2. Performing Arts
3. Business Office / Bursars
4. Library (fines and copying fees)
5. DVD rental vending
6. Campus Safety Office (parking fees and fines)
7. Dining
8. Book Store
9. Student Center (student activity fees, student newspaper advertising, food courts)

PCI Compliance Myths
- “PCI compliance is just another IT project.”
- “The PCI DSS is only a recommendation and not a requirement.”
- “We don’t process a large number of credit cards, so we don’t have to be compliant.”
- “We’ve outsourced our card processing, so we are PCI compliant.”
- “PCI only applies to ecommerce.”
- “The PCI DSS is unreasonable with inflexible requirements.”
- “We use a PA-DSS certified application so we are compliant.”
- “Since we don’t store credit card information, we don’t have to be PCI compliant.”
- “We use a certified card processor, therefore we don’t have to be PCI compliant.”
- “Passing an ASV scan means we are PCI compliant.”

PCI DSS Responsibility: Merchant Agreements with Banks; Business Office; Information Technology

Most of the work… Information Technology and the Business Office

Preparation for Assessment
- Is your campus compliant today?
- Who owns “overall responsibility” for the PCI compliance program?
- How is ongoing oversight accomplished?
- Who has ownership of high level policies and procedures?
- How is required training accomplished?
- Who controls the technical functionality of your credit card environment?
- Who are your third-party service providers?

Can I assess myself?
Short answer: Maybe (but you probably don’t want to)
Long answer: You can assess yourself, provided:
- You follow audit procedures
- Your acquirer agrees
- An approved officer (think President or CBO) signs on the “dotted line” (attesting to the veracity of the results)
- You’re absolutely sure you’re going to do it right

PCI DSS: 6 Goals, 12 Requirements (Control Objectives and their Requirements)
1. Build and maintain a secure network
   1. Install and maintain a firewall configuration to protect data
   2. Change vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
   3. Protect stored data
   4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks
3. Maintain a vulnerability management program
   5. Use and regularly update antivirus software
   6. Develop and maintain secure systems and applications
4. Implement strong access control measures
   7. Restrict access to data to a need-to-know basis
   8. Assign a unique ID to each person with computer access
   9. Restrict physical access to cardholder data
5. Regularly monitor and test networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
6. Maintain an information security policy
   12. Maintain a policy that addresses information security

Merchant Levels
Level | Visa/MC | Amex
1 | > 6 million Visa/MC txns/yr | > 2.5 million txns/yr
2 | 1 to 6 million Visa/MC txns/yr | 50,000 to 2.5 million txns/yr
3 | 20,000 to 1 million Visa/MC ecommerce txns/yr | All other Amex merchants
4 | All other Visa/MC merchants | N/A
Slide annotation: Most Colleges and Universities

Validation Requirements
Level | Visa/MC | Amex
1 | Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV) | Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV)
2 | Annual on-site assessment (QSA); Quarterly network scan (ASV); Annual penetration test (ASV) | Quarterly network scan (ASV); Annual penetration test (ASV)
3 | Annual Self-Assessment Questionnaire (SAQ); Quarterly network scan (ASV); Annual penetration test (ASV) | Quarterly network scan (ASV); Annual penetration test (ASV)
4 | At discretion of acquirer: Annual SAQ; Quarterly network scan (ASV); Annual penetration test (ASV) | N/A

Critical Change #1: New SAQs
Merchant environments:
- Card-not-present, all cardholder data functions outsourced
- Imprint only, no cardholder data storage
- Standalone dial-out terminal, no cardholder data storage
- Payment application systems connected to the Internet
- All other methods
SAQs (number of questions in parentheses):
- SAQ A (13) (14)
- SAQ A-EP (139)
- SAQ B (28) (41)
- SAQ B-IP (83)
- SAQ C/VT (80/51) (139/73)
- SAQ D (286) (326)

This is SAQ A: the merchant (e.g., Performing Arts) describes the “Event”; the customer clicks “Pay Now” and the service provider / CC processor collects the shopping cart info over the Internet (“Man in the Middle”).

This is SAQ A-EP: the merchant (e.g., Performing Arts) university web site collects the shopping cart info from the customer, then passes it over the Internet (“Man in the Middle”) to the service provider.

Critical Change #2: Shared Responsibilities

“Shared Responsibility”: Requirement 12, Maintain an Information Security Policy
For Your College: 12.8 Managing relationships with service providers
- Written agreements with service providers
- Established process for engaging service providers
- Monitor service provider compliance
- (NEW) Is information maintained about which PCI DSS requirements are maintained by each service provider and which are maintained by the entity?
For Service Providers: 12.9 (NEW) Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?

Example Contract Language PCI DSS COMPLIANCE: (College) requires that the contractor shall at all times maintain compliance with the most current Payment Card Industry Data Security Standards (PCI DSS). The contractor will be required to provide written confirmation of compliance. Contractor acknowledges responsibility for the security of cardholder data as defined within the PCI DSS. Contractor acknowledges and agrees that cardholder data may only be used for completing the contracted services as described in the full text of this document, or as required by the PCI DSS, or as required by applicable law. In the event of a breach or intrusion or otherwise unauthorized access to cardholder data stored at or for the contractor, contractor shall immediately notify (College) to allow the proper PCI DSS compliant breach notification process to commence. The contractor shall provide appropriate payment card companies, acquiring financial institutions and their respective designees access to the contractor’s facilities and all pertinent records to conduct a review of the contractor’s compliance with the PCI DSS requirements. In the event of a breach or intrusion the contractor acknowledges any/all costs related to breach or intrusion or unauthorized access to cardholder data entrusted to the contractor deemed to be the fault of the contractor shall be the liability of the contractor. Vendor agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify and hold harmless (College) and its officers and employees from and against any claims, damages or other harm related to such breach. (USE: Include in any solicitation / contract that may involve online credit card payments). 
IMPORTANT: Insert the following statement into the Scope of Work (potentially in the IT section dealing with credit cards and PCI compliance): “Provide documentation of your most current PCI system scan and the signature page from your Record of Compliance (ROC) or Attestation of Compliance (AOC).”

Critical Change #3: Protecting POS Terminals
9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution?
- Maintain a list
- Periodic inspection
- Train personnel

MOBILE PAYMENTS?
- Card readers for smart phones/tablets (“Square” and others) are “Category 3” devices: none are certified compliant!
- Mobile card terminals: few are certified compliant
- Check with the PCI SSC

Resources
- SAQs
- FAQs
- White Papers
- Certified QSAs and ASVs
- Annual PCI Workshop
- Listserv

Ron King Questions?