2013 PCI:DSS Meeting
OSU Business Affairs Process Improvement Team (PIT)
Dan Hough & Robin Whitlock
12/31/2013
Today’s Presentation
- What do you have to do?
- What is PCI DSS?
- Why is it important?
- Compliance Life Cycle
- Cardholder Data/Storage
- Goals & Requirements
- Resources
- Questions
Your to-do list by January 31st:
- Verify credit card merchant information with Business Affairs
- Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
- Merchant managers complete and sign the Cover Page & SAQ (the Annual PCI DSS Assessment must be completed for all merchants). Business Center Manager or FAM must review and sign.
- Send to Dan Hough and Robin Whitlock

Notes: This is your to-do list after this meeting. Keep it in mind as we go through the presentation. Verify: the status report is a list of merchants by Business Center and shows the merchant name, MID type, MID #, the contact person, and which SAQ you must complete. A printed Status Report is in the back of the room. Please take a moment to verify that everything is correct and that the correct contact person is listed. You can write any changes on it or email them to me. You can also find the report on our website after the meeting.
What is PCI DSS?
- Payment Card Industry Data Security Standards
- Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Disc…)
- Mirrors best security practices
- Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers…)
- That means you!

Notes: Define PCI. Developed by the leading credit card networks (Visa, MC, Discover). Required for all entities that store, process, or transmit cardholder data. This means all of you!
Why Is Compliance Important?
- Reputation protection (customers, acquirers and payment brands, OST)
- Reduce potential legal liabilities
- Avoid fines and legal costs
- Avoid investigative charges
- Data compromise may result in a higher PCI DSS validation level
- Maintain MID
- Understanding of information & risks
- Continue accepting cards
- Compliance is mandatory (eCommerce Policy, Oregon State Treasury, PCI DSS)

Notes: Why do you all think compliance is important? Reputation. Reduce legal liabilities. Avoid costs. Avoid additional work: if you have a breach you must then report at the highest validation level. Maintain your Merchant ID (because this is mandatory). Gives you a better understanding of the process and risks.
Why PCI:DSS?
- 4,139 breaches of sensitive information (>662 million records) since 2005 (Ref: PrivacyRights.org 12/31/13)
- Educational institutions: 716 breaches (~17%)

Notes: Since 2005 there have been over 4,000 breaches of sensitive information, 579 last year alone. Educational institutions make up ~17% of these breaches: 716 since 2005, and 45 of them occurred last year!
Target Data Breach
Think it can’t happen here? It already has!!!
- In 2005 hackers broke into the Bookstore’s online application and stole credit card data.
- In summer 2012 we discovered that a vendor had taken some information from the Cashier’s Office to use in development of their application. It wasn’t credit card information, but it was still sensitive information. Though the data was not taken maliciously, and we are confident that it was not shared with others, it was still a breach and we had to respond to it.
Compliance Life Cycle
1. Pre-Assessment / Gap Analysis: compare what you are doing to the requirements in your SAQ. Look for what’s broken or where you are not in compliance.
2. Implement / Remediate: fix it.
3. PCI:DSS Validation: complete and submit the PCI-DSS SAQ by January 31st.
Ongoing Compliance Monitoring surrounds the cycle and continues after validation.

Notes: 1 (Pre-Assessment/Gap Analysis) and 2 (Implement/Remediate) are ongoing throughout the year. 3 is what we are doing now, but you still have a chance to remediate issues prior to submission. If you find that you are not in compliance with the standards and fix it before you submit the SAQ, that is great. If you can’t fix it before you submit the SAQ, you must state on the SAQ when and how you are going to fix it. The process isn’t done when you complete the SAQ. Now that you know what is expected, you need to stay in compliance and watch out for weak spots in your processes.
What is Cardholder Data?
- Primary Account Number (PAN)
- Expiration Date
- Cardholder Name
- Chip/Magnetic Stripe Data
- CAV2/CVC2/CVV2

Notes: So what are we trying to protect? We are protecting cardholder data: the Primary Account Number (PAN), expiration date, name, chip/magnetic stripe data, and the 3-digit code on the back of the card. It is preferred that you do not store any of this data, though you can store the PAN, expiration date, and cardholder name if it is protected. You may never store the chip/magnetic stripe data or the CVC2 number.
PCI Data Storage

| Data Element | Storage Permitted | Protection Required |
|---|---|---|
| Cardholder Data: Primary Account Number (PAN) | Yes | Yes |
| Cardholder Data: Cardholder Name[1] | Yes | Yes[1] |
| Cardholder Data: Expiration Date[1] | Yes | Yes[1] |
| Sensitive Authentication Data[2]: Full Magnetic Stripe Data[3] | No | N/A |
| Sensitive Authentication Data[2]: CAV2/CVC2/CVV2 | No | N/A |

[1] These data elements must be protected if stored in conjunction with the PAN.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Magnetic stripe or chip.
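The storage table above is the rule a merchant application (or a gap analysis of its logs and spreadsheets) has to apply. The following Python is an added example, not part of the presentation or of any OSU system: it locates Luhn-valid PAN-looking numbers in free text, flags a stored record that contains sensitive authentication data or an unprotected PAN, and produces a storable copy with the PAN masked. The field names (pan, cvv2, track2, and so on) and the sample record are constructed assumptions; the card number in the sample is the well-known Visa test number, not a real account.

```python
"""Constructed example: check a stored payment record against the PCI DSS
storage table (PAN/name/expiry storable only if protected; track data and
CAV2/CVC2/CVV2 never storable after authorization)."""
import re

# Sensitive Authentication Data field names (assumed names for this example):
# never storable after authorization, even encrypted.
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "track1", "track2", "chip_data"}
# Cardholder data that may be stored only if protected (assumed names).
CHD_FIELDS = {"pan", "cardholder_name", "expiration_date"}

# 13-19 digits, optional single space/dash between digits, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by the card brands; filters out most random
    digit runs (order numbers, timestamps) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid candidate PANs found in free text (digits only).
    Suitable for gap analysis of log files, exports and spreadsheets."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Mask a digits-only PAN: PCI DSS allows at most the first six and last
    four digits to be shown; everything between is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def check_record(record: dict) -> list[str]:
    """Findings for one record, keyed to the storage table:
    any SAD field -> violation; unmasked PAN -> must be protected;
    name/expiry stored with the PAN -> must be protected (footnote [1])."""
    findings = []
    for f in sorted(SAD_FIELDS & record.keys()):
        findings.append(f"{f}: sensitive authentication data, must not be stored after authorization")
    pan = record.get("pan", "")
    if find_pans(pan):  # an unmasked, Luhn-valid PAN is present
        findings.append("pan: stored unprotected, must be masked, truncated or encrypted")
        for f in sorted((CHD_FIELDS - {"pan"}) & record.keys()):
            findings.append(f"{f}: stored with PAN, must be protected")
    return findings


def scrub_record(record: dict) -> dict:
    """Return a storable copy: SAD fields dropped, PAN masked."""
    clean = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    if find_pans(clean.get("pan", "")):
        clean["pan"] = mask_pan(re.sub(r"[ -]", "", clean["pan"]))
    return clean


# Constructed sample record; 4111111111111111 is the public Visa test number.
SAMPLE_RECORD = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "Test Cardholder",
    "expiration_date": "12/15",
    "cvv2": "123",
    "amount": "25.00",
}

if __name__ == "__main__":
    for line in check_record(SAMPLE_RECORD):
        print("FINDING:", line)
    print("storable copy:", scrub_record(SAMPLE_RECORD))
```

The Luhn filter keeps the PAN search from flagging every long number in a log, but it is a screening aid, not proof: a record that passes it still has to be reviewed, and a masked PAN no longer matches the search, which is exactly the property the masking rule relies on.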
PCI DSS Goals & Requirements (digital dozen)
Build and Maintain a Secure Network (2)
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other parameters
Protect Cardholder Data (2)
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

Notes: We attempt to protect this data by following the PCI:DSS. These are called the digital dozen and provide an overview of what you will be asked during the reporting process. Depending on how you accept credit cards, some of these may not apply to you. If you are using our network to transmit or process credit card data, make sure that a firewall is in place to restrict who can get to it. Don’t use default passwords: if you have a card swipe terminal and you need to enter a password to process refunds or to batch out, change it from 1234 so only authorized staff can access it. Protect cardholder data: if you must store it physically or electronically, make sure it’s protected. When I say electronically I do not mean an Excel file of account numbers; it refers to the servers for those who use Micros and TouchNet. If you are using the network to transmit data, make sure it’s encrypted and protected.
PCI DSS Goals & Requirements
Maintain a Vulnerability Management Program (2)
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures (3)
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Notes: Maintain: use and update your antivirus software; keep software and applications up to date and protected. Implement strong access control: restrict who can access the data to those who need to know; use unique logins; if you store information in a file cabinet (again, not recommended!!!!), restrict who can get to it.
PCI DSS Goals & Requirements
Regularly Monitor and Test Networks (2)
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy (1)
- Maintain a policy that addresses information security

Notes: Monitor and test networks that transmit this data. Track who has access to it. Maintain an information security policy. You can tell some of these things are already provided in the OSU environment and some only apply to certain scenarios. If you don’t know, ask your IT staff or ask us.
Misconceptions
- Self assessment means you’re compliant
- Compliance means you won’t suffer a breach
- Outsourcing takes away your need for compliance
- PCI:DSS is just about IT
- A single product can make you compliant
- Compliance can be automated
What do we have to do?

| Level/Tier | Merchant Criteria | Validation Requirements |
|---|---|---|
| 1 | Merchants processing over 6 million Visa transactions annually (all channels) | Annual Report on Compliance by Qualified Security Assessor (“QSA”); quarterly network scan by Approved Scan Vendor (“ASV”); Attestation of Compliance Form |
| 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire; quarterly network scan by ASV |
| 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ |
| 4 | Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually | Quarterly network scan by ASV if applicable; requirements set by acquirer |

Notes: We are tier 4 and must complete an annual SAQ. There are several different versions, and the one you must complete is indicated on the status report. The reason we put this up there is to show you how easy we have it. If you have a breach, you automatically go up to tier 1, which means more work and more costs!
Changes from Last Year…
- TouchNet merchants must complete the cover page and the SAQ-A

Notes: Before we go into all the documents, for all of those who completed this last year, here are a couple of changes…
Annual PCI DSS Assessment Documents
Documents due by January 31st, 2014:
- OSU Cover Page
- Self Assessment Questionnaire (SAQ A-D, as appropriate to the merchant)
- 3rd Party PCI DSS Certificate of Compliance (if applicable)
Resources available on our website:
- Status Report by Business Center
- SAQ Forms, Instructions, and guidelines
- Navigating the PCI DSS
- Glossary

Notes: Now let’s take a look at what this entails.
PCI DSS Assessment Cover Page
The purpose of the cover page is to verify our records and to make any necessary updates. You will be asked to provide contact information, how you are using your merchant ID, and what hardware/software you are using. Dan will speak to the details of the form. You may also consolidate similar merchants on this page.
Multiple Merchant Consolidation
Multiple merchants can be combined into a single submittal if:
- The merchant IDs (MIDs) are of the same type (i.e. all POS, all Web…)
- All merchants are managed by the same merchant manager
- The same policies and procedures apply to all merchants
- The strictest SAQ will apply (the one with the most questions)
- List all merchants on the cover page

Notes: Overview. Example: UHDS.
Self Assessment Questionnaire (SAQ)
- Completed by the merchant manager
- Subset of full requirements
- Broken down by Goals & Requirements
- Made up of Yes / No / Not Applicable responses
  - NA or “Compensating Control”: must be explained
  - No: must have Remediation Date and Actions
- Attestation Section
  - Fill out the Merchant version
  - Do not complete the Service Provider version
SAQ Example: Requirements
- Made up of Yes / No / Not Applicable responses
- If Yes, you are done with this question.
- NA or “Compensating Control”: must be explained
- No: must have Remediation Date and Actions
Compliance Summary
This example is a summary for an SAQ-A, the minimal one. If you say No to one question in a section, you must report that you are not compliant for the entire section. You must provide the remediation date and actions on this page.
SAQ Example: Explanation of Non-Applicability
If you marked N/A, this is where you describe why. Do not just call it requirement 12; include the specific sub-section being addressed, for example 12.8.
SAQ Example: Compensating Controls
If you think you have a compensating control, this is where you explain it. Yes means you are meeting the requirement, but in a different way than what is described.
SAQ Example: Attestation
- There are two parts to the Attestation of Compliance.
- Complete the “Merchant” version, not the Qualified Security Assessor Company version (if available).
- OSU does not use a Qualified Security Assessor Company.

Notes: Make sure you complete the Merchant version, not the Qualified Security Assessor Company version.
Your to-do list by January 31st:
- Verify credit card merchant information with Business Affairs
- Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
- Merchant managers complete and sign the Cover Page & SAQ (the Annual PCI DSS Assessment must be completed for all merchants). Business Center Manager or FAM must review and sign.
- Send to Dan Hough and Robin Whitlock. Electronic submission is preferred.

Notes: This is your to-do list after this meeting. Keep it in mind as we go through the presentation. Verify: the status report is a list of merchants by Business Center and shows the merchant name, MID type, MID #, the contact person, and which SAQ you must complete. A printed Status Report is in the back of the room. Please take a moment to verify that everything is correct and that the correct contact person is listed. You can write any changes on it or email them to me. You can also find the report on our website after the meeting.
Resources
- PCI Compliance for OSU Credit Card Merchants (instructions & forms): http://oregonstate.edu/fa/businessaffairs/staff/PCI
- OSU FIS Manual: http://oregonstate.edu/fa/manuals/fis/1401-06
- OUS Policy Guideline for Electronic Commerce: http://www.ous.edu/dept/cont-div/fpm/elec-40-005
- Oregon Accounting Manual - Credit Card Acceptance for Payment: http://www.oregon.gov/DAS/CFO/SARS/policies/oam/10.35.00.pr.pdf
- Oregon State Treasury Cash Management Policy: http://www.oregon.gov/treasury/Divisions/Finance/StateAgencies/Pages/Cash-Management-Manual.aspx
- Payment Card Industry Data Security Standards: https://www.pcisecuritystandards.org/merchants/

Notes: We will also email you a link to this presentation, which will be posted on the OSU PCI website.
Thank You
Business Affairs Contacts
- Robin Whitlock, Robin.Whitlock@OregonState.edu, 541-737-0622
- Dan Hough, Dan.Hough@OregonState.edu, 541-737-2935

Notes: For those of you who have done this before, what advice do you have for others, or what questions do you still have?