UGA Extension PCI DSS Awareness Training

Presentation transcript:

UGA Extension PCI DSS Awareness Training
Presented by the CAES Business Office

Notes: The purpose of this training is to introduce the PCI DSS requirements applicable to County Offices and to train relevant personnel in those offices to comply with the requirements. This training is required for all personnel who handle credit cards in a County Office. It is an annual training and must be reviewed on a yearly basis. Updates, if any, will be made at least yearly.

CAES Credit Card Machine Policy
- All UGA Extension Offices that process credit card payments must adhere to the UGA CES Credit Card Machine Policy.
- The policy must be reviewed before processing credit card payments.
- The policy may be found at the following link: http://intranet.caes.uga.edu/coextopr/fiscalcomp/documents/UGAExtOfficeCreditCardMachinePolicy.pdf
- If you adhere to this policy, then you most likely will complete the annual Self Assessment Questionnaire B (SAQ B). This training presents additional information specific to offices completing SAQ B.
- A Self Assessment Questionnaire is a questionnaire that reviews your compliance with PCI DSS requirements. Completion of an annual SAQ is required for PCI compliance.

Notes: Prior to starting this training you must have completed the UGA Extension Credit Card Processing Training. If you have not completed that training, please complete it first before continuing. In order to simplify compliance requirements as much as possible, the UGA CES Credit Card Machine Policy is designed for offices to complete SAQ B.

PCI DSS Overview
- PCI DSS stands for “Payment Card Industry Data Security Standard”.
- Developed by the PCI Security Standards Council.
- A global data security standard.
- PCI DSS requirements apply to all merchants (e.g., Extension offices) who process, transmit, or store cardholder data, regardless of size or number of transactions.
- PCI DSS requirements also apply to all third-party service providers.
- The payment brands (e.g., VISA, MasterCard), as well as the acquiring banks (e.g., FirstData), are responsible for enforcing PCI DSS compliance.
- Every person involved in processing cardholder data is required to complete annual PCI DSS security training.
- PCI DSS compliance is not optional!

PCI DSS Goals and Requirements
[Slide shows the table of PCI DSS goals and requirements; it is not reproduced in the transcript.]

Notes: This is an overview of all of the PCI DSS requirements. However, only certain ones will be applicable to a County Office if it is following the UGA CES Credit Card Machine Policy. See the next slide for the applicable requirements.

PCI DSS Goals and Requirements (SAQ B)
[Slide shows the same table with the requirements applicable under SAQ B marked; it is not reproduced in the transcript.]

Notes: If your office complies with the requirements in SAQ B, then only the notated sections above apply to your office. In the following slides we will discuss and explain each requirement as stated in SAQ B.

Protect Cardholder Data Requirements (1)
- 3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
  - 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
  - 3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card, used to verify card-not-present transactions) after authorization. This is also known as the service code or security code.

Notes: Although certain sensitive cardholder information, such as the expiration date, full card number, and security code, may be provided to us for credit card transactions taken over the phone, we may not store this information in any form.

Protect Cardholder Data Requirements (2)
- 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.
- 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
  - This is set for us by FirstData; it only prints out the last 4 digits.
  - If transactions are taken over the phone, the full account number is taken to perform the transaction, but all but the last 4 digits must be removed when stored.
- 4.2 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
  - Do not send or accept cardholder data through email, instant messaging, text, or any other unencrypted format.

Notes: PAN is short for “Primary Account Number”.
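Requirements 3.2 and 3.3 come down to two mechanical rules for a phone transaction: the security code, expiration date, PIN and track data are never written down, and whatever record is kept shows only the last four digits of the account number. The following Python is an added example, not part of the training or of any UGA or FirstData system; it shows how an office-built spreadsheet export or note-taking tool would truncate a PAN, drop the forbidden fields, and scan the remaining free-text fields so that a full account number typed into a "notes" column never reaches storage. The candidate-PAN pattern, the `redact_phone_order` field names and the sample records are all constructed for the example; the Luhn check is the standard mod-10 check printed on real card numbers and is used here only to cut false positives on other long digit strings such as receipt references.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed pattern for this example; the length range is the usual PAN range.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Truncate a PAN so only the last `keep_last` digits remain.

    PCI DSS 3.3 allows at most first six/last four on a display; the office
    practice described in the training keeps only the last four, so that is
    the default here.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit sequences found in free text.

    Meant for checking a phone-order note or spreadsheet cell before it is
    filed, so a full account number is never stored by accident.
    """
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_phone_order(record: dict) -> dict:
    """Build the storable form of a phone transaction record.

    Drops sensitive authentication data and the expiration date (3.2 and the
    training notes), truncates the PAN (3.3), and refuses to return a record
    whose other text fields still contain a full account number.
    Field names are an assumption of this example.
    """
    forbidden = {"cvv", "cvc", "security_code", "pin", "track_data", "expiration"}
    stored = {k: v for k, v in record.items() if k.lower() not in forbidden}
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    for key, value in stored.items():
        if key != "pan" and isinstance(value, str) and find_unmasked_pans(value):
            raise ValueError(f"field {key!r} still contains a full account number")
    return stored


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a well-known test number.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiration": "12/26",
              "amount": "25.00", "notes": "paid by phone"}
    print(redact_phone_order(sample))
```

Running the block stores `{'pan': '************1111', 'amount': '25.00', 'notes': 'paid by phone'}`; a record whose notes field contains a second full card number is rejected rather than silently filed, which is the behaviour the training asks for when the full number has been read out over the phone.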

Credit Card Information
[Slide shows a reference image of the information displayed on a payment card; it is not reproduced in the transcript.]

Notes: This is a reference of the information displayed on credit cards. If you are unsure of what information is required or how to find it, please refer back to this slide. PAN stands for “primary account number”.

Implement Strong Access Control Measures (1)
- 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
  - 7.1.2 Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities. Only personnel who need to process credit card transactions in order to fulfill their job duties should have access to the cardholder data and terminals.
  - 7.1.3 Assign access based on individual personnel’s job classification and function. This means that access must be given on an individual, as-needed basis. Access cannot be granted to an entire office or to groups of employees with varying job classifications and functions without justification.

Notes: If you are in a small County Office and the expectation is that all personnel may be expected to process credit card transactions, then ensure that all personnel have attended the necessary trainings and attested to completing them. However, it is a best management practice to restrict access to cardholder information and credit card terminals as much as possible.

Implement Strong Access Control Measures (2)
- 9.5 Physically secure all media. Media includes hard drives, USB flash drives, paper receipts, reports, and faxes. It must be kept in a locked, secured area. For us, this primarily includes the merchant copies of receipts, credit card transaction phone records, refund records, and credit card deposit records.
- 9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:
  - 9.6.1 Classify media so the sensitivity of the data can be determined. For us, we should only be storing cardholder data, so it would be classified as such. We should not be storing sensitive authentication data (magnetic stripe data, security codes, and PINs).
  - 9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked. You must maintain verifiable logs and approvals for moving media within and outside of your office.
  - 9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). The logs must include managerial approval.
- 9.7 Maintain strict control over the storage and accessibility of media.

Notes: It is recommended that merchant copies of receipts are stored in a 12-month accordion folder, in order to separate receipts by month, and kept in a lockable, secure location. Only individuals who are authorized to process credit cards may access this location. A sample media transfer log may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html

Implement Strong Access Control Measures (3)
- 9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
  - 9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. Merchant copies of receipts should be destroyed after being stored for 1 year; they should be cross-cut shredded or pulped. Credit Card Deposit Records and batch reports must be maintained for 7 years.
- 9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
  - 9.9.1 Maintain an up-to-date list of devices. The list should include the following:
    - Make and model of device
    - Location of device (for example, the address of the site or facility where the device is located)
    - Device serial number or other method of unique identification
    You must maintain this list at the individual office level.

Notes: A sample device list may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html

Implement Strong Access Control Measures (4)
- 9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). This must be performed at the individual office level.
- 9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
  - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  - Do not install, replace, or return devices without verification.
  - Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  - Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
  This training is provided by the CAES Business Office. Your office-specific policies may simply state that we provide this training.

Notes: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

Maintain an Information Security Policy (1)
- 12.1 Establish, publish, maintain, and disseminate a security policy. This is set at the individual office level. The policy must state that it follows the provisions of the CAES Credit Card Machine Policy.
  - 12.1.1 Review the security policy at least annually and update the policy when the environment changes. Be sure to include the date of the update on the policy document.
- 12.3 Develop usage policies for critical technologies and define proper use of these technologies.
  - 12.3.1 Explicit approval by authorized parties
  - 12.3.3 A list of all such devices and personnel with access
  - 12.3.5 Acceptable uses of the technology
  The devices portion is included in the CAES Credit Card Machine Policy. You may only use authorized devices stated within the policy. You must maintain a list of authorized personnel and what is considered acceptable use. For acceptable use, only credit card transactions for official business may be processed, in person or by phone.
- 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. This is included in the CAES Credit Card Machine Policy.

Notes: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage. A sample office-specific security policy may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html The policy must be reviewed annually. If changes are made to the policy, submit the updated policy to the CAES Fiscal Compliance Coordinator along with that year’s SAQ.

Maintain an Information Security Policy (2)
- 12.5 Assign to an individual or team the following information security management responsibilities:
  - 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. This is covered in the CAES Credit Card Machine Policy.
- 12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. This is addressed by the CAES Business Office through this training.
- 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
  - 12.8.1 Maintain a list of service providers including a description of the service provided.
  - 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
  These sections are addressed by the CAES Business Office.

Maintain an Information Security Policy (3)
- 12.8.3 Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.
- 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
- 12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  These sections are addressed by the CAES Business Office.
- 12.10.1 Create the incident response plan to be implemented in the event of a system breach. Ensure the plan addresses the following, at a minimum:
  - Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands at a minimum
  - Specific incident response procedures
  - Business recovery and continuity procedures
  - Data backup processes
  - Analysis of legal requirements for reporting compromises
  - Coverage and responses of all critical system components
  - Reference or inclusion of incident response procedures from the payment brands
  You must establish an incident response plan for your individual office.

The Cost of Non-Compliance
- Suspension of merchant account(s)
- Fines to be paid by the merchant
  - As high as $500,000 per data security incident
  - As high as $50,000 per day for non-compliance with published standards
- All fraud losses incurred from compromised account numbers to be paid by the merchant
  - From the date of the compromise forward
- Cost of re-issuing credit cards to be paid by the merchant

Notes: Recall that the “merchant” in these examples is the individual County Office.

The Cost of Non-Compliance
- Increased transaction fees charged by the bank to be paid by the merchant
- External incident investigation to be paid by the merchant
  - Estimated cost is $30,000 - $300,000 per incident investigation
- Remediation costs to be paid by the merchant
- Legal fees, settlements, and judgments to be paid by the merchant

Primary Causes of PCI Data Breaches
- Being non-compliant with the PCI DSS requirements
- Attacks on users
- Malware
- Man-in-the-middle attacks
- Default or guessable passwords
- PCI devices used for non-PCI tasks
- PCI devices using Wi-Fi networks
- Physical tampering of unmanned or unattended POS devices
- Remote access
- Unpatched systems

Notes: For us, the primary causes would be not following PCI DSS requirements and physical tampering of the devices. POS terminal fraud will be discussed in more depth on the following slides.

POS Terminal Fraud
- Skimming
  - POS malware and man-in-the-middle attacks
  - Stealing payment data from the customer’s credit card
  - Stealing payment data from the payment infrastructure
- Cloning and PIN harvesting
  - POS malware and man-in-the-middle attacks
  - More prevalent with EMV devices
  - Malware used to intercept the random number assigned during the transaction, replacing it with a different pre-computed number
- POS fraud targets
  - PIN data
  - Unattended or unmanned terminals
  - Merchants with a high transaction volume
  - Merchants with periods of high-volume sales

Identifying POS Terminal Fraud
[Slide shows examples of skimming devices added to POS terminals; images not reproduced in the transcript.]
Skimmers can be hidden by the SIM card cover plate and by overlays or stickers that cover the keyboard area, which can hide damage due to tampering as well as wires that allow for keyboard logging.

Identifying POS Terminal Fraud
Example of terminal tampering: terminals have a sticker attached to the underside that provides details of the product and includes a serial number. The majority of terminals will also have a method of displaying the serial number electronically. As part of your regular checks, note the serial number on the back of the terminal and check it against the electronic serial number. Additionally, run your finger along the label to check that it is not hiding a compromise.

Identifying POS Terminal Fraud
[Slide shows examples of handheld skimmers; images not reproduced in the transcript.]
These small, handheld devices, often used by corrupt staff, can store a large amount of CHD (cardholder data) and can connect to mobile devices.

Identifying POS Terminal Fraud
[Slide shows an example of a terminal connection change: a normal terminal connection cable beside a changed cable; images not reproduced in the transcript.]

Notes: The changed cable houses additional wires to capture CHD.

Identifying POS Terminal Fraud
Remember that you are looking for signs of tampering or substitution, but you should not open the device yourself.
- Inspect terminals often to ensure there are no new stickers (they could be overlays!) and that original stickers have not been removed or modified.
- Inspect terminals often to see that the serial numbers are correct.
- Inspect terminals often for broken or differently colored casings, as well as loosened or missing screws.

Identifying POS Terminal Fraud
- Inspect terminal connection cables often for any signs of tampering.
- Verify the identity of anyone claiming to be a maintenance or repair person there to work on your POS device. Verify who called before granting access to the device.
- Do not install, replace, or return devices without authorization.
- Report suspicious behavior around POS devices. Be aware of anyone handling, unplugging, or opening the device.
- If you suspect your POS terminal has been tampered with in any way, contact your District Office immediately.

Protecting POS Devices
- Keep terminals secured when not in use. If terminals are in a public location, never leave them unmanned or unattended.
- Regularly inspect the devices. The more the device is used, the more often it should be inspected. If the device is rarely used, always inspect it before the next use.
- Have more than one person responsible for inspection.

Protecting POS Devices
- Keep your inventory of POS devices current. Use the PCI DSS Inventory Log. This log should include each person who is approved to use the devices.
- Employees shall review this training regularly, and new employees must review it prior to having access to terminals.
- Allow employees role-based access to the terminals. If access is not needed, access should not be authorized. Access should be removed immediately upon termination of employment.

Notes: A sample Inventory Log may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html
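The device list required by 9.9.1, the periodic serial-number and surface check of 9.9.2, and the "inspect more often the more it is used" rule from the Protecting POS Devices slides fit together as one small record-keeping routine. The following Python is an added example written for this training page; it is not the CAES inventory log or any UGA tool. It keeps the make, model, location and serial from the device list, records the inspection interval an office has chosen for each terminal, compares the label serial and the electronically displayed serial against the inventory (the check described on the terminal-tampering slide), and reports which devices are overdue. The `Device` fields, the indicator names and the sample inventory are assumptions of the example; the findings are reported for escalation, exactly as the training says, rather than "fixed" by the inspector.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Device:
    """One row of the 9.9.1 device list plus the office's inspection schedule."""
    make: str
    model: str
    location: str
    serial: str                    # serial recorded when the device was placed in service
    last_inspected: date
    inspection_interval_days: int  # shorter for heavily used terminals


@dataclass
class InspectionResult:
    serial: str
    findings: list = field(default_factory=list)

    @property
    def suspect(self) -> bool:
        return bool(self.findings)


# Tampering indicators named on the training slides; names are this example's own.
KNOWN_INDICATORS = {"new_sticker_or_overlay", "label_altered", "casing_damaged",
                    "screws_loose_or_missing", "cable_changed", "unexpected_attachment"}


def inspect_device(dev: Device, label_serial: str, electronic_serial: str,
                   observed_signs: set, today: date) -> InspectionResult:
    """Compare what is seen on the terminal with the inventory record (9.9.2).

    A serial mismatch on either the label or the screen is treated as possible
    substitution; any observed indicator is reported as possible tampering.
    Only a clean inspection resets the device's inspection clock.
    """
    result = InspectionResult(dev.serial)
    if label_serial != dev.serial:
        result.findings.append(f"label serial {label_serial} does not match inventory {dev.serial}")
    if electronic_serial != dev.serial:
        result.findings.append(f"electronic serial {electronic_serial} does not match inventory {dev.serial}")
    for sign in sorted(observed_signs):
        if sign in KNOWN_INDICATORS:
            result.findings.append(f"tampering indicator: {sign}")
        else:
            result.findings.append(f"unrecognised observation: {sign}")
    if not result.findings:
        dev.last_inspected = today
    return result


def overdue_devices(inventory: list, today: date) -> list:
    """Serials of devices whose chosen inspection interval has elapsed."""
    return [d.serial for d in inventory
            if today - d.last_inspected > timedelta(days=d.inspection_interval_days)]


def parse_day(text: str) -> date:
    """ISO date helper (YYYY-MM-DD) so callers need not import datetime."""
    return date.fromisoformat(text)


def sample_inventory() -> list:
    """Constructed two-terminal inventory; not a real office's device list."""
    return [
        Device("ExampleMake", "T-100", "Front desk, County Office A", "SN-0001",
               parse_day("2024-03-01"), 30),
        Device("ExampleMake", "T-100", "Storage cabinet, County Office B", "SN-0002",
               parse_day("2024-01-15"), 90),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    today = parse_day("2024-04-10")
    print("overdue:", overdue_devices(inventory, today))
    swapped = inspect_device(inventory[1], "SN-0002", "SN-9999", {"casing_damaged"}, today)
    for finding in swapped.findings:
        print("report to District Office:", finding)
```

With the constructed dates, the front-desk terminal (30-day interval, last checked 1 March) is overdue on 10 April while the rarely used cabinet terminal (90-day interval) is not; the second inspection shows how a label that still reads SN-0002 but a screen reporting SN-9999 produces a substitution finding alongside the casing-damage indicator, and the device's inspection date is deliberately left unchanged until the report is resolved.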

Self-Assessment Questionnaires
- Be able to honestly answer “Yes” to each requirement in the SAQ that is appropriate to your merchant processes. For most offices, this will be SAQ B.
- Do not answer “Yes” if it is not true. You must be honest in completing this questionnaire.
- If you answer “No” for any sub-requirement, you must have a plan of action and a date for remediation.
- If you answer “N/A”, then you must provide an explanation in Appendix C.
- Contact the CAES Business Office’s Fiscal Compliance Coordinator should you have any questions or concerns about compliance.

Notes: A guide for completing SAQ B may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html

UGA Extension Office Roles & Responsibilities
- Complete the annual SAQ and maintain PCI compliance at all times.
  - Notify the CAES Business Office’s Fiscal Compliance Coordinator of any proposed change in approved processing.
- Maintain internal documented policies and procedures.
  - Submit your policies to the CAES Business Office’s Fiscal Compliance Coordinator. Any updates to internal policies should be submitted annually along with the SAQ for that year.
- Maintain and update the device list.
- Maintain a checkout log for moving cardholder information.
- Complete PCI DSS awareness training.
  - Annual training is required for all employees who process credit cards.
  - All new employees who will handle credit cards must complete this training, in addition to the UGA Extension Credit Card Processing Training, prior to processing credit cards.

PCI Incident Response
- Do NOT turn device(s) off!
- Do NOT make any changes to device(s)!
- Immediately report any suspected security incident to your District Office and the CAES Fiscal Compliance Coordinator.

Questions and Further Instructions
Upon completing this training, please attest to your completion by clicking the following link and following the instructions provided: https://ugeorgia.qualtrics.com/jfe/form/SV_9Ab2Xnsk4JyW4QZ

Contact Information:
Timothy Gray, CAES Fiscal Compliance Coordinator
tgray88@uga.edu
706-542-1861