PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise
I.Background II.What is PCI-DSS? III.Who must comply? IV.Cost of non-compliance V.Digital Dozen VI.Higher Education Challenges VII.Centralize Compliance Agenda
Cardholder Information Security Program (CISP) Site Data Protection Program (SDP) Discover Information Security Compliance (DISC) Data Security Standard (DSS) Confused Merchants Background ???
Payment Card Industry Data Security Standard (PCI-DSS) Card Associations founded an LLC in One program now Mission: Enhance payment account data security by fostering a broad adoption of PCI-DSS What is PCI-DSS?
Policy decisions made by Executive Committee Participating organizations provide feedback on evolution of PCI What is PCC-DSS?
Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. *Payment Card Industry Data Security Standard Who Must Comply?
Merchant Compliance 1Any merchant-regardless of acceptance channel-processing over 6,000,000 transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 transactions per year. 3Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year. 4Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. Who Must Comply?
In the event of the a breach the acquirer CAN make the merchant responsible for: Any fines from PCI-Co Up to $500,000 per incident Cost to notify victims Cost to replace cards (about $10/card) Cost for any fraudulent transactions Forensics from a QDSC Level 1 certification from a QDSC Cost of Non-Compliance
Example: 50,000 credit cards stolen –PCI Penalty - $100,000 per incident $500,000 if you do not have a self- assessment –Card Replacement - $500,000 –Fraudulent Transaction – $61,750,000 $1, average fraudulent transaction –Bad Publicity – Priceless! Cost of Non-Compliance
States are making PCI law and adding to the cost of compliance –Minnesota passed the state bill 1574 which makes PCI a law Anyone processing more than 20,000 transactions is subject to fines if a breach occurs –Texas is working on a similar bill –Other states are likely to follow
Build and Maritain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security Digital Dozen
Higher education networks comprise an estimated 15% of the total advertised Internet address space* Extremely open by tradition and culture Highly connected networks to commercial internet, regional, national, and international research networks Communities range from 1,000 to 200,000 people Thousands of networked devices Departments control local technology and act independently Understaffed IT department * University of Indiana Higher Education Challenge
Higher education accounted for over 26% of the breaches in % of schools have 0-1 FTE dedicated to PCI 36% of schools have an incident response plan * Survey data from Walt Conway Associates, LLC
Get executive buy-in –President –Treasurer/CFO –CIO Define a commerce committee –IT –Security –Internal Audit –Treasury Centralize Compliance
Define and publish credit card handling policy Acceptable payment channels Handling of PII (Personally Identifiable Information) Requesting merchant IDs Applicability to University employees, work study… Background and credit checks for employees handling credit cards Training and acknowledgement Use of vendors Centralize Compliance
Gap analysis –Review all existing merchants and their procedures –Identify urgent improvements –Operational remediation plan –Technical remediation plan Compliance maintenance –Rules will change –Systems will change –PCI is a journey – not a destination Centralize Compliance
Consider outsourcing Get as many credit card numbers off campus as possible Use a service provider to process credit card transactions Approved scanning vendors Approved hosting centers Centralize Compliance
David R. King President Nelnet Business Solutions Questions?