Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.

Introductions
- Cathy Riedl-Farrey – Controller, Financial Services
- Anna Pulver – Information Security Officer
- Patrick Fitzsimons – Internal Auditor

Agenda
- What is PCI Compliance?
- What is expected of you?
- Time lines

Why we are here
- PCI (c): Have employees completed awareness training, and are they aware of the importance of cardholder data security?

Modern-day data security risks
- Over the past couple of decades
  - Increase in payment card usage
  - Increase in e-commerce
  - Great convenience
- Unfortunately…
  - Security has not kept pace
  - The criminals have noticed

Therefore…
- UW-Platteville is concerned.
- UWPLT adopted a policy regarding storage, transmission, and processing of payment card data
  - Credit Card Handling Policy, currently being revised
- UWPLT must be “PCI Compliant”

We Need You
- We need your help to achieve compliance!

Does compliance apply to you?
- If you take branded credit card information… PCI applies to you
  - Major brands: VISA, MC, AmEx, Discover
  - Whether
    - the actual physical card is present, or
    - you receive the data via phone, web, or mail, or
    - you contract with a hosted provider or an in-house department
  - If you “store, transmit or process” cardholder data

What is PCI Compliance?
- Who/What is PCI?
- PCI DSS – 6 Goals, 12 Requirements
- The PCI Compliance process
- PCI Compliance questionnaires
- What are the implications of compliance?

Payment Card Industry
- “PCI” = Payment Card Industry
  - Major brands: VISA, MC, Discover, AmEx
- Established a Data Security Standard
  - PCI DSS
- Thus, “PCI Compliant”
- Current version 3.0


PCI DSS
- Payment Card Industry Data Security Standard
- 12 general principles/requirements
- Establishes a baseline of secure practices
  - Will help mitigate costs in case of a breach
  - Not a 100% guarantee to prevent a breach

PCI DSS: 6 goals, 12 requirements (Handout)

Goal I. Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal II. Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal III. Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Goal IV. Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal V. Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal VI. Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors

Why should you care?
- The number of Requirements that apply to you determines how involved the compliance process will be for you.
- The simpler your business process, the simpler your compliance process.


University compliance means…
- For the University to be “PCI Compliant”, all of its CC business units need to be compliant:
  - Merchant IDs, applications, operations, etc.
  - Infrastructure: terminals, networks, fax/copy
  - Personnel
- “If it stores, transmits or processes credit card data, it must be PCI compliant.”

PCI Compliance entails…
1. Training
2. Review of business processes
3. Annual service level agreements (SLA) and self-assessment questionnaires (SAQ)

PCI Compliance - Training
- Supervisor Training: August 8 & August 12
- Operators: on-line training module

Operator training
- On-line training module
  - Go Live 8/12/14
  - Approx. 30 minute video
- Broken into three modules
  - Will cover general “operator” material
  - Individual departments may need to develop additional training material to cover their unique processes.

Operator training modules: /pci-training

The Three Modules
1. Card Security Basics (general)
2. Card Present Transactions
3. Card Not Present Transactions

Annually renewed and tracked
- All training must be renewed annually
- All training must be tracked
- Identify operators who need to be trained
  - Operators must be trained by 10/15/2014
- Watch for turn-over, new hires
- Training checklist should be completed
- Submit worksheets to

The Compliance Process
2. Review of business processes
  - May need to review in light of PCI DSS

The Compliance Process
3. SLA & SAQ
  - Most SLAs expire 12/31
  - SAQs will be completed this Fall


PCI Compliance - Questionnaires
- Self-Assessment Questionnaires (SAQ)
- Provided by PCI
- Expanded from four variants to eight
  - A, A-EP, B, B-IP, C, C-VT, D, P2PE-HW
  - In order of increasing complexity
  - Required for PCI Compliance
- Which SAQ applies to a given merchant ID or application depends upon the business model.

SAQ Highlight


Business Processes to Consider - 1
- Never send (receive) CC#s in
- Don’t store CC#s in a database or spreadsheet
- Destroy CC# documentation ASAP (cross-cut)
  - Redesign forms so you can cut off CC#s
- Receipts that show more than the last four digits are out of compliance
- Make workstations “dedicated”
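
The two controls above that a supervisor can check mechanically are “receipts must show only the last four digits” and “no CC#s in spreadsheets or databases”. The following is an added example (not UW-Platteville's code) that scans receipt text or exported spreadsheet cells for a full card number, using the Luhn check so that ordinary 16-digit order numbers are not flagged, and shows the truncated form a receipt should carry. The receipts and the 4111 1111 1111 1111 test number are constructed inputs.

```python
import re

# Constructed sample receipts (assumed text, not the university's own forms): only
# the first one is compliant; the others expose more than the last four PAN digits.
SAMPLE_RECEIPTS = [
    "UWP Bookstore  Sale $42.10  Card: ************1111  Auth 0451",
    "UWP Bookstore  Sale $42.10  Card: 4111 1111 1111 1111  Auth 0452",
    "Ticket office  Sale $15.00  Card: 4111-1111-1111-1111",
]
FALSE_POSITIVE = "Order 1234567890123456 shipped"  # 16 digits, but fails Luhn

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_exposed_pans(text: str) -> list[str]:
    """Full PANs in text: digit runs that also pass Luhn (masked ones never match)."""
    return [_digits(m.group(0)) for m in PAN_PATTERN.finditer(text)
            if luhn_valid(_digits(m.group(0)))]

def truncate_pan(pan: str) -> str:
    """Mask a PAN so only the last four digits remain, as a receipt should show."""
    d = _digits(pan)
    return "*" * (len(d) - 4) + d[-4:]

def redact_receipt(text: str) -> str:
    """Replace every exposed PAN in a receipt or spreadsheet cell with its truncated form."""
    return PAN_PATTERN.sub(
        lambda m: truncate_pan(m.group(0)) if luhn_valid(_digits(m.group(0))) else m.group(0),
        text)

def receipt_is_compliant(text: str) -> bool:
    return not find_exposed_pans(text)

if __name__ == "__main__":
    for r in SAMPLE_RECEIPTS + [FALSE_POSITIVE]:
        print("OK  " if receipt_is_compliant(r) else "FAIL", redact_receipt(r))
```

Running the same scan over an exported spreadsheet (one cell per call) is a quick way to find the stored CC#s the slide says must not exist.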

Business Processes to Consider - 2
- If you copy, scan, or image CC#s…
- Remove fax machines from public locations
- Old carbon-copy devices are out of compliance
- Do you have integrated workstations?
  - Units that have built-in card readers
- Other ideas?

Miscellaneous Point #1
- Beware the “maverick”
  - Well-intending faculty or staff
  - Sets up a business unit without authorization
  - Beware solicitations
  - There are no PCI approved mobile devices (e.g. Square)

Miscellaneous Point #2
- You don’t HAVE to become PCI Compliant.
- However, if you choose not to comply…
  - You will no longer be able to accept credit cards.

Changes in personnel?
- Are you leaving?
- New Supervisor?
- Notify with an updated SLA within 5 business days of the change.
  - Need to track training to remain compliant

Time Line - Summary
- Supervisor Training: 8/8 or 8/12/14
- Employees complete on-line training modules: Sept 2014
- All training complete; submit training spreadsheet to Controller: October 15,

Thank you! Questions?