Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security
Introductions Cathy Riedl-Farrey Cathy Riedl-Farrey – Controller, Financial Services Anna Pulver Anna Pulver – Information Security Officer Patrick Fitzsimons Patrick Fitzsimons – Internal Auditor 2
Agenda What is PCI Compliance? What is PCI Compliance? What is expected of you? What is expected of you? Time lines Time lines 3
Why we are here PCI (c) Have employees completed awareness training and are they aware of the importance of cardholder data security? 4
Modern-day data security risks Over the past couple decades Over the past couple decades – Increase in payment card usage – Increase in e-commerce – Great convenience Unfortunately… Unfortunately… – Security has not kept pace – The criminals have noticed 5
Therefore… UW-Platteville is concerned. UW-Platteville is concerned. UWPLT adopted a policy regarding storage, transmission, processing of payment card data UWPLT adopted a policy regarding storage, transmission, processing of payment card data – Credit Card Handling Policy, currently being revised – UWPLT must be “PCI Compliant” UWPLT must be “PCI Compliant” 6
We Need You We need your help to achieve compliance! We need your help to achieve compliance! 7
Does compliance apply to you? If you take branded credit card information… PCI applies to you If you take branded credit card information… PCI applies to you – Major brands: VISA, MC, AmEx, Discover – Whether The actual physical card is present, or The actual physical card is present, or You receive the data via phone, web, or mail You receive the data via phone, web, or mail You contract with a hosted provider or in-house dept You contract with a hosted provider or in-house dept – If you “store, transmit or process” cardholder data 8
What is PCI Compliance? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 9
Payment Card Industry Payment Card Industry “PCI” = Payment Card Industry “PCI” = Payment Card Industry – Major brands: VISA, MC, Discover, AmEx Established a Data Security Standard Established a Data Security Standard – PCI DSS Thus, “PCI Compliant” Thus, “PCI Compliant” Current version 3.0 Current version 3.0 Logo from 10
What is PCI Compliance? Who/What is PCI? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 11
PCI DSS Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard 12 general principles/requirements 12 general principles/requirements Establishes a baseline of secure practices Establishes a baseline of secure practices – Will help mitigate costs, in case of a breach. – Not a 100% guarantee to prevent a breach 12
PCI DSS: 6 goals, 12 requirements GoalsPCI DSS Requirements I.Build and Maintain a Secure Network 1.Install and maintain a firewall configuration to protect cardholder data 2.Do not use vendor-supplied defaults for system passwords and other security parameters II. Protect Cardholder Data 3.Protect stored cardholder data 4.Encrypt transmission of cardholder data across open, public networks III. Maintain a Vulnerability Management Program 5.Use and regularly update anti-virus software or programs 6.Develop and maintain secure systems and applications IV. Implement Strong Access Control Measures 7.Restrict access to cardholder data by business need-to-know 8.Assign a unique ID to each person with computer access 9.Restrict physical access to cardholder data V. Regularly Monitor and Test Networks 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an Information VI. Security Policy 12.Maintain a policy that addresses information security for employees and contractors Handout 13
Why should you care? The number of Requirements that apply to you will determine how involved the compliance process will be for you. The number of Requirements that apply to you will determine how involved the compliance process will be for you. The simpler your business process, the simpler your compliance process. 14
What is PCI Compliance? Who/What is PCI? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 15
University compliance means… University compliance means… For the University to be “PCI Compliant”, For the University to be “PCI Compliant”, – all of its CC business units need to be compliant. Merchant IDs, applications, operations, etc Merchant IDs, applications, operations, etc Infrastructure: terminals, networks, fax/copy Infrastructure: terminals, networks, fax/copy Personnel Personnel “If it stores, transmits or processes credit card data, it must be PCI compliant.” “If it stores, transmits or processes credit card data, it must be PCI compliant.” 16
PCI Compliance entails… 1.Training 2.Review of business processes 3.Annual service level agreements (SLA) and self-assessment questionnaires (SAQ) 17
PCI Compliance - Training Supervisor Training: August 8 & August 12 Supervisor Training: August 8 & August 12 Operators: on-line training module Operators: on-line training module 18
Operator training On-line training module On-line training module – Go Live 8/12/14 – Approx 30 minute video Broken into three modules Broken into three modules – Will cover general “operator” material – Individual Departments may need to develop additional training material to cover their unique processes. 19
Operator training modules /pci-training 20
The Three Modules 1.Card Security Basics (general) 2.Card Present Transactions 3.Card Not Present Transactions 21
Annually renewed and tracked All training must be renewed annually All training must be renewed annually All training must be tracked All training must be tracked Identify operators who need to be trained Identify operators who need to be trained – Operators must be trained by 10/15/2014 Watch for turn-over, new hires Watch for turn-over, new hires Training checklist should be completed Training checklist should be completed Submit worksheets to Submit worksheets to 22
The Compliance Process 2. Review of business processes – May need to review in light of PCI DSS
The Compliance Process 3. SLA & SAQ – Most SLA’s expire 12/31 – SAQ’s will be completed this Fall 24
What is PCI Compliance? Who/What is PCI? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 25
PCI Compliance - Questionnaires Provided by PCI Provided by PCI Has been expanded from four variants to eight Has been expanded from four variants to eight – A, A-EP, B, B-IP, C, C-VT, D, P2PE-HW – In order of increasing complexity – Required for PCI Compliance Self-Assessment Questionnaires (SAQ) Self-Assessment Questionnaires (SAQ) Which SAQ applies to a given merchant ID or application depends upon the business model. Which SAQ applies to a given merchant ID or application depends upon the business model. 26
SAQ Highlight 27
What is PCI Compliance? Who/What is PCI? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process The PCI Compliance process PCI Compliance questionnaires PCI Compliance questionnaires What are the implications of compliance? 28
Business Processes to Consider - 1 Never send (receive) CC#s in Never send (receive) CC#s in Don’t store CC#s in database or spreadsheet Don’t store CC#s in database or spreadsheet Destroy CC# documentation ASAP (cross-cut) Destroy CC# documentation ASAP (cross-cut) – Redesign forms, so you can cut off CC#s Receipts that show more than last four digits are out of compliance Receipts that show more than last four digits are out of compliance Make workstations “dedicated” Make workstations “dedicated” 29
Business Processes to Consider - 2 If you copy, scan, or image CC#s… If you copy, scan, or image CC#s… Remove fax machines from public locations Remove fax machines from public locations Old carbon-copy devices are out of compliance Old carbon-copy devices are out of compliance Do you have integrated workstations? Do you have integrated workstations? – Units that have built-in card-readers Other ideas? Other ideas? 30
Miscellaneous Point #1 Beware the “maverick” Beware the “maverick” – Well-intending faculty or staff – Sets up a business unit without authorization – Beware solicitations – There are no PCI approved mobile devices (i.e. Square) 31
Miscellaneous Points #2 You don’t HAVE to become PCI Compliant. You don’t HAVE to become PCI Compliant. However, if you choose not to comply… However, if you choose not to comply… – You will no longer be able to accept credit cards. 32
Changes in personnel? Are you leaving? Are you leaving? New Supervisor? New Supervisor? Notify with an updated SLA within 5 business days of change. Notify with an updated SLA within 5 business days of – Need to track training to remain compliant 33
Time Line - Summary Supervisor Training 8/8 or 8/12/14 Employees complete on-line training modules Sept 2014 All training complete. Submit training spreadsheet to Controller October 15,
Thank you! Questions? 35