Payment Card Industry Data Security Standards Annual Refresher Training

This refresher course will cover:
- Review of the PCI Data Security Standards
  - PCI DSS in a nutshell
  - The Payment Card Protection Team
  - Compliance basics
  - Data breach review
- 2013 change to how the University's compliance is measured
- 2013 new technology: the online SAQ portal
- Update of PCI DSS compliance roles at the University
- Contact information

The Purpose for PCI DSS

"The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally." (PCI DSS Requirements and Security Assessment Procedures, October 2010, p. 5)

Speaker notes:
- PCI DSS is built on common-sense steps that mirror established security best practices.
- The intent of PCI DSS was "to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data" (http://en.wikipedia.org/wiki/PCI_DSS).
- December 15, 2004: release of the first PCI DSS (version 1.0). Updates followed in 2006 (v1.1), 2008 (v1.2), 2010 (v2.0), and 2013 (v3.0).

The twelve Requirements are grouped into six Goals (PCI DSS Quick Reference Guide, slide 8):
1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Payment Card Protection "Team"

1. Employees, contractors, or students involved in accepting credit or debit cards (or who touch the cardholder data environment)
   - Merchant Managers and staff (including student workers)
   - Support units: ARS, IT, Purchasing, OGC, third-party vendors
2. Credit card brands: Visa, MasterCard, American Express, Discover
3. Acquiring bank (Wells Fargo)

Speaker notes:
- Ask: Who makes up the PCI DSS team? Answer: everyone on the slide.
- Ask/say: Why are account managers on the team? They are the front line (they accept cards; hire, train, and oversee staff; implement or create policy and practices), and they are closest to the IT professionals associated with the account.
- What is the role of the card brands? Oversight of compliance efforts; protecting their brand and bottom line.
- Why is the bank there? It must also comply with PCI DSS as a vendor/third-party service provider to each merchant manager's account, since it stores, processes, or transmits cardholder data.
- Who else can protect cardholder data? Answer: the cardholder, by using credit cards only with reputable and trustworthy merchants.

Complying with PCI Standards at the University

- Standards are established and updated by the PCI Council and the card brands.
- Standards are enforced primarily through the University's contract with Wells Fargo, which is managed by Accounts Receivable Services (ARS).
- ARS oversees PCI compliance through:
  - Policy and procedures
  - Merchant Manager training and support
  - Coordination with related units such as University Information Security
  - Facilitation of the annual merchant account compliance review process

Diagram (left to right): PCI Council -> Visa, MasterCard, AmEx, Discover -> Wells Fargo -> UMN Accounts Receivable Services -> Merchant Manager -> Employees and student workers; with OIT, UIS, and departmental IT supporting the merchant side.

Speaker notes: Starting at the far left, this slide shows where the PCI Standards begin (the PCI Council and card brands) and how the responsibility for compliance flows from their origin all the way to our student cashiers.

What is a data breach?

Broadly speaking, a breach is an unauthorized acquisition of protected data that compromises the security, confidentiality, or integrity of the protected information.

Speaker notes: One major concern that the PCI Data Security Standards address is how an organization can best protect data from a data breach. A breach can harm the customers whose data is stolen, but it can also harm the institution where the breach occurred. About 47 states now have laws that require an institution to notify customers whose data is breached. This is a costly process, both in money and in reputation; more on that later.

What is considered a breach? The definition on this slide appears in some version in each of the state data breach notification laws. The University's attorneys and University Information Security will consider each word to determine whether an incident rises to the level of a data breach. If you believe a breach may have occurred in your area, contact abuse@umn.edu.

Leading Causes of a Data Breach

- Malicious attack: a targeted attack with the intent to commit data theft or otherwise inflict harm
- Negligent employee or contractor: failure to follow established standards; lack of training
- System glitch: IT or business process failures

Speaker notes: Many requirements of PCI DSS help the University protect itself from data breaches caused by malicious attacks (physical or electronic). At first glance PCI DSS "feels" very technical. However, PCI DSS requirements also address the second leading cause of data breaches: employees (or contractors) who fail to follow established standards, or who innocently do the wrong thing simply because they have not been trained in proper standards or unit data procedures.

Cost of a Breach

- $5.5 million: the average total organizational cost of a data breach*
  - 39% of incidents involved a negligent employee or contractor
  - 37% concerned a malicious or criminal attack
  - 24% involved system glitches, including IT and business process failures
- $222: the average cost per compromised record for detection, escalation, notification, and remediation (does not include costs associated with damaged reputation)*
- 1,506,900 records: the number of private records exposed in data breaches at 59 US higher education institutions in 2012**
- Estimated cost per higher-education breach: (1.5M records x $222 = $333,000,000) / 59 = $5,644,068

Speaker notes:
- Say: Now let's take a look at some recent numbers. Note also: (1) Monterey Institute of International Studies (Middlebury College), CA: laptop stolen in a home burglary with an unknown number of student SSNs and names. (2) The 53-college hack: unknown number of records.
- Do: read the slide.
- Ask: Why might higher ed be an attractive target for data thieves? Higher ed is a target because (a) accounts may not be protected as thoroughly as at large corporate entities, and (b) lots of personal data is collected. Ask for examples, e.g., student, parent, customer, faculty, employee, visitor data.
- The $5.5M and $222 figures do not include (1) the opportunity cost associated with loss of current or potential customers, (2) the cost to the card company, (3) the cost to the bank, and (4) the cost to each consumer whose data has been breached (whether or not their identity has been stolen).
- Banks and card brands may also incur millions of dollars in costs when a merchant experiences a data breach, even though the card brand and bank had nothing to do with the breach. Example: cancelling and re-issuing cards and accounts.
- Ask: If you were CEO of one of these banks or card brands, what might be your reaction? (Note: they held full liability for bad security they did not control.)
- A few years ago several credit card issuing organizations decided to establish data protection and security requirements for any merchant wishing to accept their card brand. Originally each card brand had its own set of standards. Differences in requirements, as well as the sheer magnitude of those requirements, made it virtually impossible for merchants to comply. The answer: create one overarching set of data security standards that the major card brands could agree upon. (The alternative was legislation; only Minnesota passed one, the MN Plastic Card Security Act.) The result: the Payment Card Industry Data Security Standard (PCI DSS).

*2011 Cost of Data Breach Study, Ponemon Institute
**http://www.privacyrights.org/data-breach

The University at Risk

Team GhostShell (TGS) targeted its self-identified list of the 100 top universities in the world. Institutions named in the October 2012 dump included Princeton, Stanford, Harvard, Johns Hopkins, Cornell, Duke, Purdue, Boston University, Texas A&M, University of Texas, University of Colorado, Penn State, University of Pittsburgh, University of Florida, Ohio State, University of Maryland, University of Wisconsin, and University of Michigan.

Source: http://bits.blogs.nytimes.com/2012/10/03/hackers-breach-53-universities-dump-thousands-of-personal-records-online/?smid=tw-share

The University as Data "Gold Mine"

But it isn't always about the money. Hacktivism, in their own words:

"As a wise man once said: 'Those who cannot remember the past are condemned to repeat it.'

Updates*

We wanted to bring to your attention different examples from Europe, how the laws change so often that even the teachers have a hard time adjusting to them, let alone the students, to the US, where tuition fees have spiked up so much that by the time you finish any sort of degree, you will be in more debt than you can handle and with no certainty that you will get a job, to Asia, where strict and limited teachings still persist and never seem to catch up with the times and most of the time fail to prep you up for a world where foreign affairs are crucial in this day and age.

Even so, we figured how hypocritical we'd have to be to enforce our own beliefs in this release; that's why this turned out into an open debate where you are all welcome to participate. You don't have to talk about it with us; what's important is that you bring up the subject 'today's education' in day-to-day conversations with your family, friends, people close to you, and try to understand the system better, together. How it works, how a certain type of diploma can or cannot help you in your road to the career you want to pursue. As for us, we have taken the time to gather opinions and points of view from different anonymous members all around the globe.

On behalf of Team GhostShell, I would like to respectfully thank all those that have contributed to this release. It has been a unique experience."

Change in 2013

Wells Fargo and Visa raised the University's compliance demonstration requirements. This change was based on the annual number of Visa transactions. This means:
- Compliance is now measured by a security assessor.
- For 2013 we will use a Qualified Security Assessor (QSA) from CampusGuard, a firm specializing in higher education security.
- Individual merchants must continue to complete the annual Self-Assessment Questionnaires (SAQ), and...
- The University will only be considered PCI compliant if all accounts are deemed compliant by the assessor.

New Technology

- Rolled out an online portal for SAQ completion and document collection.
- The portal provides merchant managers with 24/7 access to complete their SAQs.
- Managers can ask the assessor questions directly through the portal.
- A secure "document locker" provides each merchant with a dedicated area to store PCI-related documents.

Updated Contacts for 2013

Accounts Receivable Services: pmtcard@umn.edu (general inquiries)

Darla Schroeder, Cash Application Manager, 612-626-7215, schro077@umn.edu
- Terminal issues
- Account set-up, close, modify
- Reconciliation, chartstring, or other accounting issues

University Information Security: abuse@umn.edu

Your IT professionals: _______

Laura Gilbert, PCI-DSS Compliance Analyst, 612-624-7892, gilbert7@umn.edu
- Manager training
- CampusGuard portal
- Annual assessment: SAQ and UMN form completion
- ROC assessment
- Remediation plan oversight
- Policy questions
- Vendor relationship support (e.g., pen testing, third-party outsourcing)

Speaker notes: If you have any questions, here are some first contacts and resources that can help. Thanks for coming today! Please complete an evaluation and let us know what was good, what was missing, and what we might present in a different way.

Resources

Be familiar with University policy and procedures:
- Accepting Revenue Via Payment Cards
- Obtaining Approval to Accept Credit Cards
- Managing Payment Card Acceptance
- Your IT professionals

Applicable University forms:
- UM 1624 Payment Card Manager Form
- UM 1623 Employee Non-Disclosure Form
- UM 1705 Desktop Usage Agreement (only required for SAQ-A e-commerce solutions)

Controller's Office website: general and SAQ-specific training materials and guidance documents

PCI Security Standards website: SAQ forms, guidance documents, PCI Glossary

Look for emails throughout the year from the Controller's Office and partner departments about program changes, new issues, annual deadlines, and training. Allow time in your schedule to fully manage your account.