PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

Slides:

Advertisements

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Advertisements

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

The Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

Complying With Payment Card Industry Data Security Standards (PCI DSS)

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

Property of CampusGuard Compliance With The PCI DSS.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Jeff Williams Information Security Officer CSU, Sacramento

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Visa Cemea Account Information Security (AIS) Programme

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Copyright Security-Assessment.com 2005 Payment Card Industry Digital Security Standards Presented By Carl Grayson.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Why Comply with PCI Security Standards?

Introduction to PCI DSS

Northern KY University Merchant Training

Payment Card Industry (PCI) Data Security Standard

Property of the University of Notre Dame Copyright David Seidl, Bob Winding, Mike Chapple, Bob Richman, This work is the intellectual property of.

Disclaimer Copyright Michael Chapple and Jane Drews, This work is the intellectual property of the authors. Permission is granted for this material.

Web Advisory Committee June 17,  Implementing E-commerce at UW  Current Status and Future Plans  PCI Data Security Standard  Questions.

Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger

MasterCard Site Data Protection Program Program Alignment.

PCI DSS Managed Service Solution October 18, 2011.

Protecting Your Credit Card Security Environment (PCI) September 26, 2012 Jacob Arthur, CPA, QSA, CEH Timothy Agee, CISA, CGEIT, QSA FDH Consulting Frasier,

Straight Talk on Campus Commerce 2007 © 2007 TouchNet Information Systems, Inc. All rights reserved. TouchNet Confidential Information. Best Practices.

EDUCAUSE Security Conference Denver, Colorado April 10 to 12, 2006 Bob Beer Biggs Engineering 117 (419)

The influence of PCI upon retail payment design and architectures Ian White QSA Head of UK&I and ME PCI Team September 4, 2013 Weekend Conference 7 & 8.

An Introduction to PCI Compliance. Data Breach Trends About PCI-SSC 12 Requirements of PCI-DSS Establishing Your Validation Level PCI Basics Benefits.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

The Payment Card Industry (PCI) Data Security Standard: What it is and why you might find it useful Fred Hopper, CISSP TASK - 27 March 2007.

PCI requirements in business language What can happen with the cardholder data?

Brian Cloud August 06, Overall Digital Security  What is Digital Security  Murphy’s Law Since 2005, over 263M records breeched (privacyreports.com)

DATE: 3/28/2014 GETTING STARTED WITH THE INTEGRITY EASY PCI PROGRAM Presenter : Integrity Payment Systems Title: Easy PCI Program.

PCI: As complicated as it sounds? Gerry Lawrence CTO

Credit Card Processing Gail “Montreal” Shoffey Keeler August 14, 2007.

Introduction to Payment Card Industry Data Security Standard

Introduction To Plastic Card Industry (PCI) Data Security Standards (DSS) April 28,2012 Cathy Pettis, SVP ICUL Service Corporation.

Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.

Information Security 2013 Roadshow - PCI. Roadshow Outline  What IS PCI  Why we Care about PCI  What PCI Means to You and Me.

Payment Card PCI DSS Compliance SAQ-B Training Accounts Receivable Services, Controller’s Office 7/1/2012.

ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.

1 Payment Card Industry (PCI) Security Standard Developed by the PCI Security Council formed by major card issuers: Visa, MasterCard, American Express,

BUSINESS CLARITY ™ PCI – The Pathway to Compliance.

Standards in Use. EMV June 16Caribbean Electronic Payments LLC2.

By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit.

Introduction to PCI DSS

Payment Card Industry (PCI) Rules and Standards

Performing Risk Analysis and Testing: Outsource or In-house

PCI-DSS Security Awareness

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance

Payment card industry data security standards

Internet Payment.

Session 11 Other Assurance Services

Payment Card Industry Data Security Compliance

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance

Presented by: Jeff Soukup

Presentation transcript:

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise

I.Background II.What is PCI-DSS? III.Who must comply? IV.Cost of non-compliance V.Digital Dozen VI.Higher Education Challenges VII.Centralize Compliance Agenda

Cardholder Information Security Program (CISP) Site Data Protection Program (SDP) Discover Information Security Compliance (DISC) Data Security Standard (DSS) Confused Merchants Background ???

Payment Card Industry Data Security Standard (PCI-DSS) Card Associations founded an LLC One program now Mission: Enhance payment account data security by fostering a broad adoption of PCI-DSS What is PCC-DSS?

Policy decisions made by Executive Committee Participating organizations provide feedback on evolution of PCI What is PCC-DSS?

“Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.” *Payment Card Industry Data Security Standard Who Must Comply?

Merchant Compliance 1Any merchant-regardless of acceptance channel-processing over 6,000,000 transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 transactions per year. 3Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year. 4Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. Who Must Comply?

In the event of the a breach the acquirer CAN make the merchant responsible for: Any fines from PCI-Co Up to $500,000 per incident Cost to notify victims Cost to replace cards (about $10/card) Cost for any fraudulent transactions Forensics from a QDSC Level 1 certification from a QDSC Cost of Non-Compliance

Example: 50,000 credit cards stolen –PCI Penalty - $100,000 per incident $500,000 if you do not have a self- assessment –Card Replacement - $500,000 –Fraudulent Transaction – $61,750,000 $1, average fraudulent transaction –Bad Publicity – Priceless! Cost of Non-Compliance

Build and Maritain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security Digital Dozen

Higher education networks comprise an estimated 15% of the total advertised Internet address space* Extremely “open” by tradition and culture Highly connected networks to commercial internet, regional, national, and international research networks Communities range from 1,000 to 200,000 people Thousands of networked devices Departments control local technology and act independently Understaffed IT department * University of Indiana Higher Education Challenge

Get executive buy-in Define a commerce committee –IT –Security –Internal Audit –Treasury –CFO Centralize Compliance

Define and publish credit card handling policy Acceptable payment channels Handling of PII (Personally Identifiable Information) Requesting merchant IDs Applicability to University employees, work study… Background and credit checks for employees handling credit cards Training and acknowledgement Use of vendors Centralize Compliance

Gap analysis –Review all existing merchants and their procedures –Identify “urgent improvements” –Operational remediation plan –Technical remediation plan Compliance maintenance –Rules will change –Systems will change Centralize Compliance

Consider outsourcing Get as many credit card numbers off campus as possible Use a service provider to process credit card transactions Approved scanning vendors Approved hosting centers Centralize Compliance

David R. King President Nelnet Business Solutions Questions?