Identity Protection (Red Flag/PCI Compliance/SSN Remediation)
SACUBO Fall Workshop
Savannah, GA
November 3, 2009
Medical University of South Carolina
Melissa Smith, MBA, Director of Accounting Operations, smimel@musc.edu, 843-792-9138
Dave Moses, MBA, CISA, PMP, CPHIMS, Manager, IT Audit, mosesdav@musc.edu, 843-792-1309
OVERVIEW
– Red Flags Rule
– PCI (Payment Card Industry) Compliance
– Risks of Non-compliance
– Compliance approach
– Important Websites
STANDARD DEFINITIONS
– The Red Flags Rules – issued by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) – require financial institutions and creditors to develop and implement written identity theft prevention programs.
– Programs must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
STANDARD DEFINITIONS
Red Flags Rules – Update from the FTC website, released 10/30/09:
“At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.”
STANDARD DEFINITIONS
– PCI – Payment Card Industry
– DSS – Data Security Standard
– PCI SSC – PCI Security Standards Council
– The PCI SSC sets the standards for cardholder data protection.
– The founding members of the PCI SSC are responsible for enforcement of the standards (in practice, enforcement reaches a merchant through its acquiring bank and merchant agreement): MasterCard Worldwide, Visa Inc., American Express, JCB International, and Discover Financial Services.
STANDARD DEFINITIONS
Who must comply with PCI DSS?
– Any merchant that accepts or processes payment cards (the standard applies to any entity that stores, processes, or transmits cardholder data, including service providers acting on a merchant's behalf)
– Everyone!
RISKS
…to the Enterprise
– Lost productivity
– Reputation
– Fines
– Notification expenses
– Loss of ability to accept payment cards for services rendered (i.e. credit/debit cards, etc.)
COMPLIANCE APPROACH
Compliance with both the Red Flags Rule and PCI DSS requires the following:
– Review and understanding of the requirements
– Enterprise policies and procedures
COMPLIANCE APPROACH
Red Flags Rules
– The FTC has created a How-To Guide for navigating the Red Flags Rule and setting up a compliance program. Below is a recap of the information in the How-To Guide:
1. Create policies and procedures that help identify the “red flags” in your normal business operations.
2. Design a program that helps detect the “red flags” you have identified.
3. Create procedures for the actions that will be taken when “red flags” are detected.
4. Set up a re-evaluation system for your “red flags” program.
COMPLIANCE APPROACH
PCI Compliance
– Review the PCI DSS Requirements – from the PCI Quick Reference Guide
– Create an inventory of the payment card processing that is being completed on your campus.
COMPLIANCE APPROACH
– Develop preliminary budget and resource estimates for compliance
– Develop a detailed plan for initial compliance
– Develop a plan for maintaining compliance and on-going training for users
COMPLIANCE APPROACH
– Develop policies and procedures for payment card acceptance
– Train all users on the importance of data security
– Remember that PCI Compliance is a continuous process – Assess, Remediate, Report
WEBSITES
Federal Trade Commission – Fair Credit Reporting – Major Links (you can find the How-To Guide for the Red Flags Rule on this website): http://www.ftc.gov/os/statutes/fcrajump.shtm
PCI Security Standards Council website: https://www.pcisecuritystandards.org/
PCI Security Standards Council Quick Reference Guide: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
WEBSITES
Treasury Institute for Higher Education (there is a PCI DSS blog on this site and other helpful information): http://www.treasuryinstitute.org/
Listing of breaches for 2009: http://www.identitytheft.info/breaches09.aspx
QUESTIONS
Thank you for attending our session!