What you need to know about PCI-DSS
Jane Drews, Chief Information Security Officer, Information Security & Policy Office
jane-drews@uiowa.edu, 5-5537
Topics
1. PCI-DSS Basics for University of Iowa merchants
2. Point to Point Encryption (P2PE)
3. EMV Credit Cards
4. Isolated “PCI Environment” for University CC operations
PCI-DSS: Basics
1. UI policy requires merchants to comply with PCI-DSS, no exceptions
2. Reducing PCI-DSS “scope” is our strategy to reduce UI compliance requirements and minimize the institution’s risk of a card data breach
3. Scope is about communication between devices
   - Any IT device or system involved in processing card payments, or that shares the infrastructure that supports payments, is “in scope” and must comply
   - Encryption has been touted by some vendors as a way to avoid the rigor of compliance; however, that has not been demonstrated, and it is not UI policy
4. It is not the card brands but the acquiring bank that decides how we must validate our compliance
Point to Point Encryption (P2PE):
- P2PE Standard = technology and processes to protect account data from the point of interaction (card reader) to the point of initial decryption (transaction processor)
- The card reader establishes an encrypted “tunnel” through which the PAN is sent to the processor. The authorization code is returned and sent to the point of sale cash register or the server
- The PAN is never seen by the cash register or the server
- The merchant is never allowed to perform encryption key management under the P2PE standard
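The flow on this slide, modelled as an added example (not from the presentation or from any P2PE vendor): a toy in Python where only the reader and the processor hold the key, and the register only ever forwards an opaque blob. The HMAC keystream, DEMO_KEY, and the authorization code are constructed stand-ins for the AES/DUKPT and issuer responses used by real validated solutions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key: in a real P2PE solution the key is injected into the
# validated reader and held by the processor; the merchant never manages it.
DEMO_KEY = b"\x11" * 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter keystream standing in for the reader's AES/DUKPT."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

class CardReader:
    """Point of interaction: the only merchant-side component that sees the clear PAN."""
    def __init__(self, device_key: bytes):
        self._key = device_key

    def swipe(self, pan: str) -> dict:
        nonce = secrets.token_bytes(16)
        # Truncated PAN (last four) is allowed on receipts and stays outside the tunnel.
        return {"nonce": nonce.hex(), "ct": _xor(pan.encode(), self._key, nonce).hex(),
                "last4": pan[-4:]}

class Processor:
    """Point of initial decryption: the only party holding the key."""
    def __init__(self, device_key: bytes):
        self._key = device_key

    def code_for(self, pan: str, amount_cents: int) -> str:
        # Constructed stand-in for an issuer authorization code.
        return hmac.new(self._key, f"{pan}:{amount_cents}".encode(), hashlib.sha256).hexdigest()[:6]

    def authorize(self, msg: dict, amount_cents: int) -> str:
        pan = _xor(bytes.fromhex(msg["ct"]), self._key, bytes.fromhex(msg["nonce"])).decode()
        return self.code_for(pan, amount_cents)

def checkout(reader: CardReader, processor: Processor, pan: str, amount_cents: int) -> dict:
    """The register's view: it forwards an opaque blob and records what it handled."""
    blob = reader.swipe(pan)                      # card goes into the reader, not the register
    auth = processor.authorize(blob, amount_cents)
    return {"handled_by_register": json.dumps(blob), "auth_code": auth}
```

Everything the register handled is in `handled_by_register`; scope reduction rests on the clear PAN never appearing there, which is the property worth checking on a real device's output.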
Point to Point Encryption (P2PE):
- The standard for point-to-point encryption solutions does not supersede the PCI Data Security Standard, PCI PIN Security Requirements, or any other PCI Standards
- The P2PE standards are not a recommendation, and do not obligate merchants, service providers, or financial institutions to purchase or deploy such solutions
- P2PE capable devices will be the target for attacks, as the PAN could be intercepted by malware before encryption occurs
- Implementing P2PE doesn’t eliminate the need to comply with PCI-DSS
EMV Credit Cards
- Referred to as “chip and pin” or “chip and signature” cards
- Smart cards that store data on a chip rather than on a magnetic stripe, although most cards currently carry both for backward compatibility during the transition
- Can be contact cards (reader) or contactless cards (RFID)
- Banks can transfer liability/costs for face-to-face (card present) fraud to merchants that don’t support EMV cards (Oct 2015)
- Supporting EMV cards does not eliminate the need to comply with PCI-DSS
UI’s Isolated PCI Environment:
1. All peripherals migrate to the PCI network (registers, readers, etc.): any device involved in transaction processing that connects to the UI network
2. All servers migrate to the ITF data center:
   A. Level III (high sensitivity) data storage/handling servers, critical operations servers, and servers with peripherals move to the High Security Zone
      - Secure configuration required, very restricted communications, full logging, monitored system and data access, etc.
   B. Non-critical web servers that don’t pass CC information move to the Medium Zone, Co-Managed Zone, or Co-Location Zone
      - Secure configuration required, no communication with peripherals, full logging, etc.
3. Goal is to simplify compliance responsibilities