Payment Card Industry (PCI) Compliance

Jay Baucom, Chief Information Officer
Arthur Hohnsbehn, Director of Information Technology
Jason Godfrey, Security Manager
North Carolina Community College System



Page 2: Payment Card Industry (PCI) Compliance

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

Page 3: Payment Card Industry (PCI) Compliance

The PCI Security Standards Council's mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

Page 4: PCI Documentation

Payment Card Industry (PCI) Data Security Standard (DSS) Navigating PCI DSS – Understanding the Intent of the Requirements (version 1.1, February 2008)

Payment Card Industry (PCI) Data Security Standard (DSS) Self–Assessment Questionnaire – Instructions and Guidelines (version 1.1, February 2008)

Payment Card Industry (PCI) Data Security Standard (DSS) Self–Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers (version 1.1, February 2008)

Payment Card Industry (PCI) Data Security Standard (DSS) Glossary, Abbreviations and Acronyms

Page 5: Common Terms

Account Number or PAN (Primary Account Number): payment card number that identifies the issuer and card holder.

Acquirer: Bankcard association member that initiates and maintains relationships with the merchants that accept payment cards.

Cardholder data: Full magnetic strip or the PAN plus any of the following:

Cardholder name
Expiration date
Service Code

Page 6: Common Terms - Continued

DSS: Data Security Standard

Penetration Test: Security-oriented probing of computer system or network to seek out vulnerabilities that an attacker could exploit.

Threat: Condition that may cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.

Page 7: Common Terms - Continued

Vulnerability: Weakness in system security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.

Vulnerability Scan: Scans used to identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network.

Payment Provider: PayPal (Verisign) or Official Payments (OPC).

Page 8: Trustwave Services

The Office of State Controller (OSC) has a master service agreement with Trustwave to perform vulnerability scans, provide the online SAQ, and answer general questions.

30 of the 58 colleges participate in the OSC’s master agreement. Colleges work directly with the OSC for portal access, service delivery, and remediation. The acquirer (bank) is SunTrust.

The remaining 28 colleges are offered services through a supplemental agreement under the OSC master agreement. Colleges work directly with the NCCCS for portal access, service delivery, and remediation. The acquirer (bank) is selected by the college.

Page 9: Basic Steps to Compliance

Compliance (Process\Procedures)

Validation (SAQ\Vulnerability Scans)

Attestation

Page 10: Datatel Colleague e-Commerce

Datatel defines any payment card transaction processed via Colleague to a payment provider (PayPal\OPC) as an e-Commerce transaction. Payment card information is processed and transmitted, but never stored.

Datatel defines any payment card information entered into Colleague (CREN) as a Non e-Commerce transaction. This information is encrypted.

Page 11: Datatel Colleague e-Commerce

Datatel e-Commerce requires:

Licensing e-Commerce

Installing e-Commerce (InstallShield)

Enabling e-Commerce:
CORE - ECS (e-Commerce Setup)
ECPR - e-Commerce Providers
ECPA - e-Commerce Provider Account
EPAM - e-Comm Provider Acct Mapping
ST - FIWP (Financial Web Parameters)

Page 12: e-Commerce Documentation

e-Commerce 3.7 Release Highlights (Release 18.0) (September 18, 2006)

e-Commerce Installation and Administration (August 5, 2008)

Page 13: Validation Type

Determining My PCI Validation Type - SAQ

Page 14: Validation Types

Type 1 (SAQ A) – All cardholder data is outsourced.

Type 2 (SAQ B) – Imprint only, no electronic cardholder data is stored.

Type 3 (SAQ B) – Standalone dial-out terminals only, no electronic cardholder data is stored.

Type 4 (SAQ C) – POS or payment system connected to the Internet, no electronic cardholder data is stored.

Type 5 (SAQ D) – All other merchants and all service providers.


Page 15: Validation Types - Continued

Conclusion: With the exception of payment card transactions processed using a stand-alone dial-up terminal where paper receipts are kept for refund purposes, all other payment card transactions within Colleague (CREN) or using Datatel's e-Commerce would require a college to submit SAQ D.

Page 16: Impact of Validation Type D

What is the impact to the colleges?

(Speaker note) Arthur to provide some insight into what the colleges will be doing in addition to their normal processes.

Page 17: Datatel Colleague Environment

Scenario 1: Accepting Payment via Telephone (TREG)

Diagram (the original slide is a figure; only its labels survive): EPOS (TREG) Server; Colleague Server via DMI; Internet; CC Clearing House; Payment Verification.

Page 18: Datatel Colleague Environment

Scenario 2: Accepting Payment via WebAdvisor (WA)

Diagram (the original slide is a figure; only its labels survive): WA Server; Colleague Server via DMI; Internet; CC Clearing House; Payment Verification.

Page 19: Datatel Colleague Environment

Scenario 3: Accepting Payment via Colleague (CREN)

Diagram (the original slide is a figure; only its labels survive): Side Terminal (CC entered via CREN); Colleague Server via DMI; Internet; CC Clearing House; Payment Verification.

Page 20: Datatel Best Practices

Develop a policy for maintaining payment card data. Non e-Commerce data should be purged via COCD.

Purge payment card information in Production before cloning the Production environment to Test using COCD.

If troubleshooting e-Commerce with the DMI listener in debug (-t -v options), remove the log immediately after the debug information has been obtained. You are not compliant while debug is turned on.

Work with your Bookstore provider to determine compliance.
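The debug-log caveat above is one a defender should verify rather than assume: a listener log written with debug on can carry the full PAN, and the slide's instruction is to remove it. The following is an added example, not from the presentation or from Datatel, showing in Python how to confirm that no log copy still carries account numbers. It finds 13-19 digit runs (optionally separated by spaces or hyphens) that pass the Luhn check and masks all but the last four digits. The log layout, the "DMI debug" prefix and the field names are assumptions made for the sample; the card numbers are standard test values, and the sample lines are constructed.

```python
import re

# Constructed sample of what a listener debug log might look like. These are
# not real Datatel DMI log lines: the layout and field names are invented for
# this example, and the card numbers are standard test values, not accounts.
SAMPLE_LOG = """\
2008-08-05 10:14:02 DMI debug: request ECPR provider=OPC amount=125.00
2008-08-05 10:14:02 DMI debug: field PAN=4111111111111111 exp=1210 name=J DOE
2008-08-05 10:14:03 DMI debug: response code=00 ref=A1B2C3
2008-08-05 10:15:11 DMI debug: student id 1234567890123 term=2008FA
2008-08-05 10:15:12 DMI debug: field PAN=5500 0000 0000 0004 exp=0311
"""

# 13 to 19 digits, each optionally followed by one space or hyphen, not glued
# to other digits. Timestamps (colon-separated) and short numbers never match.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){13,19}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; a PAN-shaped run that fails it is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; a conservative display form."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _split_candidate(raw: str):
    """Separate the digit run from any trailing separator the regex swallowed."""
    core = raw.rstrip(" -")
    return core, raw[len(core):]


def scan_log(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid PAN-shaped run."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            core, _ = _split_candidate(m.group(0))
            digits = re.sub(r"[ -]", "", core)
            if luhn_ok(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


def redact_log(text: str) -> str:
    """Return the log with every Luhn-valid PAN-shaped run masked in place."""
    def _sub(m):
        core, trailer = _split_candidate(m.group(0))
        digits = re.sub(r"[ -]", "", core)
        return (mask_pan(digits) + trailer) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: possible PAN {masked}")
    print(redact_log(SAMPLE_LOG))
```

Two points of design. A Luhn match is a candidate to review, not proof (the 13-digit student id in the sample fails Luhn and is left alone, but some non-card identifiers will pass by chance). And because cardholder data as defined on page 5 also covers the name and expiration date that sit beside a PAN, masking the PAN in a debug log is not a substitute for deleting the log as the slide says; the scan is for confirming that rotated copies, backups, or the Production-to-Test clone mentioned above no longer carry account numbers.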

Page 21: Additional Information

PCI Security Standards Council https://www.pcisecuritystandards.org/

https://www.pcisecuritystandards.org/education/webinars.shtml (webinars)

Datatel AnswerNet Document #4397 - How to remove sensitive credit card data for PCI Compliance http://www.datatel.com

NC Office of the State Controller

http://www.ncosc.net/programs/risk_mitigation_pci.html

Page 22: Contact Information

NC Office of State Controller
http://www.ncosc.net/SECP/SECP_PCIOverview.html

NCCCS System Office
Jay Baucom - (919) 807-6988 [email protected]
Jason Godfrey - (919) [email protected]
Kim Van Metre - (919) 807-7071 [email protected]

Trustwave
General Questions - (800) [email protected]

Page 23: Additional Information

Q & A