PCI-DSS Compliance and Payment Card Acceptance
Cathy Freeman
Cash and Treasury Services
Phone: 864-656-0530
Email: [email protected]
Website: http://www.clemson.edu/cfo/cash-treasury/
Agenda
• PCI-DSS Defined
• Brief History
• Why is PCI-DSS Compliance Important?
• Merchant Levels and Requirements
• CU PCI Best Practices
• PCI Compliance Responsibilities
• Virtual Terminals
• Credit Card Payment Information
• Who Gets Overlooked
• Accepting Credit Cards on Campus
• Questions
PCI-DSS Defined
Payment Card Industry Data Security Standards
A collaborative effort to achieve a common set of security standards for use by entities that process, store or transmit payment card data.
Multiple credit card organizations participate in PCI efforts. Members include Visa, MasterCard, American Express, Diner's Club, Discover Card and JCB.
PCI-DSS Definitions
Cardholder: Customer to whom a card is issued, or an individual authorized to use the card.
Cardholder Data: Full magnetic stripe or the Primary Account Number (PAN) plus any of the following:
• Cardholder name
• Expiration date
• Service Code
Cardholder Validation Value or Code: Data element on a card's magnetic stripe that uses a secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting.
Compromise: Intrusion into a computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected.
Encryption: Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure.
Firewall: Hardware, software, or both that protect the resources of one network from intruders from other networks.
Information Security: Protection of information to ensure confidentiality, integrity and availability.
Magnetic Stripe: Data encoded in the magnetic stripe, used for authorization during transactions when the card is presented.
Merchant: Any person or business that accepts payments by debit or credit cards. It is an agreement between a retailer, a merchant bank and a payment processor for the settlement of credit card and/or debit card transactions.
PAN: Primary Account Number, the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also called Account Number.
POS: Point of Sale. Hardware and/or software used to process payment card transactions at merchant locations.
Service Code: Three- or four-digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction.
Vulnerability Scan: Scans used to identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company's private network.
Brief History
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process.
The major credit card companies (Visa, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that ALL merchants must comply with in connection with the acceptance of payment cards. These standards are called the Payment Card Industry Data Security Standards, or PCI DSS. They have placed additional responsibilities on CU departments in connection with the acceptance of payment cards.
Why is PCI Compliance Important?
• Good business practice. PCI compliance is like insurance.
• Large monetary fines assessed to your department and/or Clemson University.
• Loss of merchant status for the department.
• Loss of merchant status for Clemson University.
• Loss of faith in the Clemson University name.
• You are vulnerable!
Because they are after us!
Since 2008, educational institutions have experienced a staggering 158 data breaches, resulting in over 2.3 million reported records compromised.
Higher ed institutions have become a predominant target for cyber criminals because of the substantial amount of distinct types of data they possess. Databases at colleges include names, addresses, financial information, credit card numbers, SSNs and healthcare records of employees, students and parents.
Source: Application Security, Inc.
Estimated $3.4 Billion Lost to Online Fraud
The $700 million increase in estimated total fraud loss (vs. 2010) was driven by the overall growth in ecommerce in 2011.
Source: CyberSource Online Fraud Report
Countries With The Most Card Fraud: U.S. and Mexico
One recent survey finds that 27% of cardholders (debit, credit and prepaid) around the world have experienced fraud in the past five years. Rates of fraud vary across countries, but Mexico and the United States are more prone to fraud, with 44% and 42% of respondents there saying they've experienced card fraud. The report from Aite Group and ACI Worldwide, which surveyed over 5000 consumers in 17 countries, notes that U.S. consumers are heavy card users; more card use means a greater likelihood of card fraud.
Source: Forbes
You don't want to make the headlines!
Costs of Non-Compliance
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
Breach Trends and The Facts
Main causes of a data breach: hacking is now #1.
Data Breaches Will Likely Affect Your Reputation. 76% of organizations surveyed acknowledged that their reputation was impacted as a result of the loss or theft of customer information.
Type of Data Most Often Stolen:
• Password/PIN
• Credit card or bank payment information
• Credit or payment history
• Driver's license/SSN
It Can Be A Long Road To Recovery
64% of organizations say they are concerned that data compromised in a data breach will be used to commit other types of fraud.
Breaches Can Strike Twice or Even Three Times
85% of recent survey respondents indicated that their organization had more than one breach involving customer data in the last 24 months.
Your Reputation Doesn't Bounce Back Immediately
To restore an organization's reputation after a breach that involved customer information takes about a year (11.8 months).
Definition of Merchant Levels
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ('DBA'). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level. Merchant levels as defined by Visa:
Merchant Levels
Merchant Requirements
QSA Onsite Review
• Is a detailed audit against the PCI Data Security Standard
• Potentially targets all systems and networks that store, process and/or transmit cardholder information
• Includes review of contractual relationships, but not assessment of the third parties themselves
• Must be performed using an offering from a Visa certified provider (QSA)
• Biggest difficulties in having onsite reviews are the initial scoping and the subsequent cost of correction to compliant levels
Self-Assessment Questionnaire
• Is a selected subset of the full Onsite Audit Criteria
• Is completed by the Merchant or Service Provider
• Is submitted to Acquirer(s)
• Is made up mainly of Yes/No/Not Applicable responses
• Is broken into five of the six sections from PCI DSS:
  Build and Maintain a Secure Network
  Protect Cardholder Data
  Implement Strong Access Control Measures
  Regularly Monitor and Test Networks
  Maintain an Information Security Policy
Network Security Scanning
Targets Internet facing devices, systems and applications including:
• Routers and firewalls
• Servers and hosts (including virtual)
• Applications
Must be performed using an offering from a MasterCard certified provider.
May not have any Severity 3 or greater issues:
• 5 (Urgent): Trojan Horses, file read and write exploits, remote command execution
• 4 (Critical): Potential Trojan Horses, file read exploit
• 3 (High): Limited exploit of read, directory browsing and denial of service
Merchant Requirements: Six Goals, Twelve Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmissions of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
CU PCI Compliance Best Practices
1. Merchants should discontinue storing credit card numbers and the security code on any computer, server, or database. This includes Excel spreadsheets.
2. Treat payment card receipts like you would cash.
3. Keep payment card data secure and confidential.
4. Limit access to system components and cardholder data to only those individuals whose job requires such access.
5. Assign all users a unique ID before allowing them to access system components or cardholder data.
7. Documents containing cardholder data should be kept in a secure environment (e.g. a safe or a locked file cabinet).
8. Never send cardholder information via email. Credit card numbers must not be transmitted in an insecure manner, such as email, unsecured fax or through campus mail.
9. Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment.
10. Render sensitive cardholder data unreadable anywhere it is stored.
11. Manual swipes or imprinters are not authorized for use.
12. Any new systems/software that process payment cards are required to be approved by the Cash and Treasury Office prior to being purchased.
13. Any computer system hosting a credit card application must be housed in CCIT’s data centers due to security requirements.
14. Computer systems that process payment cards must be behind a firewall.
15. Use and regularly update anti-virus software.
16. Do not use vendor-supplied defaults for systems passwords and other security parameters.
17. Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
18. Report all suspected or known security breaches to Cash and Treasury Services and CCIT’s Information Security & Privacy.
Credit Card Data Storage Motto
If you don't need it, DON'T KEEP IT!
CU PCI Compliance Responsibilities
Merchant
• Complete and submit the Self-Assessment Questionnaire (SAQ) annually. Each merchant is responsible for their own PCI DSS Compliance.
• Development of a departmental credit card data information security policy, procedures or plan.
• Implementation of all data security controls necessary to comply with PCI DSS requirements.
• Attendance at an annual PCI DSS Compliance Training conducted by the Cash and Treasury Services Department.
Cash and Treasury Services
• Provide guidance and support to the merchants' PCI DSS Compliance efforts.
• Make recommendations on how to lower a merchant's risk of exposure to breaches.
• Coordinate and assist in the completion and submission of SAQs by all merchants.
• Serve as liaison between the merchant and the credit card processor.
• Assist merchants in responding to a possible breach.
CCIT Information Security & Privacy
• Completes and coordinates with Cash and Treasury Services a single Self-Assessment Questionnaire (SAQ) for the University.
• Provide guidance and support to the merchants' PCI DSS Compliance efforts from a technical perspective.
• Make recommendations on how to implement Compensating Controls that will meet particular PCI DSS requirements.
• Provide Application and Website Vulnerability Scanning. This can also be done at the system level.
• Assist merchants and Cash and Treasury Services in responding to a possible breach and the breach investigation.
Virtual Terminals and PCI Compliance
A virtual terminal is a web-based application that allows merchants to accept credit card payments using their Internet connected computers. Like the traditional credit card terminals that you see at most retail stores, virtual terminals can accept both swiped and keyed transactions.
Virtual terminal workstations must be segmented and secured. A merchant must meet the following criteria:
• Merchant's only payment processing is via a virtual terminal accessed by an Internet-connected web browser
• Merchant accesses the virtual terminal via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment
• Merchant's virtual terminal solution is provided and hosted by a PCI DSS validated third party service provider
• Merchant's computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward)
• Merchant's computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached)
• Merchant does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet)
• Merchant does not store cardholder data in electronic format
• If merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically
Credit Card Payments
• Nearly one-third (30%) of students put tuition on their credit card, an increase from 24 percent in the previous study.
• 84% of the student population overall have credit cards.
• 92% of undergraduate credit cardholders charged textbooks, school supplies, or other direct education expenses, up from 85% when the study was conducted in 2004.
Source: Sallie Mae, "How Undergraduate Students Use Credit Cards", April 2009
Current credit card payment methods on campus:
• E-commerce & Online Payment
• Point of Sale Terminals
In FY 2012, Clemson University merchants processed:
Total Transactions (Online and POS): 201,731
Total Revenue (Online and POS): $53,042,373.91
Number of Merchants: 110
What Gets Overlooked?
• Paper
• People
• Process
PCI Compliance Cycle
Accepting Credit Cards on Campus
Thinking of taking payment cards or changing your current process? Contact Cash and Treasury Services first.
Do not go it alone. The state of South Carolina mandates who we can use for credit card processing. PayPal accounts and devices like Square for your iPad or iPhone cannot be used.
Our current credit card processing companies are FirstData, TouchNet and Official Payments.
Contact Cash and Treasury Services for current credit card rates charged by FirstData, TouchNet and Official Payments.
Clemson University accepts American Express, Discover, MasterCard and Visa.
Just Remember…
Data Security is an ongoing process.
• Recognize the risks at all levels to your department.
• Understand what you can do to be proactive.
• Determine what behaviors and processes may have to change.
Want to know more? Resources
PCI Data Security Standards
• PCI for Merchants: https://www.pcisecuritystandards.org/merchants/index.php
• PCI Data Security Standards: https://www.pcisecuritystandards.org/security_standards/index.php
• CU Network Security Policy: http://www.clemson.edu/ccit/about/policies/network_security.html
Points of Contact
Has data been compromised? The first 24 hours are critical! Contact:
Office of Information Security and Privacy
864-656-7131
http://www.clemson.edu/ccit/help_support/safe_computing/
and
Cash and Treasury Services Banking and Payment Card Coordinator
864-656-0530
http://www.clemson.edu/cfo/cash-treasury/
A confidential Ethics Line is provided as a service to assist any member of the University community with reporting concerns or issues about questionable practices. These may include fraud, theft, conflicts of interest, abuse of assets or property, or violations of laws or regulations.
Toll Free: 1-877-503-7283 (1-877-50FRAUD). Available 24 hours a day, seven days a week. Leave a message, or visit
www.clemson.edu/administration/internalaudit/contactus.html
Questions
PCI Compliance Training Questions
1) What Does PCI-DSS Stand For?
a. Protect Computer Identity-Data Security Standard
b. Payment Card Industry-Data Security Standard
c. Payment Card Industry-Data Safety Standard
d. Payment Card Identification-Develop Security Service
2) When was the Payment Card Industry Security Standards Council launched?
a. September 7th, 2003
b. September 7th, 2004
c. September 7th, 2005
d. September 7th, 2006
3) The Payment Card Industry Security Standards Council (PCI SSC) breaks merchants up into 4 compliance levels?
a. True
b. False
4) The Self-Assessment Questionnaire (SAQ) is filled out by the merchant?
a. True
b. False
5) There are 6 requirements for PCI-DSS compliance?
a. True
b. False
6) Which of the following is a Clemson University PCI Compliance best practice?
a. Keep payment card data confidential
b. Computer systems that process payment cards must be behind a firewall
c. Render sensitive cardholder data unreadable anywhere it is stored
d. All of the Above
7) You can send cardholder information via email?
a. True
b. False
8) Which of the following is a PCI Compliance responsibility for the merchant?
a. Complete the Self-Assessment Questionnaire
b. Development of a departmental credit card data information security policy, procedures or plan
c. Attend annual PCI DSS Compliance Training
d. All of the Above
9) A virtual terminal workstation can be located in an open area for anyone to use?
a. True
b. False
10) PayPal or devices like Square can be used to accept payments on campus?
a. True
b. False
Thank you for taking the PCI Compliance Training.
Need More Help? Contact Cathy Freeman at [email protected] or 864-656-0530
To acknowledge that you have read and completed the online PCI Compliance training, continue to the website below.
Clemson.edu/esig