UC SAN DIEGO 2018 MERCHANT PCI DSS CYCLE

UC SAN DIEGO 2018 MERCHANT PCI DSS CYCLE · 2020-05-18 · PCI DSS = Payment Card Industry Data Security Standard • Set of minimum security requirements for processing card payments



AGENDA
Where we are headed

• What is the PCI DSS?
• What are the consequences of not complying with the PCI DSS?
• 2018 Compliance cycle calendar
• Merchant processing methods and SAQ type
  – Expectations for each SAQ
• Live demo of CoalfireOne compliance portal
• UCSD Compliance Team contacts

WHAT IS THE PCI DSS?
PCI DSS = Payment Card Industry Data Security Standard

• Set of minimum security requirements for processing card payments and handling cardholder data
• Contractually agreed to by the UC Office of the President on behalf of the campuses
• Acquiring Bank is Bank of America Merchant Services (BAMS), which is responsible for enforcing the PCI DSS with the campus
• Coalfire Systems has been hired by the campus to help demonstrate to the bank that the campus is compliant with the standard

ORGANIZATION OF THE PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is built on the NIST 800-53 IT security control framework

• Do you have the appropriate security policies in place to safeguard the precious information that you have?
• Do you have the appropriate procedures in place to support that overall security policy?
• Do you have the appropriate secure equipment configuration standards in place to support the security policy?
• Do you actually follow the procedures and use the configuration standards?

[Diagram: layers labelled Security Policy, Procedures, Configurations, and Trust but Verify]

PCI VOCABULARY

Self-Assessment Questionnaire = SAQ
• The technical security and business controls that apply to a particular method of processing card payments
• Each merchant is required to complete their individual SAQ and be compliant
• All campus SAQs are rolled up into a single SAQ for presentation to BAMS

Cardholder Data Environment = CDE
• The environment in which cardholder data is received, processed, or transmitted
• In general this is where the PCI DSS applies

Attestation of Compliance = AOC
• Evidence that a service provider has gone through the PCI compliance assessment process and is compliant with the PCI DSS
• Every service provider involved with your cardholder data must ANNUALLY provide an AOC to their customers

WHY SHOULD WE CARE?

If you are not compliant:
• High probability of fines
• Possibility that the department would lose the ability to accept all card payments
• Possibility that the entire campus would lose the ability to accept all card payments

If you have a breach:
• Certainty of fines
• Very high probability that the merchant would be responsible for all fraud losses on compromised cards
• High cost of obtaining a Report on Compliance (ROC) to demonstrate remediation completed
• Bad publicity for campus, loss of customer trust

2018 UCSD PCI COMPLIANCE CALENDAR

Task                                   Date(s)
Begin working in CoalfireOne portal    12/4/2018 (immediately!)
SAQs completed NO LATER THAN           1/26/2018
Merchant interviews                    1/22/2018 through 2/2/2018
Merchant site visits                   2/19/2018 through 2/23/2018

MERCHANT PROCESSING METHODS
How you process payments determines which SAQ version you must complete

• Fully outsourced to someone else
• Web site redirects to a compliant third party processor
• Point-to-Point Encrypted devices
• Non-listed P2PE solution
• Chipcard terminal
• Virtual Terminal
• Networked kiosks
• Everything else

FULLY OUTSOURCED
SAQ A

• Merchant hires a third party service provider to do everything
• Even the web site is managed by the third party
• Expectations:
  – Third party service provider gives you evidence of PCI compliance (annually)
  – There are no business processes where cardholder data is handled outside of the service provider
  – Service providers managed
  – Incident response plan in place

WEB SITE REDIRECT
SAQ A

• Merchant web site is (minimally) in scope
• Payment processing redirects to compliant third party processor
• Expectations:
  – Documentation of full web stack (operating system, database, shopping cart, CMS system, applications)
  – Documentation of who administers each layer of the web stack
  – Documentation of Requirements 2 and 8 controls
  – Service providers managed
  – Incident response plan in place

LISTED P2PE SOLUTION
SAQ P2PE

• Uses a validated / listed Point-to-Point Encryption (P2PE) solution listed on the PCI Council's website
• Consider each Point Of Interaction (POI) device to be its own micro-CDE, needing appropriate protection and inspection
• Expectations:
  – POI device physical security, tampering inspection
  – Back office alert-monitoring
  – Appropriate business processes in place to control / secure / destroy cardholder data on paper

NON-LISTED P2PE SOLUTION
Reduced-scope SAQ D

• Similar to P2PE requirements but with more documentation
• Expectations:
  – POI device physical security, tampering inspection
  – Back office alert-monitoring
  – Appropriate business processes in place to control / secure / destroy cardholder data on paper

CHIPCARD TERMINAL
SAQ B

• All transactions processed using chipcard terminal
• Cardholder data on paper protected, shredded when transaction processed
• Terminals are regularly inspected for tampering
• Physically secure environment
• Security policy in place, staff security awareness
• Service providers managed
• Incident response plan in place

POI DEVICE INSPECTION
SAQs B, C-VT, P2PE, Reduced-scope D

• Regular inspection of Point of Interaction (POI) devices
• Look for tampering, additional cables, keyboard overlays, etc.
• Staff should at least look at their POI device when they come on shift
• Requirement to document "official" inspection of device in an inspection log
• Staff must know what to do if they see anything suspicious ("Call for help!")

STAFF TRAINING
SAQs (A), B, C-VT, P2PE, Reduced-scope D

• All staff need to know that cardholder data is sensitive data that must be protected and securely processed
• All staff must have annual PCI security training
• For merchants with POI devices, staff trained on how to detect tampering
• All staff must be trained in what to do if something is wrong
  – "See something, say something"
  – Could be as simple as "Call for help"

VIRTUAL TERMINAL
SAQ C-VT

• Use browser to key-enter payments in third party processor virtual terminal
• Workstation / laptop / tablet must be devoted to card payment processing only
  – Single-purpose device
  – Cannot be used for email, accounting, spreadsheets, web surfing, or anything else
• Workstation must be securely configured and administered
• Workstation(s) must be isolated on their own network segment
• Expectations:
  – Minimally functional secure configuration across all workstations, including browser

NETWORKED KIOSKS
SAQ C

• Card accepting kiosks / devices transmitting cardholder data to third party for processing
• Some of the SAQ C controls may not apply
• One merchant in this category

EVERYTHING ELSE
SAQs B-IP, D

• Currently no merchants in these environments on campus
• SAQ B-IP similar to a mixture of SAQs B and C-VT
• SAQ D requires all PCI controls to be met (>330 controls)
  – If you store cardholder data electronically, you are in this environment

COALFIREONE COMPLIANCE PORTAL
DEMO

• Overview / Dashboard
• Environment
• Requirements
• Gap Report
• Evidence Library
• Resources

UCSD COMPLIANCE TEAM
UCSD Compliance Portal on Blink:
http://blink.ucsd.edu/finance/cash/credit-debit-cards/pci-dss/index.html

Armando Carlsson • [email protected]
Linzer • [email protected]
Joe Tinucci • [email protected]
Durham • [email protected]


QUESTIONS