Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial...
Merchant Card Processing (PCI Compliance for Supervisors)
Sponsored by UW-Platteville’s Financial Services and
The Office of Information Security
Introductions
• Cathy Riedl-Farrey – Controller, Financial Services
• Anna Pulver – Information Security Officer
• Patrick Fitzsimons – Internal Auditor
Agenda
• What is PCI Compliance?
• What is expected of you?
• Timelines
Why we are here
PCI DSS 12.6.1 (c): Have employees completed awareness training, and are they aware of the importance of cardholder data security?
Modern-day data security risks
• Over the past couple of decades
  – Increase in payment card usage
  – Increase in e-commerce
  – Great convenience
• Unfortunately…
  – Security has not kept pace
  – The criminals have noticed
Therefore…
• UW-Platteville is concerned.
• UWPLT adopted a policy regarding storage, transmission, and processing of payment card data
  – Credit Card Handling Policy, currently being revised
  – http://www.uwplatt.edu/financial/credit-card-compliance
• UWPLT must be “PCI Compliant”
We Need You
• We need your help to achieve compliance!
Does compliance apply to you?
• If you take branded credit card information, PCI applies to you
  – Major brands: VISA, MC, AmEx, Discover
  – Whether
    • the actual physical card is present, or
    • you receive the data via phone, web, or mail, or
    • you contract with a hosted provider or an in-house department
  – If you “store, transmit or process” cardholder data
What is PCI Compliance?
• Who/What is PCI?
• PCI DSS – 6 Goals, 12 Requirements
• The PCI Compliance process
• PCI Compliance questionnaires
• What are the implications of compliance?
Payment Card Industry
• “PCI” = Payment Card Industry
  – Major brands: VISA, MC, Discover, AmEx
• Established a Data Security Standard
  – PCI DSS
• Thus, “PCI Compliant”
• Current version 3.0
Logo from https://www.pcisecuritystandards.org/
PCI DSS
• Payment Card Industry Data Security Standard
• 12 general principles/requirements
• Establishes a baseline of secure practices
  – Will help mitigate costs in case of a breach
  – Not a 100% guarantee to prevent a breach
PCI DSS: 6 goals, 12 requirements

| Goals | PCI DSS Requirements |
| --- | --- |
| I. Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| II. Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| III. Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| IV. Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| V. Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| VI. Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |

Handout
Why should you care?
• The number of Requirements that apply to you will determine how involved the compliance process will be for you.
The simpler your business process, the simpler your compliance process.
University compliance means…
• For the University to be “PCI Compliant”, all of its CC business units need to be compliant:
  – Merchant IDs, applications, operations, etc.
  – Infrastructure: terminals, networks, fax/copy
  – Personnel
• “If it stores, transmits or processes credit card data, it must be PCI compliant.”
PCI Compliance entails…
1. Training
2. Review of business processes
3. Annual service level agreements (SLA) and self-assessment questionnaires (SAQ)
PCI Compliance - Training
• Supervisor Training: August 8 & August 12
• Operators: on-line training module
Operator training
• On-line training module
  – Go live 8/12/14
  – Approx. 30 minute video
• Broken into three modules
  – Will cover general “operator” material
  – Individual departments may need to develop additional training material to cover their unique processes.
Operator training modules
https://www.uwplatt.edu/financial/pci-training
The Three Modules
1. Card Security Basics (general)
2. Card Present Transactions
3. Card Not Present Transactions
Annually renewed and tracked
• All training must be renewed annually
• All training must be tracked
• Identify operators who need to be trained
  – Operators must be trained by 10/15/2014
• Watch for turn-over and new hires
• Training checklist should be completed
• Submit worksheets to [email protected]
The Compliance Process
2. Review of business processes
  – May need to review in light of PCI DSS 3.0
The Compliance Process
3. SLA & SAQ
  – Most SLAs expire 12/31
  – SAQs will be completed this Fall
PCI Compliance - Questionnaires
• Self-Assessment Questionnaires (SAQ)
• Provided by PCI
• Has been expanded from four variants to eight
  – A, A-EP, B, B-IP, C, C-VT, D, P2PE-HW
  – In order of increasing complexity
  – Required for PCI Compliance
• Which SAQ applies to a given merchant ID or application depends upon the business model.
SAQ Highlight
Business Processes to Consider - 1
• Never send (or receive) CC#s in e-mail
• Don’t store CC#s in a database or spreadsheet
• Destroy CC# documentation ASAP (cross-cut shred)
  – Redesign forms so you can cut off CC#s
• Receipts that show more than the last four digits are out of compliance
• Make workstations “dedicated”
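The "don’t store CC#s in a spreadsheet" and "last four digits only" rules above come down to one check a department can run over its own files: does any document contain a full card number? The following scanner is an added example, not material from the training or from UW-Platteville; the Luhn filter (which drops most stray digit runs that are not card numbers), the masking, and the sample spreadsheet export are all constructed here.

```python
import re

# Candidate runs of 13 to 19 digits, allowing spaces or dashes between groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every valid payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most a receipt may show."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid card number."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def receipt_is_truncated(text: str) -> bool:
    """A receipt or file is in compliance only if no full card number appears."""
    return not find_pans(text)


# Constructed sample: a spreadsheet export as a department might keep it.
# Row 2 and row 4 hold full (test) card numbers; row 3 is already masked;
# row 5 has a 13-digit order number that fails the Luhn check.
SAMPLE_CSV = """name,amount,card
Student A,25.00,4111 1111 1111 1111
Student B,40.00,************1881
Student C,12.50,5500-0000-0000-0004
Order 1234567890123,9.99,n/a
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_CSV):
        print(f"line {lineno}: full card number stored, shown masked as {masked}")
```

The report never echoes the full number, so the scan output itself can be filed without creating more cardholder data to protect.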
Business Processes to Consider - 2
• If you copy, scan, or image CC#s…
• Remove fax machines from public locations
• Old carbon-copy devices are out of compliance
• Do you have integrated workstations?
  – Units that have built-in card-readers
• Other ideas?
Miscellaneous Point #1
• Beware the “maverick”
  – Well-intending faculty or staff
  – Sets up a business unit without authorization
  – Beware solicitations
  – There are no PCI approved mobile devices (e.g. Square)
Miscellaneous Point #2
• You don’t HAVE to become PCI Compliant.
• However, if you choose not to comply…
  – You will no longer be able to accept credit cards.
Changes in personnel?
• Are you leaving?
• New Supervisor?
• Notify [email protected] with an updated SLA within 5 business days of the change.
  – Need to track training to remain compliant
Time Line - Summary
• Supervisor Training: 8/8 or 8/12/14
• Employees complete on-line training modules: Sept 2014
• All training complete; submit training spreadsheet to Controller: October 15, 2014
Thank you!
Questions?