
Welcome to the 2nd Annual Campus Merchant Awareness Training Meeting



Presentation Transcript


    1. Welcome to the 2nd Annual Campus Merchant Awareness Training Meeting

    2. Agenda
    - Introductions
    - Merchant Account Basics
    - FAQ's
    - What Have We Learned… In this case, left is always better!
    - PCI Compliance Changes
    - PCI Compliance Overview
    - Resources

    3. Merchant Accounts Updates
    - System down? Voice Authorization: 1.800.936.2632 (need MID)
    - Questions on accounts? DST 1.800.228.5882, 24/7 service: statement issues, authorization problems, supplies
    - Bursar Support Services: Dial Pay, Wireless Terminal, POS Terminals

    4. Merchant Accounts Updates
    - Account/Statement Review
      - Review monthly for errors & charges (Jul VS zero floor limit fee)
      - Analyze yearly for cost/service assessment
      - Minimum charges on statements
    - Visa EIRFs: 2.30% on manually entered cards
    - Plastic bag around card
    - Clean terminal
    - Rub card magnetic strip
    - Debit PIN pads

    5. Merchant Accounts Updates
    - Sales calls: Bank of America Merchant Contact
    - Upgrading PIN devices
    - Fraud control: http://usa.visa.com/merchants/risk_management/index.html
    - American Express rate change: all campus 2.05% consumer card; Discover 1.75%
    - Staff training resources: many options for the front line staff as well as IT and MRPs

    6. Merchant Accounts Updates: Phishing Alert
    Example phishing email shown on the slide:

        Bank of America temporarily suspended your account. Reason: Billing failure. We need you to complete an account update so we can unlock your account. To start the update process follow the link below:
        http://www.secureyouraccountnow.com
        Once you have completed the process, we will send you an email notifying that your account is available again. After that you can access your account at any time. The information provided will be treated in confidence and stored in our secure database. If you fail to provide required information your account will be automatically deleted from Bank of America database.

    7. Frequently Asked Questions
    - Service charges? No. Rules vary between Visa and the other card brands (flat fee versus %), and there may be legislation changes. Not adding a service charge also encourages prompt customer payment.
    - Establishing a minimum charge amount? The card organizations forbid you from establishing any transaction dollar limits.

    8. More FAQ's
    - Requiring pictured identification: the card organizations state that a credit card sale cannot be turned down due to lack of picture ID
    - Phone authorization
    - Card not signed
    - Suspected counterfeit card
    - Fax machines & laptops
    - MOTOs: Virtual Terminals & Dial Pay

    9. Still More FAQ's
    - Self Assessment Questionnaire: annual; a great % of merchants have completed it
    - Security Policies/Procedures: departmental
    - Campus Network Configuration: Abraham Kuo, UITS Security Operations

    10. What Have We Learned? That in this case, left is always better!
    - Merchant compromise: paper and fax machines
    - SAQ C merchants' compliance failures: shopping cart, operating system and other patches; firewall rule review; segmentation / flat networks
    - Look for an alternative ("move to the left"): keep MOTO to Dial Pay or a point of sale terminal

    11. Compliance Changes
    - New annual third party assessment
    - MasterCard notification of Level 2 merchants
    - Report on Compliance (ROC) assessment & documentation, SAQ specific
    - You are not alone, we are right beside you: SAQ C training

    12. Questions?

    13. PCI Compliance: Requirements and Resources
    Sylvia Johnson, University Information Security Officer
    Kelley Bogart, Senior Information Security Specialist
    October 23, 2009

    14. Agenda
    - Role of the Information Security Office
    - PCI Overview
    - InfoSec PCI Web Page: Compliance Roadmap
    - Payment Methods & Validation Requirements
    - Ongoing Compliance

    15. InfoSec Role
    - Information Security Policy: access to UA data, computers and network is subject to policies and laws.
    - PCI compliance is mandated by: contract with Bank of America; FRS Policy 8.14.
    - Info Security Policy: InfoSec will issue guidance to assist units in implementing information security related policies.

    16. What/Who Does PCI Cover?
    PCI security requirements apply to:
    - all merchants who store, process or transmit cardholder data
    - all system components in or connected to the cardholder data environment: network components, servers, applications
    Notes: Brief overview of the Data Security Standard. For a detailed explanation, refer to the full set of training modules on the InfoSec website.

    17. Digital Dozen
    Notes: 6 goals and 12 requirements.

    18. PCI Requirements
    - 225 specifics: some technical, some operational
    - Consequences: monetary fines; restrictions on merchant processing; loss of privilege
    - Merchant Responsible Persons are responsible for ALL of them
    Notes: The 12 requirements break down into 225 specifics.

    19. InfoSec PCI Web Page: http://security.arizona.edu/pci
    Notes: Includes a link to FSO-Bursar's Department Services' website, where you can find information about non-PCI payment card issues.

    20. Payment Methods & Validation Requirements
    Notes: Your payment method determines which requirements apply to you. Each column shows which Self-Assessment Questionnaire applies and whether scans are required. At the bottom of the column, applicable PCI requirements are shown. We're going to be referring to payment methods by the corresponding Self Assessment Questionnaire. Because of its minimal requirements, the SAQ A method is recommended for website payments entered by your customers. SAQ B is the recommended method for payments entered by the merchant. Both SAQ C and D require quarterly scanning of all IP addresses in the CHD environment and substantial efforts to prepare for scanning. They are appropriate for merchants in the retail business, or whose processes demand a more complex payment solution. Both methods demand substantial technical expertise. Another reason you may want to think twice about SAQ C or D is that, beginning next calendar year, these payment methods will need to undergo an onsite assessment by a Qualified Security Assessor. An onsite assessment is a thorough review of all applicable requirements.

    21. On-Site Assessment

    22. Report on Compliance
    Notes: Posted on the website is the Report on Compliance template, a document that you can use to prepare for the onsite assessment. The ROC includes ALL the requirements and subrequirements. We've developed separate versions for SAQs A, B and C. These only include the requirements you need to satisfy for your payment method. The first column is the stated requirement. The second column indicates what SecurityMetrics will do or ask for when performing the onsite assessment. The versions for SAQ A, B and C available on the InfoSec website include a third column with documentation requirements.

    23. Process Flow Diagram
    A description of how the credit card information moves through the network:
    - To which systems the data is passed/stored
    - Through which network devices the data passes
    - Which ports and protocols are used to pass data
    - Which encryption algorithms are used, and when
    - Which data is stored, where and for how long (PAN, CVV2/CVC2, expiration date, etc.)
    - All inbound sources of CHD to the network
    - All outbound flows of CHD (e.g., to a payment processor, 3rd parties)
    Notes: Security Metrics will want to see a process flow diagram. This diagram is particularly important for SAQ C merchants because it is one of the things that the assessor will use to determine whether you are appropriately classified as a SAQ C merchant, or rather should be responsible for all 225 requirements. A process flow diagram needs to contain the following: … Use Cornell Spider to locate any electronically stored CHD.
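The kind of search Spider performs when it hunts for electronically stored CHD, as an added illustration (this is not the Spider tool and not code from the presentation): it walks a directory, flags 13 to 19 digit runs that pass the Luhn check, and reports each hit masked to first six / last four so the inventory itself does not become stored cardholder data. The sample files are constructed inline.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the unmasked digit strings in text that look like real PANs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops invoice numbers and other digit noise
            hits.append(digits)
    return hits


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> list:
    """(relative path, line number, masked PAN) for every hit under root."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            for digits in find_pans(line):
                findings.append((path.relative_to(root).as_posix(), lineno, mask(digits)))
    return findings


# Constructed sample files: two Luhn-valid test numbers and one 13-digit invoice
# number that must NOT be reported.
SAMPLE_FILES = {
    "orders/mail_orders.csv": "Smith,4111 1111 1111 1111,12/11\nJones,not a card\n",
    "notes/phone_log.txt": "Caller gave 5500-0000-0000-0004 by phone\ninvoice 1234567890123 paid\n",
    "README.txt": "No card data here\n",
}


def demo() -> list:
    """Write the sample files to a temp dir, scan it, and return the findings."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        return scan_tree(root)
```

Run demo() to see the two masked hits; extend suffixes or swap in a document-text extractor to cover spreadsheets and PDFs.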

    24. Continuous Compliance
    Proper care and feeding of your CHD environment
    Notes: Many requirements have time intervals required for achieving compliance. Compliance is a continuous process where merchants need to develop processes to meet all time based requirements. I'm going to briefly explain those requirements. If you brought the compliance timeline handout, you may follow along.

    25. SAQ A Compliance Timeline
    Notes: We recommend quarterly employee training on merchant security (fraudulent cards, no entry in hosted order page of MOTO, care with paper invoices with CHD (out of public areas), no emailing of CCNs). Also, attend the mandatory training annually. The Merchant Responsible Person needs to review and acknowledge the Campus Merchant Bankcards Acceptance Agreement annually. Although not required, merchants should use Cornell Spider once a year to search for CHD. This is especially important for merchants taking mail orders or telephone orders. SAQ A merchants must destroy hardcopy materials with CHD when they are no longer needed. I suggest establishing a periodic review of any stored documents, including receipts. You must maintain a program to monitor your service providers' PCI compliance status. The quarter before the assessment, begin assessment preparation. This way, you'll be able to fully document for the assessment that you've met the requirements.

    26. SAQ B Compliance Timeline
    Notes: Again, we recommend quarterly employee training. This includes the mandatory annual meeting. The Merchant Responsible Person needs to review and acknowledge the Campus Merchant Bankcards Acceptance Agreement annually. You must maintain a program to monitor your service providers' PCI compliance status. You also need to keep a list of service providers. Using Spider annually to search for CHD is important for SAQ B merchants, as MOTOs may be stored electronically. SAQ B merchants must destroy hardcopy materials with CHD when they are no longer needed. A periodic review of any stored documents such as receipts will help. Once a year, review your local security policy and make any necessary updates. The quarter before the assessment, begin assessment preparation. All this leads up to the assessment.

    27. SAQ C Compliance Timeline
    Notes: Quarterly employee training is recommended, and includes the mandatory annual meeting. Review and acknowledgement of the Campus Merchant Bankcards Acceptance Agreement annually by the Merchant Responsible Person. You must maintain a program to monitor your service providers' PCI compliance status and maintain a current listing of service providers. Using Spider annually to search for CHD is important for SAQ C merchants, particularly those taking mail and telephone orders. Once a year, review your local security policy and make any necessary updates. By establishing a periodic review of any stored documents with CHD, you can stay in compliance with the requirement to destroy hardcopy materials with CHD when they are no longer needed. SAQ C merchants must obtain vulnerability scans and they must check for rogue wireless access points on a quarterly basis. Set aside time during the quarter before the assessment to review the Report on Compliance template and finalize all requirements for the assessment. All this leads up to the assessment.

    28. SAQ D Compliance Timeline
    Notes: I'm not going to belabor the details of the SAQ D requirements. I think this slide says it for me. And this is only a partial list of requirements.

    29. Campus Resources
    - Abraham Kuo, UITS: 626.9736
    - Kelley Bogart, ISO: 626.8232
    - Robbyn Lennon, FSO-Bursar's: 621.5781
    - Security Metrics: Securitymetrics.com
    - BankofAmerica.com/merchantsupport
    - https://www.pcisecuritystandards.org/
    - Prioritized Approach for DSS 1.2: https://www.pcisecuritystandards.org/education/prioritized.shtml
    - PCI Quick Reference Guide: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

    30. Questions?
