1 / 24

Harvey Gannon CEO - CampusGuard

PCI: What you need to know!. Harvey Gannon CEO - CampusGuard. Full-Service QSA/ASV Firm for PCI Compliance in U.S., Australia and New Zealand We Understand the PCI DSS Focused Solely on Higher Education. Introducing CampusGuard. Quick PCI Overview. What you need to know. Common Myths.

louis
Download Presentation

Harvey Gannon CEO - CampusGuard

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PCI: What you need to know! Harvey GannonCEO - CampusGuard

  2. Full-Service QSA/ASV Firm for PCI Compliance in U.S., Australia and New Zealand We Understand the PCI DSS Focused Solely on Higher Education Introducing CampusGuard

  3. Quick PCI Overview • What you need to know • Common Myths • Q & A

  4. PCI… One International Standard

  5. Merchant Levels

  6. What’s in your wallet?

  7. What does it include? • Process, transmit or store of credit card data • Electronic, paper, in-person, mail-in, email or faxes, etc • I/T systems, policies, processes, education, training, data destruction, etc • Payments, refunds, chargebacks

  8. But…its really more than that! • Opportunity to find out what is going on • Chance to implement standards on campus • Finance can take control of payments

  9. The Campus Is Like a City

  10. Well, I didn’t get them all…

  11. Looking something like this… • Athletics • Student Accounts • Parking Services • Library • Theatre • Events • Foundation • Continuing Ed • Radio Station • Hotel • Residential Life • Book Store • Student Life • Reprographics • More…

  12. Best Practices • Move swiftly to have finance take the lead • Education and awareness are priority #1 • Senior management buy-in is essential • Establish a roadmap for success • Rapidly implement a few simple changes for “quick wins” • Understand…This is a journey! • Consider how to apply these principles to other PII

  13. Readiness Review Discovery and Assessment Remediation Validation • Merchant Discovery • Payments Analysis • Merchant and I/T Education • Documentation • Preliminary Scanning • Gap Analysis • Correct Problems • Implement policies and processes • Compensating • Controls • ROC or SAQ • Submission • Quarterly Scanning • Penetration Testing Re-Validate every 12 mos 3 - 9 mos. The PCI Project

  14. Common Myths

  15. Myth 1: Identity theft does not occur in AUS • In 2009, the average cost of a data breach in Australia was: • $1.97M • $123/record • 44% involved a malicious or criminal act • 31% involved third party mistakes/errors Source: 2009 Annual Study – Australian Cost of a Data Breach – Ponemon Institute

  16. Education 31% Education Is At Risk Higher Education is Disproportionally Vulnerable Medical Business Gov’t

  17. Myth 2: We don’t have to comply • Or our bank has not notified us yet • Or the card schemes can’t tell us what to do

  18. Myth 3: We don’t have the time Or… this is not a priority • Direct Costs • Discovery / Forensics • Notification costs • Identity monitoring costs • Additional security measures • Fines • Level 1 designation • Indirect Costs • Loss of constituent confidence • Reduced levels of giving • Loss of productivity • Distraction from core business 10,000 accounts X $123 / account = $1.23 Million Reputation – Priceless!

  19. Myth 4: This is not a law or government requirement • Or… we don’t have to notify victims of identity theft therefore we will not incur some of these costs • Matter of contract law • Australian Government Commonwealth Privacy Act – October 2009 (ALRC 108)

  20. Myth 5: I can do this myself • Short answer: TRUE(but you may not want to) • Long answer: Despite popular myth, you can assess yourself, provided: • You follow audit procedures • Your acquirer agrees • An approved officer (think President or CFO) signs on the “dotted line” (attesting to the veracity of the results) • You’re absolutely sure you’re going to do it right

  21. Other Common Myths • Applies to payments only • This is an I/T security issue • My software company is PCI Compliant so I do not have to worry about this • It will cost millions of dollars to comply • I will do something when card schemes start fining

  22. Closing Thoughts • PCI DSS is here! • Don’t look at this as a requirement or a drudgery. • Don’t let others use myths to detract you from protecting your constituents data and therefore the integrity of your institution. • This is an opportunity for finance and a great one at that!

  23. Harvey Gannon CEO - CampusGuard hgannon@campusguard.com

  24. Merchant Levels and Compliance

More Related