PCI Compliance: The Gateway to Paradise

1. PCI Compliance: The Gateway to Paradise

2. Present a single face to your customers - Every decision that we make should be based on looking through the eyes of our customer. If we see the world through their eyes, we will be best prepared to understand and help them. Work in different ways for different classes of customers � This could mean many things. For instance, we might contemplate market segmentation by 2yr, 4yr, graduate, proprietary schools if they have distinctly different student/family customers that they are serving or unique problems that they are trying to solve. Another possibility is that some customers may want full service and some customers may want more self service (this will be discussed in greater depth later in the presentation). The key point here is that where definitive �classes� of customers exist, defined by distinctly similar needs and problems, then develop and institutionalize ways to serve them uniquely. Know what your customers will ask for before they do � This comes from being immersed in the business of higher education, from listening, and from being aware of the challenges that the customer faces and by being willing to consider how to help them solve their problems. This also applies to students and families that we serve directly with AMPP. An example of this is if we were to notice FAQ�s coming in to our call center, then we would want to find a way to answer that question for all customers before they have to call us Present a single face to your customers - Every decision that we make should be based on looking through the eyes of our customer. If we see the world through their eyes, we will be best prepared to understand and help them. Work in different ways for different classes of customers � This could mean many things. For instance, we might contemplate market segmentation by 2yr, 4yr, graduate, proprietary schools if they have distinctly different student/family customers that they are serving or unique problems that they are trying to solve. Another possibility is that some customers may want full service and some customers may want more self service (this will be discussed in greater depth later in the presentation). The key point here is that where definitive �classes� of customers exist, defined by distinctly similar needs and problems, then develop and institutionalize ways to serve them uniquely. Know what your customers will ask for before they do � This comes from being immersed in the business of higher education, from listening, and from being aware of the challenges that the customer faces and by being willing to consider how to help them solve their problems. This also applies to students and families that we serve directly with AMPP. An example of this is if we were to notice FAQ�s coming in to our call center, then we would want to find a way to answer that question for all customers before they have to call us

4. Payment Card Industry Data Security Standard (PCI-DSS) Card Associations founded an LLC in 2006 http://www.pcisecuritystandards.org One program now Mission: Enhance payment account data security by fostering a broad adoption of PCI-DSS

6. �Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.� *Payment Card Industry Data Security Standard

8. In the event of the a breach the acquirer CAN make the merchant responsible for: Any fines from PCI-Co Up to $500,000 per incident Cost to notify victims Cost to replace cards (about $10/card) Cost for any fraudulent transactions Forensics from a QDSC Level 1 certification from a QDSC

9. Example: 50,000 credit cards stolen PCI Penalty - $100,000 per incident $500,000 if you do not have a self-assessment Card Replacement - $500,000 Fraudulent Transaction � $61,750,000 $1,235 - 2004 average fraudulent transaction Bad Publicity � Priceless!

10. Cost of Non-Compliance States are making PCI law and adding to the cost of compliance Minnesota passed the state bill 1574 which makes PCI a law Anyone processing more than 20,000 transactions is subject to fines if a breach occurs Texas is working on a similar bill Other states are likely to follow

12. Higher education networks comprise an estimated 15% of the total advertised Internet address space* Extremely �open� by tradition and culture Highly connected networks to commercial internet, regional, national, and international research networks Communities range from 1,000 to 200,000 people Thousands of networked devices Departments control local technology and act independently Understaffed IT department * University of Indiana

13. Higher Education Challenge Higher education accounted for over 26% of the breaches in 2006. 68% of schools have 0-1 FTE dedicated to PCI 36% of schools have an incident response plan* Survey data from Walt Conway Associates, LLC

14. Get executive buy-in President Treasurer/CFO CIO Define a commerce committee IT Security Internal Audit Treasury

15. Define and publish credit card handling policy Acceptable payment channels Handling of PII (Personally Identifiable Information) Requesting merchant IDs Applicability to University employees, work study� Background and credit checks for employees handling credit cards Training and acknowledgement Use of vendors

16. Gap analysis Review all existing merchants and their procedures Identify �urgent improvements� Operational remediation plan Technical remediation plan Compliance maintenance Rules will change Systems will change PCI is a journey � not a destination

17. Consider outsourcing Get as many credit card numbers off campus as possible Use a service provider to process credit card transactions Approved scanning vendors Approved hosting centers

18. David R. King President Nelnet Business Solutions dking@infinet-inc.com