Meeting the New PCI Standards in Higher Ed Ron King rking@campusguard.com
Agenda
• Statistics
• Timelines
• Key Changes
• Questions?
CampusGuard
• Full-Service QSA/ASV Firm for PCI Compliance
• Focused Solely on Higher Education
The Target Breach
• 100 million + accounts
• POS was the vector
• Lessons for all…
Higher Ed Statistics
“Leading statisticians…are exceedingly skeptical of the claim that decisive evidence has been obtained.”
Sir Ronald Fisher, Cigarettes, Cancer and Statistics, Centennial Review, v.2, 151-166 (1958)
Compromise Statistics
• Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year
• Over 80% of compromised systems were “card present” or in-person transactions
• Majority of compromise incidents involve use of vulnerable payment applications
• Over 50% of the merchants do not survive the breach … or undergo disruptive business changes
Higher Ed Is Vulnerable: Past 3 Years
[Chart of breaches by sector: Higher Education, Financial Services, Retailers, Government, Healthcare, Other. The slide shows the values 6%, 8%, 14%, 17%, 22% and 33%, but which sector each value belongs to is not recoverable from the slide text.]
Source: Privacy Rights Clearinghouse
Penalties can be Huge
• Bad Publicity: Priceless!
• In the event of a breach the bank can make the merchant responsible for:
• Fines from card associations, up to $500,000
• + Cost to notify victims
• + Cost to replace cards
• + Cost for any fraudulent transactions
• + Forensics
• + Level 1 certification
[Two survey charts from the Treasury Institute for Higher Education; one is labeled “Our QSA company”. The chart data is not recoverable from the slide text.]
Source: Treasury Institute for Higher Education
PCI Security Standards Suite: Protection of Cardholder Payment Data
• PCI DSS: Merchants & Service Providers, Secure Environments
• PCI PA-DSS: Software Developers, Payment Applications
• PCI PTS: Manufacturers, PIN Entry Devices
• P2PE
PCI Security & Compliance: an ecosystem of payment devices, applications, infrastructure and users
PCI Relationships (Credit Card Security)
• PCI Security Standards Council: responsible for managing the PCI DSS and certifying QSAs and ASVs
• Card Associations: responsible for enforcing and monitoring merchant compliance with the PCI DSS
• Merchant Bank: communicates and educates merchants on PCI DSS and reports compliance status to the Card Associations
• Merchant: responsible for safeguarding credit card data and complying with the PCI DSS
Who Must Be PCI Compliant?
[Diagram with the labels: Your Campus (PCI DSS SAQ), Internet, Service Provider (PCI DSS), Payment Application (PCI DSS)]
PCI DSS Version 3.0: Let’s talk about it…
• 11/07/2013: Released
• 01/01/2014: Effective
• 02/28/2014: SAQs Published
• 12/31/2014: v2.0 Retired
PCI DSS Life Cycle
[Timeline: 1/01/2014 (“We are here”) … Interim Period? … 12/31/2014]
Key Themes in v3.0
• Business as Usual
• Clarity
• Security as a Shared Responsibility
PCI DSS: 6 Goals, 12 Requirements
[Table of Control Objectives and their Requirements] No Change*
Merchant Levels: No Change!
[Table of merchant levels, annotated “Most Colleges and Universities”]
Validation Requirements: No Change!
This is SAQ A
[Diagram: Merchant customer → University Web Site (Ex: Performing Arts; describes “Event”; “Pay Now”) → Internet → Service Provider (collects shopping cart info) → CC Processor. A “Man in the Middle” is marked on the path.]
This is SAQ A-EP
[Diagram: Merchant customer → University Web Site (Ex: Performing Arts; collects shopping cart info; “Pay Now”) → Internet → Service Provider. A “Man in the Middle” is marked on the path.]
Can I assess myself?
• Short answer: Maybe (but you probably don’t want to)
• Long answer: You can assess yourself, provided:
• You follow audit procedures
• Your acquirer agrees
• An approved officer (think President or CFO) signs on the “dotted line” (attesting to the veracity of the results)
• You’re absolutely sure you’re going to do it right
“Business as Usual”
• Payment security as an everyday item
• Discipline that is always maintained
“Do we have the culture to protect our customer’s data every day and every hour?”
“Business as Usual”
• Monitor security controls for effectiveness
• Ensure all failures are detected and responded to
• Review changes in the environment
• Organizational structure changes
• Periodic reviews and communication to confirm controls continue to be in place
• Review hardware and software technologies
Compliance vs. Security
[Diagram contrasting Security and Compliance]
“Shared Responsibility”
Requirement 12: Maintain an Information Security Policy
For Merchants:
• 12.8 Managing relationships with service providers
• 12.8.2 Written agreements with service providers
• 12.8.3 Established process for engaging service providers
• 12.8.4 Monitor service provider compliance
• 12.8.5 (NEW) Is information maintained about which PCI DSS requirements are maintained by each service provider and which are maintained by the entity?
For Service Providers:
• 12.9 (NEW) Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?
Example Contract Language
PCI DSS COMPLIANCE: ____ University requires that the contractor shall at all times maintain compliance with the most current Payment Card Industry Data Security Standards (PCI DSS). The contractor will be required to provide written confirmation of compliance.
Contractor acknowledges responsibility for the security of cardholder data as defined within the PCI DSS. Contractor acknowledges and agrees that cardholder data may only be used for completing the contracted services as described in the full text of this document, or as required by the PCI DSS, or as required by applicable law.
In the event of a breach or intrusion or otherwise unauthorized access to cardholder data stored at or for the contractor, contractor shall immediately notify _____ to allow the proper PCI DSS compliant breach notification process to commence. The contractor shall provide appropriate payment card companies, acquiring financial institutions and their respective designees access to the contractor’s facilities and all pertinent records to conduct a review of the contractor’s compliance with the PCI DSS requirements.
In the event of a breach or intrusion the contractor acknowledges any/all costs related to breach or intrusion or unauthorized access to cardholder data entrusted to the contractor deemed to be the fault of the contractor shall be the liability of the contractor. Vendor agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify and hold harmless ______ and its officers and employees from and against any claims, damages or other harm related to such breach.
(USE: Include in any solicitation / contract that may involve online credit card payments.)
IMPORTANT: Insert the following statement into the Scope of Work (potentially in the IT section dealing with credit cards and PCI compliance): “Provide documentation of your most current PCI system scan and the signature page from your Record of Compliance (ROC) or Attestation of Compliance (AOC).”
Physical Protection of POS Terminals
• 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution?
• Maintain a list
• Periodic inspection
• Train personnel
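The three bullets above are the operational side of requirement 9.9: an inventory of card-capture devices, a record of periodic inspections, and staff who know what to look for. The script below is an added example, not code from the presentation or from CampusGuard, showing how a campus might keep that inventory and inspection log in a form that can be checked automatically. It reconciles the latest inspection of each device against the inventory and reports the conditions 9.9 is concerned with: a serial number or location that no longer matches the list (a possible substitution), a broken tamper seal, and an inspection that is overdue. All device records, serial numbers, locations and dates are constructed sample data; the asset-tag scheme and the 30-day inspection interval are assumptions, not figures from the deck.

```python
"""
Added example (not from the presentation): reconcile a PCI DSS 9.9 device
inventory against an inspection log and report devices needing attention.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    """One entry in the 9.9 device list ('maintain a list')."""
    device_id: str    # hypothetical internal asset tag
    make_model: str
    serial: str
    location: str


@dataclass(frozen=True)
class Inspection:
    """One periodic inspection record for a device."""
    device_id: str
    when: date
    serial_seen: str     # serial read off the device during inspection
    location_seen: str   # where the device was actually found
    seals_intact: bool   # tamper-evident seals present and unbroken


# Constructed inventory: what the campus believes it has and where.
INVENTORY = [
    Device("T-001", "ExampleCo PINpad", "SN-AAA-111", "Box office window 1"),
    Device("T-002", "ExampleCo PINpad", "SN-AAA-222", "Box office window 2"),
    Device("T-003", "ExampleCo PINpad", "SN-AAA-333", "Athletics ticket booth"),
]

# Constructed inspection log: T-002 shows a serial that is not in the
# inventory (substitution indicator); T-003 has a broken seal and an old inspection.
INSPECTIONS = [
    Inspection("T-001", date(2014, 3, 3), "SN-AAA-111", "Box office window 1", True),
    Inspection("T-002", date(2014, 3, 3), "SN-AAA-999", "Box office window 2", True),
    Inspection("T-003", date(2014, 1, 10), "SN-AAA-333", "Athletics ticket booth", False),
]


def latest_inspection(device_id, inspections):
    """Return the most recent inspection for a device, or None if never inspected."""
    matching = [i for i in inspections if i.device_id == device_id]
    return max(matching, key=lambda i: i.when) if matching else None


def review(inventory, inspections, today, max_age_days=30):
    """
    Compare each inventoried device with its latest inspection.
    Returns {device_id: [issue, ...]} for devices that need follow-up;
    devices with no issues are omitted.
    """
    findings = {}
    for dev in inventory:
        issues = []
        last = latest_inspection(dev.device_id, inspections)
        if last is None:
            issues.append("never inspected")
        else:
            if last.serial_seen != dev.serial:
                issues.append(
                    f"serial mismatch: inventory {dev.serial}, observed "
                    f"{last.serial_seen} (possible substitution)"
                )
            if last.location_seen != dev.location:
                issues.append(
                    f"location mismatch: inventory '{dev.location}', "
                    f"observed '{last.location_seen}'"
                )
            if not last.seals_intact:
                issues.append("tamper seal broken or missing")
            age = (today - last.when).days
            if age > max_age_days:
                issues.append(f"inspection overdue ({age} days since last check)")
        if issues:
            findings[dev.device_id] = issues
    return findings


if __name__ == "__main__":
    # Constructed review date for the sample data.
    for device_id, issues in review(INVENTORY, INSPECTIONS, date(2014, 3, 10)).items():
        print(device_id)
        for issue in issues:
            print("  -", issue)
```

In practice the inventory and inspection log would live in a ticketing or asset system rather than in the script; the point of the example is the reconciliation rule, which is what turns the "maintain a list" and "periodic inspection" bullets into something that can be run on a schedule and whose output can be handed to the trained personnel from the third bullet.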
MOBILE PAYMENTS?
Card Readers: Smart Phone/Tablets
• “Square” and others
• “Category 3” device
• None are certified compliant!
Mobile Card Terminals
• Few are certified compliant
• Check with the PCI SSC
What About Mobile Payments?
Who Needs Mobile?
• Fundraising: off-campus events
• Student Groups
• Athletic Events
What they will say…
• “Other schools use it”
• “PCI Council addresses Mobile”
• None are certified compliant!
What About Mobile Payments?
No Category 3 Device is considered compliant
Closing Thoughts
• v3.0 is an important improvement, but doesn’t change what you should be doing to comply with PCI, nor how QSAs will conduct reviews
• Promotes understanding that PCI is a shared responsibility
• Aimed at making compliance a part of “Business as Usual”
• More information about the intent of the requirements and how they should be applied
• Helps colleges and universities adopt a framework of continuous security, and move closer to the true intent of the Standard
Resources
https://www.pcisecuritystandards.org/
http://www.treasuryinstitute.org
• SAQs
• FAQs
• White Papers
• Certified QSAs and ASVs
• PCI Blog
• Annual PCI Workshop
Questions? Ron King rking@campusguard.com 972-964-8884