
Financial and Business Services Income Accounting and Student Loan Services Kim Stringham

University of Utah. Financial and Business Services Income Accounting and Student Loan Services Kim Stringham. Objectives. Understand PCI requirements. Identify the roles and responsibilities of the many players. Identify what needs to be done to reach & maintain compliance.


Presentation Transcript


  1. University of Utah Financial and Business Services Income Accounting and Student Loan Services Kim Stringham
  2. Objectives: Understand PCI requirements. Identify the roles and responsibilities of the many players. Identify what needs to be done to reach & maintain compliance. Introduce new technologies.
  3. Payment Card Industry Data Security Standard
     What is PCI DSS? PCI DSS stands for Payment Card Industry Data Security Standard. This standard is a set of controls to protect cardholder data by mitigating data breaches and preventing cardholder data fraud. Defined by the Payment Card Industry Security Standards Council (PCI SSC), the standard was created to increase controls around cardholder data to reduce credit card fraud. All merchants, processors, acquirers, issuers, service providers, and other entities that store, process or transmit cardholder information are required to comply with the PCI DSS.
     PA-DSS vs. PCI DSS? The Payment Application Data Security Standard (PA-DSS) requires vendors who supply payment application software to validate the application with the PCI Council. The validated application must be placed or used in a PCI DSS compliant environment for full compliance to be achieved. The merchant is responsible for the compliant environment.
  4. 12 PCI DSS Requirements
  5. PCI DSS Merchant Levels for Visa, MasterCard and Discover Network
     More information available at the PCI Security Council website: www.pcisecuritystandards.org
     Abbreviations: ROC = Report on Compliance, QSA = Qualified Security Assessor, ASV = Approved Scanning Vendor, SAQ = Self Assessment Questionnaire, PCI SSC = Payment Card Industry Security Standards Council
     *For non-compliant businesses only, an annual signed “Attestation of non-storage of non-compliant data” is required
  6. Self-Assessment Questionnaires V 3.0
     A – Card-not-Present, All Cardholder Data Functions Fully Outsourced
     A-EP – Partially Outsourced E-Commerce Merchants Using a Third-Party Website for Payment Processing
     B – Only Imprint Machines or Only Standalone, Dial-out Terminals. No Electronic Cardholder Data Storage
     B-IP – Standalone, IP-Connected Terminals. No Electronic Cardholder Data Storage
     C – Payment Application Connected to Internet, No Electronic Cardholder Data Storage
     C-VT – Web-Based Virtual Payment Terminals, No Electronic Cardholder Data Storage (key: no payment application)
     D – Full Standard for all other SAQ-Eligible Merchants
  7. Roles and Responsibilities
     Merchant: Adhere to the PCI DSS standard. Create a corporate security strategy to become and stay PCI compliant. Create and maintain a compliant infrastructure.
     Acquiring Bank: Provide support, advice, and general guidance on PCI. Ensure any products, software, or gateways added or in use are certified as PCI compliant. Quarterly reporting to the card brands on a merchant’s compliance status. This reporting reflects the date and status of the SAQ/ROC, scan date(s) and results, and information from the merchant-completed Prioritized Approach containing the areas of non-compliance with current percentage completed and expected completion dates for full compliance.
     Card Networks/Brands: Enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands and not by the Council or WFMS.
     PCI Data Security Council: An open global forum, launched in 2006, is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements. The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. -- have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs and have equal input. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council. Website: https://www.pcisecuritystandards.org/
  8. Don’t Delegate Compliance
     Never assume your software vendor or service provider is maintaining your PCI Compliance. You should be able to answer the following questions:
     What equipment, software, and services do we use for processing and where are they located? Do we have a complete inventory?
     Do we have a hardware based firewall?
     What anti-virus software do we use and who updates it?
     Do we have remote access software on our system? Is it always turned on? Is 2 factor authentication used?
     Is there one id and password per individual user? Are passwords changed regularly?
     Who reviews our log files?
     Who trains the employees to follow guidelines & how?
     Can we document everything PCI related?
  9. Know what you have...Possible components at point of sale
  10. What Data Are You Storing?
  11. Understand your Network and Data Storage
  12. 12 Steps to Information Security
  13. Only 5 Steps for Dial-up Terminals
  14. Don’t Skimp on POS / Upgrades
  15. Train your Staff. Monitor your Staff.
  16. Maintenance is Key
      Data security is more than completing a SAQ every 12 months. Begin the SAQ at least three months before it’s due.
      Stay up to date on: PCI council changes; payment network mandates; the latest trends in data compromise.
      Scan: Complete a passing external scan at least quarterly, and every time changes are made to the system. Use internal scans to detect and correct vulnerabilities.
      Daily review that Anti-Virus, File Integrity Monitoring, and Logging are running.
  17. Chip & PIN – a.k.a. EMV
      Near Field Communication (NFC)
      Required vs. Encouraged
      Liability Shift in the U.S. effective October 1, 2015: Merchants not using EMV will take the financial hit on fraudulent, card-present transactions.
      Benefits: Physical cards are less likely to be used fraudulently.
      Compliance: No changes in compliance requirements.
      Disclaimer: E-Commerce/Phone transactions not affected.
  18. PCI Compliance Changes/Dates *Standards are updated due to the need for additional guidance, clarification, or evolving requirements for strong security standards. For more information on PCI updates, visit www.pcisecuritystandards.org
  19. End to End Encryption
      Point to Point Encryption ≠ E2EE
      PCI DSS terminology: Must be an approved hardware/software combination
      Scope Reduction: SAQ D – most requirements are not applicable
      Hardware Encryption is VITAL!
      Integration with Gateway, Software, Hardware
      Always seek Acquiring Bank & QSA approval
  20. Mobile Payments – PCI DSS Mobile Payments
      February 2013 - The PCI Security Standards Council has published the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End Users. This guide educates merchants on the risk factors that need to be addressed in order to protect card data when using mobile devices to accept payments. Please visit: https://www.pcisecuritystandards.org/security_standards/documents.php?document=pcidss_mobile_payment_sec_guidelines
      Guidelines to Consider: Single purpose tablets, iPads; Hot Spot vs. WiFi; Reduced functionality (browsing); End to End Encryption Devices; Acquiring Bank products; Banking Policy
  21. Consequences and Penalties for Non-Compliance or Breach
      The consequences and costs of non-compliance and of a data compromise can be devastating and may include: Loss of the ability to process card payments. Loss of consumer confidence and brand reputation. Drop in revenues. Heavy fines, penalties and expenses. Up to $500,000 a month per violation (payment network imposed fines). Actual damages to cardholders. Attorneys’ fees. Potential state and federal fines.
      Notification and Remediation Process: Merchant reports suspected or known breach to Bank upon findings and card brands are notified. Card brands notify Bank of Common Point of Purchase investigation. Remediation requires demonstration, documentation, and deadlines. Costly forensic investigation may be required. In some cases, you may be required to shut down all POS, gateways, or IP connected terminals and install “dial-up” terminals until the environment is remediated and deemed safe.
      Data breaches now cost $194 per compromised record and averaged $5.5 million per data breach event.* *From a March 2012 Ponemon Institute study (www.ponemon.org)
  22. PCI Resources
  23. Payment Card Industry Glossary
      ASV: Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.
      Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
      Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.
      Compensating Controls: Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
      Network Segmentation: Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment.
      P2PE: Point to Point Encryption.
      Penetration Test: Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the network trying to come in (external testing) and from inside the network.
      QSA: Acronym for “Qualified Security Assessor,” company approved by the PCI SSC to conduct PCI DSS on-site assessments.
      Sensitive Authentication Data: Security-related information (including but not limited to card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
      Source: https://www.pcisecuritystandards.org/documents/pci_glossary_v20.pdf
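As an added example (not code from the presentation), a small Python check for the "What Data Are You Storing?" question above, using the glossary's definitions: it scans a constructed log excerpt for stored full PANs (Luhn-validated, reported masked so the report itself does not reproduce the PAN) and for indicators of sensitive authentication data such as track data and CVV fields, which may be processed but never stored. The log lines and card numbers are constructed test values.

```python
"""Locate cardholder data and SAD indicators in stored text (added example)."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (%B...^name^...) or track 2 (;PAN=...) data is SAD: must never be stored.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^|;\d{13,19}=\d{4}")
# Card validation codes stored beside a transaction are SAD as well.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[:=]\s*\d{3,4}\b", re.I)

# Constructed sample: public test card numbers, not real accounts.
SAMPLE_LOG = """\
2015-03-02 order=1001 card=4111 1111 1111 1111 exp=12/17
2015-03-02 order=1002 card=1234567890123456 status=declined
2015-03-02 order=1003 track=%B5555555555554444^DOE/JANE^1712101?
2015-03-02 order=1004 card=5555-5555-5555-4444 cvv=123
2015-03-02 order=1005 phone=8015811234 ref=ABC
"""

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Display no more than the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text: str) -> dict:
    """Return masked PAN findings and SAD indicators, keyed by line number."""
    findings = {"pans": [], "sad": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings["pans"].append((lineno, mask_pan(digits)))
        if TRACK_RE.search(line):
            findings["sad"].append((lineno, "track data"))
        if CVV_RE.search(line):
            findings["sad"].append((lineno, "cvv"))
    return findings

if __name__ == "__main__":
    for kind, hits in scan_text(SAMPLE_LOG).items():
        print(kind, hits)
```

Line 2 is not reported because its number fails the Luhn check, and line 5 is skipped because a 10-digit phone number is too short to be a PAN; lines 3 and 4 are the ones that need remediation.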