PCI: What you need to know!
Harvey Gannon, CEO - CampusGuard

Introducing CampusGuard
• Full-Service QSA/ASV Firm for PCI Compliance in U.S., Australia and New Zealand
• We Understand the PCI DSS
• Focused Solely on Higher Education

Agenda
• Quick PCI Overview
• What you need to know
• Common Myths
• Q & A
What does it include?
• Processing, transmitting or storing of credit card data
• Electronic, paper, in-person, mail-in, email or fax, etc.
• I/T systems, policies, processes, education, training, data destruction, etc.
• Payments, refunds, chargebacks

But… it's really more than that!
• Opportunity to find out what is going on
• Chance to implement standards on campus
• Finance can take control of payments

Looking something like this…
• Athletics
• Student Accounts
• Parking Services
• Library
• Theatre
• Events
• Foundation
• Continuing Ed
• Radio Station
• Hotel
• Residential Life
• Book Store
• Student Life
• Reprographics
• More…

Best Practices
• Move swiftly to have finance take the lead
• Education and awareness are priority #1
• Senior management buy-in is essential
• Establish a roadmap for success
• Rapidly implement a few simple changes for “quick wins”
• Understand… this is a journey!
• Consider how to apply these principles to other PII
The PCI Project
Phases: Readiness Review → Discovery and Assessment → Remediation → Validation (3 - 9 mos.; re-validate every 12 mos.)
• Merchant Discovery
• Payments Analysis
• Merchant and I/T Education
• Documentation
• Preliminary Scanning
• Gap Analysis
• Correct Problems
• Implement policies and processes
• Compensating Controls
• ROC or SAQ Submission
• Quarterly Scanning
• Penetration Testing
Myth 1: Identity theft does not occur in AUS
• In 2009, the average cost of a data breach in Australia was:
• $1.97M
• $123/record
• 44% involved a malicious or criminal act
• 31% involved third party mistakes/errors
Source: 2009 Annual Study – Australian Cost of a Data Breach – Ponemon Institute

Education Is At Risk
Higher Education is Disproportionately Vulnerable
[Chart: share of breaches by sector – Education 31%; Medical, Business, Gov’t (values not recoverable from the slide)]
Myth 2: We don’t have to comply
• Or our bank has not notified us yet
• Or the card schemes can’t tell us what to do

Myth 3: We don’t have the time
Or… this is not a priority
• Direct Costs
• Discovery / Forensics
• Notification costs
• Identity monitoring costs
• Additional security measures
• Fines
• Level 1 designation
• Indirect Costs
• Loss of constituent confidence
• Reduced levels of giving
• Loss of productivity
• Distraction from core business
10,000 accounts X $123 / account = $1.23 Million
Reputation – Priceless!
Myth 4: This is not a law or government requirement
• Or… we don’t have to notify victims of identity theft, therefore we will not incur some of these costs
• Matter of contract law
• Australian Government Commonwealth Privacy Act – October 2009 (ALRC 108)

Myth 5: I can do this myself
• Short answer: TRUE (but you may not want to)
• Long answer: Despite popular myth, you can assess yourself, provided:
• You follow audit procedures
• Your acquirer agrees
• An approved officer (think President or CFO) signs on the “dotted line” (attesting to the veracity of the results)
• You’re absolutely sure you’re going to do it right

Other Common Myths
• Applies to payments only
• This is an I/T security issue
• My software company is PCI Compliant so I do not have to worry about this
• It will cost millions of dollars to comply
• I will do something when card schemes start fining
Closing Thoughts
• PCI DSS is here!
• Don’t look at this as a requirement or a drudgery.
• Don’t let others use myths to distract you from protecting your constituents’ data and therefore the integrity of your institution.
• This is an opportunity for finance, and a great one at that!
Harvey Gannon, CEO - CampusGuard
hgannon@campusguard.com