
Through The Looking Glass






Presentation Transcript


  1. Through The Looking Glass Living In a Compliance World Ron King, CPISM

  2. Compliance Reality • PCI • Red Flags • ACH • Q & A

  3. The Players

  4. Reality in 2010 • New regulations every year • Interpretation • Audit processes change • Focus on specific information, risk • Our job: recognize applicable regs and come into compliance

  5. Security “Colleges have acquired a well-deserved reputation for vulnerable computer systems, and many students’ Social Security numbers have been exposed to identity thieves. With the advent of malware such as bot-nets – networks created when viral software enslaves remote computers, forcing them to do things like sending out threatening e-mail messages – colleges and universities with porous security can harm people with absolutely no connection to the institution.” Chronicle of Higher Education March 17, 2008

  6. Security: Why Care? • Lost productivity • State laws requiring notification…and often more • Customer expectations that you are protecting their personal information • Lawsuits and financial liability • Reputation - priceless

  7. Calculate the cost of a breach… • Class Action Lawsuits • Notification fines • Monitoring Services • Crisis Management • Forensics • Federal and State Fines • Attorney Fees • Bad Publicity = $Potential Loss

  8. PCI Council (diagram of the card brand programs it consolidated) • Card Information Security Program (CISP) – Visa • Site Data Protection (SDP) – MasterCard • Data Security Operating Policy – American Express • Information Security and Compliance – Discover • Data Security Program – JCB

  9. PCI Security & Compliance: Ecosystem of payment devices, applications, infrastructure and users • PCI PA-DSS (Payment Application Data Security Standard) – Software Developers / Payment Application Vendors • PCI PTS (PIN Transaction Security) – Manufacturers • PCI DSS (Data Security Standard) – Merchants & Processors

  10. April 29 Webinar “Understanding PA-DSS” 1:00 p.m. EDT http://campuscommerce.com

  11. PCI DSS: 6 Goals, 12 Requirements

  12. Merchant Levels Varies by Brand

  13. PCI…

  14. Covered Data Elements • Primary Account Number (PAN): 1st 6 / last 4 digits OK to display or store unmasked • Cardholder name, expiration date, service code: only considered CHD if stored together with the full PAN • Sensitive authentication data (full track data, CVV2/CVC2/CID, PIN): the “Holy Grail” for thieves, never to be stored after authorization

  15. Colleges and Universities are like Cities…

  16. Looking something like this… • Athletics • Student Accounts • Parking Services • Library • Theatre • Events • Foundation • Continuing Ed • Radio Station • Hotel • Residential Life • Book Store • Student Life • Reprographics • More…

  17. Higher Education Challenges Many groups, organizations and departments want to offer credit card payments, but they all have: • Different needs • Resource limitations • Lack of payment processing knowledge • This poses challenges for IT: • Open networks and systems • Little or no monitoring of traffic • Overloaded IT staff • Fiscal constraints

  18. Education Is At Risk: Higher Education is Disproportionately Vulnerable (chart of breaches by sector: Education 31%; Medical, Business and Gov’t are the other sectors shown)

  19. How Higher Ed Addressing PCI

  20. How Higher Ed Addressing PCI • 81% said Finance leads PCI, rest shared with IT • 58% fund PCI compliance centrally • Between 1 and 1.5 FTE dedicated to PCI • 67% had key policies in place • 19% PCI compliant now • Schools “somewhat satisfied” with acquirer support • Over 50% experienced a data breach (some fined) Source: Treasury Institute

  21. Validating Compliance

  22. Can I assess myself? • Short answer: Maybe (but you probably don’t want to) • Long answer: Despite popular myth, you can assess yourself, provided: • You follow audit procedures • Your acquirer agrees • An approved officer (think President or CFO) signs on the “dotted line” (attesting to the veracity of the results) • You’re absolutely sure you’re going to do it right

  23. Payment Methods & Validation Requirements (chart: number of validation questions, from 0 up to 233, for each payment method; the left end of the chart needs No Scanning!) • Move as far to the left as possible!

  24. Managing Compliance (process diagram) • Discovery & Assessment • Remediation • Validation • 3 – 12 mos. for the cycle • Re-Validate every 12 months

  25. Readiness Review Readiness Review is Key: • Set strategic direction • Gain support of Executive management • Create merchant awareness • Promote support of IT • Organize PCI Committee • Get Executive report • Build Roadmap for PCI Compliance The PCI Project

  26. PCI Scope: No Segregation, The “Worst Case Scenario” (network diagram: Internet, Payment Server, Cell Phones, Dept PCs, Printers and Laptops all on one network) • Unzoned: EVERYTHING in scope! • Where most campuses start out • Therefore, the entire network is in scope • You don’t want this!

  27. Case Study: The commercial software is PA-DSS certified, but the institution still had gaps under these requirements: • 1 – Firewall configuration • 7 – Access to system components and cardholder data • 8 – Assign unique ID to each person with computer access • 9 – Restrict physical access • 11 – Regularly test security systems and processes • 12 – Maintain a policy that addresses information security

  28. Reduce Your PCI Scope! Let’s Try That Again (network diagram: Internet, Payment Server, Cell Phones, Dept PCs, Printers and Laptops, with the payment systems segmented from the rest) • Strategic Scope • Only payment systems are in scope • Better all around

  29. The PCI Project • Readiness Review • Discovery and Assessment: Payments Analysis, Merchant Discovery, Documentation, Preliminary Scanning, Gap Analysis • Remediation: Correct Problems, Compensating Controls • Validation: ROC or SAQ Submission, Vulnerability Scanning, Penetration Testing • 3 – 12 mos. • Re-Validate every 12 mos
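The “Merchant Discovery” and “Preliminary Scanning” steps above, together with the truncation rule on slide 14 (first 6 / last 4 of the PAN), can be shown with a small cardholder-data discovery scan over logs or exports. The following Python is an added example written for this page; it is not code from the presentation or from CampusGuard. The log lines are constructed (the card numbers are publicly documented test PANs, not real accounts), the keyword list for sensitive authentication data is an assumption, and every match is reported already masked so the scan itself does not create new cardholder-data storage.

```python
import re

# Candidate PAN: 13 to 19 digits, each optionally followed by a space or dash,
# not preceded or followed by another digit (so a 20-digit serial is not split
# into a "card number" fragment).
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Assumed keyword list: field names that suggest sensitive authentication data
# (never storable after authorization) sits next to the PAN on the same line.
SAD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2|track[12]?|pin)\b", re.IGNORECASE)

# Constructed sample log (not real data). 4111... and 3782... are publicly
# documented test card numbers; the "serial" on line 2 fails the Luhn check,
# and the ISBN on line 2 is a 13-digit run that is not a PAN.
SAMPLE_LOG = "\n".join([
    "2010-03-02 10:14:07 parking-kiosk order=88213 card=4111 1111 1111 1111 amount=45.00",
    "2010-03-02 10:15:31 bookstore isbn=978-0-13-110362-7 serial=1234567890123456",
    "2010-03-02 10:16:02 athletics donor card=378282246310005 exp=12/12 cvv=123",
])


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; real PANs pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six / last four, the most PCI DSS allows in the clear."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list:
    """Return masked PANs found in one line; full PANs never leave this function."""
    found = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(text: str) -> list:
    """Scan a text blob line by line and report where cardholder data lives.

    Each hit records the line number, the masked PAN, and whether a sensitive
    authentication data keyword appears on the same line (a higher-severity find).
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for masked in find_pans(line):
            hits.append({
                "line": lineno,
                "pan": masked,
                "sad_hint": bool(SAD_RE.search(line)),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

Run against a copy of a department’s log directory or spreadsheet export, a scan like this is what turns “we think only the payment server has card data” into a list of files and systems that actually hold it, which is the input the scope-reduction slides need. The Luhn filter removes most of the false positives a bare digit regex produces (ISBNs, serial numbers, timestamps), and a hit with a CVV or track keyword on the same line is the case to escalate first, because that data may not be stored at all.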

  30. But I Was Compliant! PCI is a data protection standard, but does not guarantee security

  31. Helpful Sites • PCI Standards Council • www.pcisecuritystandards.org/ • Card Associations • www.visa.com/cisp • www.mastercard.com/sdp • Higher Education Treasury Institute • www.treasuryinstitute.org • Other PCI Sites • www.pcianswers.com • www.pcicomplianceguide.org • PCI Assistance • www.campusguard.com/

  32. Red Flags Rule: June 1!!

  33. Does your campus… • Perform criminal background checks on your employees? • Have a policy on handling of CSI for both IT and the human element? • Train all vendors and employees on the policy? • Have a Vendor Management Program? • Collect applications for financing? • Collect checks or credit cards for payments? • Have customers that pay for services AFTER the service was completed? • Have any employees storing CSI in their homes? • Transfer CSI in their vehicles? • Enter other businesses or homes for a business purpose? • Utilize 3rd party providers for cleaning, insurance, IT services, payroll, etc.? • Hire or recruit employees? • Accept monthly payments from your customers? • And the list goes on… • “No” to any of these vs. “Yes” to any of these: a “Yes” is a sign the Red Flags Rule likely applies to you

  34. 8 Steps to “Safe Harbor” (Organizations must make a reasonable effort to protect CSI) • Designation of an Identity Theft Prevention Officer • A risk assessment of material internal and external risks to the security of CSI • The design and implementation of a written Information Security Policy • Employees must be trained on security policies • Evaluation, adjustment, monitoring, and enforcement of the program on an ongoing basis • A plan for security incidents • A Vendor Management Program • Must have an Identity Theft Prevention Program

  35. What about ACH?

  36. Two ACH Audits • ACH Rules Compliance Audit • mandatory for all participating Depository Financial Institutions (DFIs), and also for all Third Party Service Providers who perform any function of a DFI in the ACH process

  37. Two ACH Audits • Data Security Audit • mandatory for all Originators of WEB transactions • If you outsource, then the responsibility falls onto the third-party service provider

  38. Projections on Compliance: NACHA is currently in the process of reviewing its Data Security requirements • Analyzing the impacts of implementing a system of certification similar to PCI • Similarities and differences between credit card and ACH processing • An educated guess: within 2 years the adoption of something very close to the PCI DSS • Account data at rest will need to be encrypted or tokenized, not just firewalled

  39. What does this mean to you? • When passed, each higher education institution will have to go through (another) audit, this time by NACHA – if you originate ACH files or store banking information • Best Practice: outsource where you can!

  40. Does PCI DSS Make Sense for ACH? • PCI DSS is designed to mitigate theft • NACHA needs something designed to mitigate fraud • Do we need yet another data standard? • Or can we make PCI DSS work for NACHA? • I think so

  41. Team Project

  42. Some Final Thoughts • You are probably doing many things right today • Figure out what you need to do • Create a campus-wide program • Speak up!

  43. Helpful Sites • PCI Standards Council • www.pcisecuritystandards.org/ • Card Associations • www.visa.com/cisp • www.mastercard.com/sdp • Other PCI Sites • www.pcianswers.com • www.pcicomplianceguide.org • PCI Assistance • www.campusguard.com/

  44. April 29 Webinar “Understanding PA-DSS” 1:00 p.m. EDT http://campuscommerce.com

  45. Ron King CampusGuard rking@campusguard.com
