PCI: PCI Compliance on Campus, What's Next. NYSOBBA Conference, June 11, 2013, Syracuse, New York
What is PCI and PCI DSS? PCI is the Payment Card Industry, which includes the card brands VISA, Mastercard, Discover and American Express. PCI DSS (Payment Card Industry Data Security Standard) is the collaborative effort of all credit card issuers to develop a set of requirements designed to ensure that the processing, storage or transmission of credit card information is done in a secure environment.
PCI Relationships (diagram): Card Associations, PCI SSC, Merchant Banks, Credit Card Security
PCI "Ecosystem" (diagram): ecosystem of payment devices, applications, infrastructure and users. PCI Security & Compliance is made up of PCI PA-DSS (Payment Application Data Security Standard, for software developers and payment application vendors), PCI PTS (PIN Transaction Security, for device manufacturers) and PCI DSS (Data Security Standard, for merchants and processors).
What is PCI DSS? PCI DSS: Payment Card Industry Data Security Standard. Its goal is to protect "Cardholder Data". These standards apply to any person or entity that accepts credit or debit cards as payment, regardless of the method of acceptance.
Who Must Comply?
• On Campus: Point-of-Sale, Mail / Fax-in Orders, Telephone Orders, Online forms
• Systems Involved: Which systems process or store card data? Which other systems are connected to them?
Merchant Level 3 Requirements: Not required to do an onsite assessment. Must complete an annual Self Assessment Questionnaire (SAQ). Required to perform a quarterly network security scan by a qualified ASV (Approved Scanning Vendor).
Merchant Level 4 Requirements: Not required to do an onsite assessment. Must complete an annual Self Assessment Questionnaire (SAQ). Required to perform a quarterly network security scan by a qualified ASV (Approved Scanning Vendor). Consult with your bank regarding the deadline.
What is PA DSS? PA DSS is the program managed by the PCI Security Standards Council that payment applications must follow so that merchants using those applications can be PCI DSS compliant. PA DSS applies to software vendors who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement. PA DSS does not cover internally developed or customized applications, back office or database applications, or fully hosted service providers.
What Does this Mean to Higher Education? Under PCI DSS, colleges and universities are treated the same as any other merchant and must adhere to these standards. PCI DSS is a business issue that has an Information Technology (IT) component; it is not only an IT issue. PCI DSS involves education, training, communication and an ongoing process of monitoring for compliance.
Higher Ed Is Vulnerable (chart by sector; sectors shown: Government, Higher Education, Healthcare, Financial Services, Retailers, Other; values shown: 6%, 33%, 8%, 14%, 17%, 22%). Source: Privacy Rights Clearinghouse
PCI Myths
• PCI is an IT project
• Outsourcing will make us compliant
• One vendor and product will make us compliant
• PCI will make us secure
• We completed a SAQ (Self Assessment Questionnaire), so we are compliant
• All our vendor software is PCI compliant
2.0 and Beyond
• Version 2.0: clarifications, new cycle
• Relationship between PCI DSS and PA-DSS
• PAN (Primary Account Number) is the defining factor for scope
• Testing procedures
• 3-year cycle
• Virtualization (new SAQ C-VT)
• Encryption (P2PE)
• Mobile Devices
Evolution of the Mobile Devices (diagram): Personal Data and Business Data on the same device
Mobile Devices Challenge (diagram): Productivity and Cost Savings versus Compromised Information
Conclusion: PCI compliance is never complete; it is something that must be constantly assessed. The risk associated with meeting PCI standards should weigh heavily in any decision to pursue emerging technologies such as mobile devices for payment processing. PCI Security Standards Council website: https://www.pcisecuritystandards.org