PCI-DSS Compliance and Payment Card Acceptance Cathy Freeman Cash and Treasury Services Phone: 864-656-0530 Email: Cdorfne@clemson.edu Website: http://www.clemson.edu/cfo/cash-treasury/
Agenda • PCI-DSS Defined • Brief History • Why is PCI-DSS Compliance Important? • Merchant Levels and Requirements • CU PCI Best Practices • PCI Compliance Responsibilities • Virtual Terminals • Credit Card Payment Information • Who Gets Overlooked • Accepting Credit Cards on Campus • Questions
PCI-DSS Defined • Payment Card Industry Data Security Standard: a collaborative effort to achieve a common set of security requirements for use by entities that process, store or transmit payment card data. • Multiple credit card organizations participate in PCI efforts. Members include Visa, MasterCard, American Express, Diners Club, Discover Card and JCB.
Brief History • The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. • The major credit card companies (VISA, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that ALL merchants must comply with in connection with the acceptance of payment cards. These new standards are called Payment Card Industry Data Security Standards or PCI DSS. These standards have placed additional responsibilities on CU departments in connection with acceptance of payment cards.
Why is PCI Compliance Important? • Good business practice. • PCI compliance is like insurance. • Large monetary fines assessed to your department and/or Clemson University. • Loss of merchant status for department. • Loss of merchant status for Clemson University. • Loss of faith in Clemson University name. • You are vulnerable!
Why is PCI Compliance Important? • Because they are after us! • Since 2008, educational institutions have experienced a staggering 158 data breaches, resulting in over 2.3 million reported records compromised. • Higher ed institutions have become a predominant target for cyber criminals because of the substantial amount of distinct types of data they possess. Databases at colleges include names, addresses, financial information, credit card numbers, SSNs and healthcare records of employees, students and parents. Source: Application Security, Inc.
Why is PCI Compliance Important? • Estimated $3.4 Billion Lost to Online Fraud The $700 million increase in estimated total fraud loss (vs. 2010) was driven by the overall growth in ecommerce in 2011. Source: CyberSource Online Fraud Report • Countries With The Most Card Fraud: U.S. and Mexico One recent survey finds that 27% of cardholders (debit, credit and prepaid) around the world have experienced fraud in the past five years. Rates of fraud vary across countries, but Mexico and the United States are more prone to fraud, with 44% and 42% of respondents there saying they've experienced card fraud. The report from Aite Group and ACI Worldwide, which surveyed over 5,000 consumers in 17 countries, notes that U.S. consumers are heavy card users; more card use means a greater likelihood of card fraud. Source: Forbes
Why is Compliance Important? You don't want to make the headlines!
Why is PCI Compliance Important? Costs of Non-Compliance • The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
Why is PCI Compliance Important? Breach Trends and The Facts • Main causes of a data breach: hacking is now #1 • Data breaches will likely affect your reputation. • 76% of organizations surveyed acknowledged that their reputation was impacted as a result of the loss or theft of customer information. • Types of data most often stolen: • Password/PIN • Credit card or bank payment information • Credit or payment history • Driver's license/SSN
Why is PCI Compliance Important? Breach Trends and The Facts • It Can Be A Long Road To Recovery • 64% of organizations say they are concerned that data compromised in a data breach will be used to commit other types of fraud. • Breaches Can Strike Twice or Even Three Times • 85% of recent survey respondents indicated that their organization had more than one breach involving customer data in the last 24 months. • Your Reputation Doesn't Bounce Back Immediately • To restore an organization's reputation after a breach that involved customer information takes about a year (11.8 months).
Definition of Merchant Levels All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level. Merchant levels as defined by Visa:
QSA Onsite Review • Is a detailed audit against the PCI Data Security Standard • Potentially targets all systems and networks that store, process and/or transmit cardholder information • Includes review of contractual relationships, but not assessment of the third parties themselves • Must be performed by a Qualified Security Assessor (QSA), a company qualified by the PCI Security Standards Council (not by an individual card brand) • The biggest difficulties in onsite reviews are the initial scoping and the subsequent cost of remediation to reach compliant levels.
Self-Assessment Questionnaire (SAQ) • Is a selected subset of the full onsite audit criteria • Is completed by the merchant or service provider • Is submitted to the acquirer(s) • Is made up mainly of Yes/No/Not Applicable responses • Is broken into five of the six control objectives of PCI DSS: • Build and Maintain a Secure Network • Protect Cardholder Data • Implement Strong Access Control Measures • Regularly Monitor and Test Networks • Maintain an Information Security Policy
Network Security Scanning • Targets Internet-facing devices, systems and applications, including: • Routers and firewalls • Servers and hosts (including virtual) • Applications • Must be performed by an Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council (not by an individual card brand) • May not have any Severity 3 or greater issues: • 5 (Urgent): Trojan horses, file read and write exploits, remote command execution • 4 (Critical): Potential Trojan horses, file read exploits • 3 (High): Limited exploit of read, directory browsing and denial of service. Note that this 1 to 5 severity scale comes from the original scanning program; the current ASV Program Guide instead fails a scan for any vulnerability with a CVSS base score of 4.0 or higher, so check the threshold your ASV applies before assuming a scan will pass.
CU PCI Compliance Best Practices • Merchants must stop storing credit card numbers and the card security code (CVV2/CVC2/CID) on any computer, server, or database. This includes Excel spreadsheets. The security code must never be stored after authorization, even in encrypted form. • Treat payment card receipts like you would cash. • Keep payment card data secure and confidential. • Limit access to system components and cardholder data to only those individuals whose job requires such access. • Assign all users a unique ID before allowing them to access system components or cardholder data.
CU PCI Compliance Best Practices • Documents containing cardholder data must be kept in a secure environment (e.g., a safe or locked file cabinet). • Never send cardholder information via email. Credit card numbers must not be transmitted in an insecure manner, such as email, unsecured fax or campus mail. • Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment. • Render the card number (PAN) unreadable anywhere it is stored, for example by truncation, tokenization or strong encryption.
CU PCI Compliance Best Practices • Manual swipes or imprinters are not authorized for use. • Any new systems/software that process payment cards are required to be approved by the Cash and Treasury Office prior to being purchased. • Any computer system hosting a credit card application must be housed in CCIT’s data centers due to security requirements. • Computer systems that process payment cards must be behind a firewall. • Use and regularly update anti-virus software.
CU PCI Compliance Best Practices • Do not use vendor-supplied defaults for systems passwords and other security parameters. • Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data. • Report all suspected or known security breaches to Cash and Treasury Services and CCIT’s Information Security & Privacy.
Credit Card Data Storage Motto If you don’t need it, DON’T KEEP IT!
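As an added example (not from the original slides and not Clemson or PCI SSC code), the following Python script shows the "find what you kept" check behind this motto and the best practice above of not storing card numbers on any computer, spreadsheets included. It scans text such as an exported CSV for digit runs that pass the Luhn check every payment card number passes, and masks each hit to first six / last four, the most PCI DSS allows to be displayed. The CSV rows are constructed sample input (the card numbers are the public Visa and MasterCard test numbers, not real cards), and the function names are my own.

```python
"""Discover and mask stored card numbers (PANs) in text such as an exported spreadsheet.

Added example for this page; not Clemson or PCI SSC code. Function names and the
sample CSV below are my own, constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the match from starting or ending inside a longer digit run.
_CANDIDATE = re.compile(
    r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?!\d)(?![ -]\d)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every real card PAN passes; filters out most false hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str


def scan_text(text: str) -> tuple[list[Finding], str]:
    """Return (findings, redacted_text): Luhn-valid candidates are masked in place."""
    findings: list[Finding] = []
    redacted: list[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):

        def _replace(m: re.Match[str]) -> str:
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                masked = mask_pan(digits)
                findings.append(Finding(line_no, masked))
                return masked
            return m.group(0)   # digit run that is not a PAN: leave untouched

        redacted.append(_CANDIDATE.sub(_replace, line))
    return findings, "\n".join(redacted)


# Constructed sample: a departmental "payments" spreadsheet exported to CSV.
# 4111... and 5500... are the public Visa/MasterCard test numbers, not real cards.
SAMPLE_CSV = """Order,Name,Card,Amount
1001,J. Doe,4111 1111 1111 1111,25.00
1002,A. Smith,5500-0000-0000-0004,40.00
1003,Call back,864-656-0530,0.00
1004,Not a card,1234567890123,10.00"""


if __name__ == "__main__":
    hits, cleaned = scan_text(SAMPLE_CSV)
    for h in hits:
        print(f"line {h.line_no}: PAN found, masked to {h.masked}")
    print(cleaned)
```

The phone number and the 13-digit order reference are left alone because they fail the Luhn check, which is what keeps a scan like this from drowning in false positives. The masked value that remains (first six, last four) is a truncated PAN, which PCI DSS accepts as one way of rendering the number unreadable, so the cleaned file can be kept where the original could not; the original spreadsheet should then be securely deleted, not just overwritten in place.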
CU PCI Compliance Responsibilities Merchant • Complete and submit the Self-Assessment Questionnaire (SAQ) annually. • Each merchant is responsible for its own PCI DSS compliance. • Develop a departmental credit card data information security policy, procedures or plan. • Implement all data security controls necessary to comply with PCI DSS requirements. • Attend the annual PCI DSS Compliance Training conducted by the Cash and Treasury Services Department.
CU PCI Compliance Responsibilities Cash and Treasury Services • Provide guidance and support to the merchant's PCI DSS compliance efforts. • Make recommendations on how to lower a merchant's risk of exposure to breaches. • Coordinate and assist in the completion and submission of SAQs by all merchants. • Serve as liaison between the merchant and the credit card processor. • Assist merchants in responding to a possible breach.
CU PCI Compliance Responsibilities CCIT Information Security & Privacy • Completes, and coordinates with Cash and Treasury Services, a single Self-Assessment Questionnaire (SAQ) for the University. • Provides guidance and support to the merchants' PCI DSS compliance efforts from a technical perspective. • Makes recommendations on how to implement compensating controls that will meet particular PCI DSS requirements. • Provides application and website vulnerability scanning. This can also be done at the system level. • Assists merchants and Cash and Treasury Services in responding to a possible breach and in the breach investigation.
Virtual Terminals and PCI Compliance A virtual terminal is a web-based application that allows merchants to accept credit card payments using their Internet-connected computers. Like the traditional credit card terminals that you see at most retail stores, virtual terminals can accept both swiped and keyed transactions. Virtual terminal workstations must be segmented and secured. To qualify for the reduced virtual-terminal questionnaire (SAQ C-VT), a merchant must meet all of the following criteria: • Merchant's only payment processing is via a virtual terminal accessed by an Internet-connected web browser
Virtual Terminals and PCI Compliance • Merchant accesses the virtual terminal via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment • Merchant’s virtual terminal solution is provided and hosted by a PCI DSS validated third party service provider • Merchant’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward) • Merchant’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached)
Virtual Terminals and PCI Compliance • Merchant does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet) • Merchant does not store cardholder data in electronic format • If merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically.
Credit Card Payments Nearly one-third (30%) of students put tuition on their credit card, an increase from 24 percent in the previous study. 84% of the student population overall have credit cards. 92% of undergraduate credit cardholders charged textbooks, school supplies, or other direct education expenses, up from 85% when the study was conducted in 2004. Source: Sallie Mae, "How Undergraduate Students Use Credit Cards," April 2009
Credit Card Payments Current credit card payment methods on campus: • Point of Sale Terminals • E-commerce & Online Payment
Credit Card Payments In FY 2012, Clemson University merchants processed: Total Transactions (Online and POS): 201,731 Total Revenue (Online and POS): $53,042,373.91 Number of Merchants: 110
What Gets Overlooked? Paper
What Gets Overlooked? People
What Gets Overlooked? Process PCI Compliance Cycle
Accepting Credit Cards on Campus • Thinking of taking payment cards or changing your current process? Contact Cash and Treasury Services first. • Do not go it alone. The State of South Carolina mandates whom we can use for credit card processing. PayPal accounts and devices like Square for your iPad or iPhone cannot be used. • Our current credit card processing companies are First Data, TouchNet and Official Payments. • Contact Cash and Treasury Services for the current credit card rates charged by First Data, TouchNet and Official Payments. • Clemson University accepts American Express, Discover, MasterCard and Visa.
Just Remember… • Data Security is an ongoing process • Recognize the risks at all levels to your department. • Understand what you can do to be proactive. • Determine what behaviors and processes may have to change.
Want to know more? Resources PCI Data Security Standards PCI for Merchants https://www.pcisecuritystandards.org/merchants/index.php PCI Data Security Standards https://www.pcisecuritystandards.org/security_standards/index.php CU Network Security Policy http://www.clemson.edu/ccit/about/policies/network_security.html
Points of Contact Has data been compromised? The first 24 hours are critical! Contact: Office of Information Security and Privacy 864-656-7131 http://www.clemson.edu/ccit/help_support/safe_computing/ And Cash and Treasury Services Banking and Payment Card Coordinator 864-656-0530 http://www.clemson.edu/cfo/cash-treasury/
Points of Contact A confidential Ethics Line is provided as a service to assist any member of the University community with reporting concerns or issues about questionable practices. These may include fraud, theft, conflicts of interest, abuse of assets or property, or violations of laws or regulations. Toll Free: 1-877-503-7283 (1-877-50FRAUD) Available 24 hours a day, seven days a week. Leave a message, or visit www.clemson.edu/administration/internalaudit/contactus.html
PCI Compliance Training Questions 1) What Does PCI-DSS Stand For? • A. Protect Computer Identity-Data Security Standard • B. Payment Card Industry-Data Security Standard • C. Payment Card Industry-Data Safety Standard • D. Payment Card Identification-Develop Security Service Answer: B. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.