
Northern KY University Merchant Training


yates


  1. Northern KY University Merchant Training

  2. Discussion Topics
  • What is PCI-DSS?
  • Credit Card Processing
  • Two specific facets (Technical & Functional)
  • Penalties for non-compliance
  • Risks
  • Plan of Action

  3. What is PCI-DSS? • Payment Card Industry Data Security Standards (DSS) initially created by Visa and MasterCard (officially in 2006) now includes Discover, Amex and JCB. • All credit card companies in the U.S. have endorsed the Standard • PCI-DSS created so there would be common industry security requirements

  4. Purpose • Mandated by credit card companies – “If you accept our credit card(s), you must follow these rules.” • Protect customers against fraud and identity theft. • To avoid breaches and fraud resulting in lost revenue.

  5. What PCI is NOT • PCI is NOT something we can ignore. • PCI is NOT a project -- It is an ongoing program. • It is NOT a silver bullet. • It is NOT an option -- If we accept credit cards as a source of payment, we must comply. • It is NOT static.

  6. Twelve Requirements There are twelve seemingly simple requirements; however, they break down into approximately 230 sub-requirements, depending on the Merchant Level and the SAQ you are required to complete.

  7. PCI DSS Requirements
  Goal: Build and Maintain a Secure Network
  • 1. Install and maintain a firewall configuration to protect cardholder data
  • 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  Goal: Protect Cardholder Data
  • 3. Protect stored cardholder data
  • 4. Encrypt transmission of cardholder data across open, public networks
  Goal: Maintain a Vulnerability Management Program
  • 5. Use and regularly update anti-virus software or programs
  • 6. Develop and maintain secure systems and applications
  Goal: Implement Strong Access Control Measures
  • 7. Restrict access to cardholder data by business need to know
  • 8. Assign a unique ID to each person with computer access
  • 9. Restrict physical access to cardholder data
  Goal: Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network resources and cardholder data
  • 11. Regularly test security systems and processes
  Goal: Maintain an Information Security Policy
  • 12. Maintain a policy that addresses information security for all personnel

  8. SAQs (Self-Assessment Questionnaires) • Attestations of Compliance are included as part of each SAQ.

  9. Scope “Any network component, server, or application that is included in or connected to the cardholder data environment”

  10. Scope
  • Map network(s) and cardholder data flow
  • Use an automated tool to find your data
  • Interview each campus merchant
  • Understand business and data needs
  • Determine actual business processes
  • Identify third-party service providers
  • Get details on all payment applications (logs, traces)
  • Vendors can be frustrating

  11. Penalties • Fines up to $500,000 from each credit card company + $197 per account holder • Forensic Investigation by QSA (Qualified Security Assessor) begins at $10,000. • Increased auditing requirements • Negative Public Relations • Losing the ability to process credit card transactions completely Websites: www.privacyrights.org/ and www.pcisecuritystandards.org/

  12. College & University Breaches • University breaches have increased exponentially since 2005 • Open vulnerable networks • Numerous merchants across campuses • Payment processes spread over large geographical area

  13. Security Breaches Approximately 600,000,000 records breached since 2005. The running total represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals. Since 2010 there have been 88 breaches (mostly universities, a few high schools). 98% of hacking successes are the result of default passwords being left in place. Always change default passwords.

  14. Universities Are At Risk • Network penetration, server hacking, SQL injection, stolen laptop and desktop computers, unlocked offices/desks, and unsecured USB portable drives, CDs and DVDs containing sensitive information; particularly PANs, SSNs, names, addresses and birthdates.

  15. Credit Card Processing

  16. Dial-Up Terminal (flow diagram; labels as shown on the slide) Parties: Merchant, Dial-Up Terminal, Processor, Interchange, Card Owner’s Bank, Issued Card, Merchant’s Bank. Flows: Authorization Request, Authorization Confirmation, Settlement ($$$, $). Fees: Discount Fees, Services Fees, ACH Fees, Banking Fees.

  17. SSL Terminal (flow diagram; labels as shown on the slide) Parties: Merchant, SSL Terminal, Processor, Interchange, Card Owner’s Bank, Issued Card, Merchant’s Bank. Flows: Authorization Request, Authorization Confirmation, Settlement ($$$, $).

  18. Internet Processing (flow diagram; labels as shown on the slide) Parties: Gateway, Processor, Interchange, Card Owner’s Bank, Issued Card, Merchant’s Bank. Flows: Authorization Request, Authorization Confirmation, Settlement ($$$, $).

  19. Mobile Processing (flow diagram; labels as shown on the slide) Parties: Cellular Network, Processor, Interchange, Card Owner’s Bank, Issued Card, Merchant’s Bank. Flows: Authorization Request, Authorization Confirmation, Settlement ($$$, $).

  20. Cost Comparison

  21. Spectrum of Risk Equipment/Point of Sale System
  • Cash
  • Dial Terminals
  • Mobile (Encrypted Reader)
  • Wireless Terminals (using cell phone networks)
  • SSL Terminals
  • Website Redirected Payments
  • Virtual Terminals
  • Web-based Applications
  • Wi-Fi Terminals
  • WEP/WPA Encrypted Wireless Networks -- must be WPA2
  • Any system storing Card Holder Data (prohibited by PCI)
  • Manual Imprinters

  22. In the future… • EMV (Europay, Visa, MasterCard): October 2015 • P2PE (Point-to-Point Encryption)

  23. Questions?
