2013 PCI Data Security Awareness Training
What is PCI-DSS?
The Payment Card Industry Data Security Standards (PCI-DSS) are regulations that were created to ensure safe handling of sensitive information and to protect cardholder data.
Importance of Training
Your customers will:
* Appreciate your ability to reduce the threat of identity theft
* Trust you to complete transactions without creating duplicate or invalid charges
* Enjoy peace of mind, knowing that their credit card information is in good hands
The university:
* Takes pride in a skilled workforce
* Values your ability to build customer confidence
* Needs your help in limiting potential losses, fines and penalties
...and you:
* Will have confidence in your ability to safely and efficiently do your job
* Will recognize and evaluate key security features on valid cards
* Will be alert to the warning signs of fraud
* Will know that you can make informed decisions under pressure
Agenda
– UGA Credit Card Policy and Procedure
– Overview of PCI DSS
– Yearly Scans and Questionnaires
– What happens if a breach occurs
– Audits
– Changes and Revisions
– Guest Speakers
– Questions
Policy and Procedures
– Do NOT store, process or transmit credit card information on the UGA network
– Third-party application for any new or updated changes to credit card acceptance
– PCI Questionnaire and Scans
– Daily Batch Settlements (covering and cross-training in case of absences)
– Daily Transmittals and Reconciliations
– Retention policy
– Incident response
– Background checks
PCI
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security
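Requirement 3 and the UGA rule that card data must never be stored on the UGA network both depend on knowing where card numbers actually sit. As an added example that is not part of this training deck, here is a small Python scanner that finds Luhn-valid 13 to 19 digit numbers in text (logs, exports, spreadsheet dumps) and reports them masked; the sample lines are constructed for the demonstration and use card-brand test numbers, not real cardholder data.

```python
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the last four digits; a findings report must never echo a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the masked form of every Luhn-valid PAN candidate found in one line."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):               # drops phone numbers, order ids, timestamps
            hits.append(mask_pan(digits))
    return hits


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan a sequence of lines and return (line number, masked PAN) for each hit."""
    return [(n, masked) for n, line in enumerate(lines, 1) for masked in find_pans(line)]


# Constructed sample input (hypothetical export rows, not real data).
SAMPLE_LINES = [
    "2013-03-01 order=1042 card=4111111111111111 exp=09/14",  # Luhn-valid Visa test PAN
    "customer phone 706-542-3106, ticket 20130301",            # digits, but not a PAN
    "backup row: 5555 5555 5555 4444 amount=42.00",            # Luhn-valid, space separated
    "reference 1234567812345678 (not a card number)",          # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: possible stored PAN {masked}")
```

Run it against exported batch files or application logs before a scan or questionnaire; any hit means cardholder data is being retained where the policy says it must not be.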
Yearly Scans and Questionnaires
Annual Assessment Questionnaire
– Required of all merchants, regardless of level
– Self-Assessment, or performed by a Qualified Security Assessor (QSA): A, B, C-VT, C, D
Security Vulnerability Scan (quarterly)
– Required for external-facing IP addresses, web applications, and POS software and databases on networks; applies even if there is a redirection link to a third party
– Must be performed by an Approved Scanning Vendor (ASV)
– Validation is based on the level assigned to the merchant, which is based on transaction volume; Visa and MC schedules are different, and Visa's schedule is what most go by
Breaches 2012 – Business
Zappos! (January): 24 million records including partial credit card numbers illegally accessed. Estimated direct cost: $46,560,000,000.00
Global Payments (February): 1.5 million card numbers and other information stolen in a security breach which reportedly occurred between Jan. 21 and Feb. 25, 2012. Estimated direct cost: $291,000,000.00
Schnucks Markets (March): 2.4 million credit and debit card numbers stolen. Estimated direct cost: $465,600,000.00
Wyndham Hotels (June): the FTC files a lawsuit against the hotel chain for failing to secure customer data. The chain was hacked three times in two years, resulting in the theft of more than 600,000 credit card numbers. Estimated direct cost: $11,640,000.00
State of South Carolina (September): the SC Department of Revenue lost 6.4 million taxpayer records that included Social Security Numbers, credit card numbers, and debit card numbers. Anyone filing an online tax return from 1998 to 2012 was potentially affected. Estimated direct cost: $12,416,000,000.00
Breaches 2012 – Higher Education
University System of Maryland (January): 8,000 records of prospective students, some with credit card numbers, were found on a public server. Estimated direct cost: $1,552,000.00
Universities of Maine, Arkansas, and Rochester NY (May): 4,617 records stolen from the computer stores that serviced the campuses. Estimated direct cost total: $895,698.00
Breach Example 1
A Friday in September: an employee entering credit card information on a kiosk decides to check their email. Their inbox contains an email from a friend. The subject line reads "Still need tickets?" The message says "He needs to sale these!!! CHEAP!" and contains a link. The employee clicks the link and is taken to a website that has nothing to do with football tickets. They leave the site, but have already downloaded malicious software.
Breach Example 2
Over the weekend an attacker manages to spoof a trusted IP address and gain access to a payment card network. The attacker quickly runs through a list of known manufacturers' default passwords and discovers that no one changed the password on a POS system. It is quick work for the attacker to introduce a backdoor that captures transaction details. It could be months or even years before the compromise is detected.
Breach Example 3
While in a checkout line, a customer accidentally knocks over her handbag, scattering its contents on the floor behind and under the counter. While the cashier is distracted by helping the customer, a second person switches out the Point of Sale unit for an identical one set up to skim PINs and card information. Thousands of debit and credit card numbers are intercepted before a new POS is installed and the switch is discovered.
Breach Example 4
Strange traffic is logged on your payment card network over Christmas break. A physical sweep of the area where the kiosk is located reveals an unauthorized wireless access point in a nearby closet. One of the custodial staff reports an "IT guy" doing some work in the closet a few months ago. They were in there early in the morning, and that was memorable. No one on your staff fits the description given.
What is a Compromise or Incident?
– Malicious Code: a virus, worm, Trojan horse, or other malicious code that infects a computer
– Inappropriate Usage: a person violates computing use policies or laws
– Unauthorized Access: a person gains logical or physical access to a network, system, application, data, or other resource without permission
– Theft: of data or devices
Immediate Response
Should you become aware that any cardholder data was subject to compromise, alert the following IMMEDIATELY:
– UGA Office of Information Security
– UGA Bursar's Office
Immediately work with the Office of Information Security to limit the exposure. The Bursar's Office will work with you and the credit card processor regarding the appropriate response to them as well as to the customers impacted.
Security Incident Reporting
Contacting Information Security
– Call the EITS Help Desk
– Phone: 706-542-3106 (press 2)
– If you cannot get assistance by calling the EITS Help Desk, you can report incidents by sending an email to email@example.com.
– If there is a criminal violation, notify UGA Police
The Role of Information Security
– Assess the situation and extent of loss
– Collaborate on a remediation plan
– Legal and policy compliance
Compromised System Response
– Do not access or alter compromised systems
– Do not turn the compromised machine off
– Isolate compromised systems from the network
– Preserve logs and electronic evidence
– Log all actions taken
– Be on high alert and monitor all systems
Aftermath
The Bursar's Office will:
– Provide all compromised accounts to the merchant services provider and to any other agency/company as instructed by the merchant services provider and/or card associations
– Provide an Incident Response Report document to each card association (within the timeframe they specify)
– If required by the card associations, undergo an independent forensic investigation
Changes and Revisions
Update to UGA procedure: all Point-of-Sale terminals that use a wired connection must do so over a Centrex analog line. The UGA Office of Telephone Services can be consulted should you have any questions on a connection, new or existing.
WARNING: NEVER ALLOW ANYONE TO INSPECT, PROGRAM OR REMOVE YOUR TERMINAL UNLESS YOU HAVE OBTAINED AUTHORIZATION FROM THE CREDIT CARD OFFICE.
VISA and Card Industry Updates: Technology Innovation Program
Effective October 1, 2012, Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions originate from dual-interface EMV chip-enabled terminals, in addition to meeting other qualification criteria.