
NC Financial Systems Conference 2010 PCI Compliance & Credit Card Processing What Does It Mean & How Do We Get There?




1 NC Financial Systems Conference 2010 PCI Compliance & Credit Card Processing What Does It Mean & How Do We Get There?

2 Agenda
1. PCI / PA-DSS / PTS
2. Changes & Deadlines
3. Watch Out For…
4. University Strategies

3 Payment Card Industry Evolution
Phase 1 – Focus on Banks, Processors, Gateways (CISP, PED)
Phase 2 – Focus on Merchant (PCI)
Phase 3 – Focus on Application & PIN Transactions (PA-DSS, PTS)

4 Who are the major players?
University Compliance
PCI Security Standards Council
TrustWave or other ASV
You
TouchNet, CashNet, NelNet
3rd Party Apps

5 Why PCI?
We are all merchants
Agreed to comply
Agreed to fines and fees
No one can relieve us of our obligations
PCI-DSS
Applies to all merchants
Requires an annual self-assessment for each method of payment
Requires quarterly network scans by an approved scanning vendor (ASV)
https://www.pcisecuritystandards.org

6 PCI – Getting Started https://www.pcisecuritystandards.org/pdfs/pcissc_getting_started_with_pcidss.pdf

7 PCI Standard Requirements https://www.pcisecuritystandards.org/pdfs/pcissc_getting_started_with_pcidss.pdf

8 PCI

9 PA-DSS
Applies to software vendors and others who develop and sell payment applications
Applies to storing, processing and transmitting data
In-house payment applications that are not sold to a 3rd party are not subject to PA-DSS but must still be secured in accordance with PCI-DSS
Vendor – responsible for the certification process
Merchant – verify the application is listed by the PCI Security Standards Council as a PA-DSS certified payment application (specific to its release number)
https://www.pcisecuritystandards.org/security_standards/vpa

10 PA-DSS Process
Review end-to-end functions
All input and output
Where stored, who has access to the PC, where data goes
Error Conditions
Cached information, notifications
Interfaces/Connections to Other Systems
Data Flow
Encryption Mechanisms
Authentication Mechanisms

11 Validated Payment Applications

12 PTS
Formerly PCI PED
Set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities
Requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it
Merchants should only use PIN entry devices that are tested and approved by the PCI SSC
https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html

13 Approved PIN Transaction Security

14 Why Comply?
We are all merchants
Agreed to comply
Agreed to fines and fees
No one can relieve us of our obligations
Why Are You Vulnerable?
Business vs Faculty vs Vendor
Historical Data that Hasn't Gone Away
People trying to be helpful
Bad Business Practice
Phone Payments
Alumni Lists
Mailing Lists
What you don't know CAN hurt you…

15 Cost of Not Complying
Recarding
Fines from Bank, Visa and card companies
Insurance Costs
Cost to the University's Image

16

17 Changes & Deadlines
NOW – PCI-DSS compliance – should be performing self-audits
July 1, 2010 – PA-DSS & PTS
More Changes Coming!!!
Lifecycle Process for Changes to PCI DSS

18 What To Do
Embrace PCI DSS Objectives as a Reality of Doing Business
Educate Campus Merchants about PCI Security Standards
Find the Needles, not the Haystacks
Start in the Business Office
Expand to the Campus
Enforce PCI Requirements Campus-Wide
Have a Procedure
Understand the Risks
Leverage a Strategy that Minimizes the Number of Systems on Campus which Touch Sensitive Payment Data
Architect Big, Implement Small
Replace Out-Dated POS equipment with PTS-Compliant Devices
Download the PCI Security Council Quick Reference Guide - https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Become familiar with the NC OSC PCI Security Compliance Program website

19 OSC PCI Compliance Website
Understanding PCI Data Security
PCI Security Standards Overview
Understanding PCI Data Security Presentation
Applicability of PCI Data Security Standard (PCI DSS) to Card Capture Methods
Policy for Security Incident Plan
PCI Related Memorandums
Common Payment Services - Report of Compliance
PCI Data Security Resources
State E-Commerce Program
PCI Security Standards Council, LLC
PCI Data Security Standard (v. 1.2)
PCI Self-Assessment Questionnaire (v. 1.2)
PCI Penetration Testing Requirement 11.3
VISA's Cardholder Information Security Program (CISP)
MasterCard's Site Data Protection Program (SDP)
Glossary of Terms
List of Compliant Service Providers
Payment Application Data Security Standard
Visa's List of Validated Payment Applications
PCI Council's List of Validated Payment Applications
Sample Addendum for Requirement 12.8
TrustWave TrustKeeper Validation Service
Compliance with PCI Data Security Standards
Validation of PCI Compliance Requirements
Trustwave Validation Enrollment
Trustkeeper Portal Login
Responding to Notice of Non-Compliance
PCI Validation for Service Providers

20 OSC PCI Compliance Website

21 Things to Look For
Rogue Departments
Miscellaneous Revenue
Mailers with credit card information mailed back to the university
Receipting – type of payments should be monitored
Point of Sale (POS)
Analog line
Make sure the model does not retain card information; stored numbers should be truncated
Web-Based Applications
Processor – FirstData, VisaNet, Nashville, etc.
Payment Gateway – CPS, PayPoint Gateway, 3rd party with OSC approval
3rd party applications – PCI certificate of compliance; if using a 3rd party for credit card processing, ensure they remit on a daily basis

22 The Clock is Ticking…

23 PCI References
PCI Council: https://www.pcisecuritystandards.org/index.shtml
OSC PCI: pci.html
Useful Info:

24 Cost of Non-Compliance
Did you know:
– A breach with any one merchant on our campus could mean that ALL credit card transactions for the University may cease.
We each have ONE chain number for each campus
Each chain has all our merchants attached to it.
The cut off comes at the chain level – not the merchant

25 Cost of Non-Compliance
In 2008, millions of Americans' personal credit card records were compromised.

26 Cost of Non-Compliance
If your credit card processing system is breached/compromised:
Your credit card system is stopped
You pay fines
You pay for a forensics audit (from $10,000-$100,000)
You lose the right to process credit cards until compliance is achieved and verified.
You pay the replacement cost of cards that were compromised (about $200 per card)
You pay more fines if any of the credit cards were used fraudulently (up to $500,000 per incident)

27 What ECU is Doing
Currently all Credit Card Transactions, except athletics, are using Touchnet
Athletics use the Paciolan System
Students use Bill Payment Suite
– Statements
– Banner Balances
– Banner payment/charge history

28 What ECU is Doing
Touchnet U-PAY Sites
Parking & Traffic (T2)
Alumni (Imodules)
Continuing Education (AceWare)
Housing (CBORD)
Orientation (In-house written)
On-Line Giving (In-house written)

29 What ECU is Doing
Touchnet Payment Point
– Graduate School Applications (Banner)
Touchnet eCheck – In process of implementing
Convenience Fees – In process of implementing (along with stopping the use of VISA credit cards)

30 What ECU is Doing
Touchnet U-Store (works as a shopping cart type application)
Evaluating for small campus divisions that would like to do credit card processing:
Library – Membership, special events
College of Education – camp fees
College of Business – tests/events

31 What ECU is Doing
Security Department Changes that are coming to ECU
Locking down any PC that does credit card transactions (athletics & box office & staff computers)
– No Adobe
– No administrative privileges
– No software updates
– No profile changes
– Static IP for credit card processing only
– Staff doing credit card processing along with other tasks will have two computers – one dedicated to Credit Card processing

32 What ECU is Doing
No electronic storage of Credit Card numbers is allowed
Financial Services is responsible for credit card compliance – IT advises.
Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed. They are destroyed when no longer needed.
All credit card requests go through IT, the Cash Management Director and Finance

33 What UNCW is Doing
No electronic storage of Credit Card numbers is allowed
The Controller's Office is responsible for credit card compliance – IT advises.
Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed. They are destroyed when no longer needed.
All credit card requests go through the Controller's Office, the Director of Student Accounts/Cashiers Office and Financial Systems

34 What UNCW is Doing
Currently all new Credit Card Transactions are using Touchnet
Students use Bill Payment Suite
– Statements
– Banner Balances
– Banner payment/charge history
– eRefunds

35 What UNCW is Doing
Touchnet U-PAY Sites
Athletics (JumpTV & In-house written)
Graduate School (Apply Yourself)
Public Service (AceWare)
Housing (In-house written)
Orientation (In-house written)
Annual Giving (RuffaloCody)
Alumni Association (In-house written)
Creative Writing Ecotone (One Cow Standing)
Admissions (AdmissionsPro)
Box Office (eTix)

36 What UNCW is Doing
Touchnet Payment Point
– Registrar Office Reenrollment Fees (Banner)
Touchnet PayPath
– Implementing July 1, 2010
Convenience Fees – In process of implementing (along with stopping the use of VISA credit cards) for student payments only

37 University Strategies
Round Table Discussion of How Universities are Handling PCI Compliance and e-Commerce
Back-to-Basics List for PCI Compliance (All of these items are doable, but require focused effort and attention to detail.)
Identify all campus merchants and pay points
Verify all payment software is PA-DSS certified
Verify PIN data collection devices are PTS compliant
Verify that any hosting centers in use are PCI DSS certified
Complete and submit annual compliance reports
Perform regular PCI training for campus merchants
Scan campus computers for unprotected card data
How and What are WE Doing?
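Two items in this deck are concrete enough to show in code: slide 37's "scan campus computers for unprotected card data" and slide 21's point that any retained card number should be truncated. The following is an added example written for this page, not code from the presentation or from any vendor named in it. It finds candidate card numbers (PANs) in text, keeps only those that pass the Luhn check so that order numbers and phone numbers are not reported, and shows each hit in the truncated form PCI DSS permits for display (first six and last four digits). The sample file contents are constructed and use the publicly documented Visa, Mastercard and American Express test numbers; the function and variable names are this example's own.

```python
"""Locate unprotected card numbers (PANs) in text and report them truncated.

Added example for this slide deck (not from the presentation or its vendors).
SAMPLE_FILE is constructed sample data built from public card test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample: a CSV-like export a department might leave on a PC.
SAMPLE_FILE = """\
order,card,amount
1001,4111 1111 1111 1111,25.00
1002,5500-0000-0000-0004,40.00
1003,378282246310005,12.50
1004,4111111111111112,99.00
ref 1234567890123456 is an order id, not a card
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, truncated_pan) for each Luhn-valid candidate in text.

    Only the truncated form is returned so that the scan report itself does
    not become another copy of unprotected card data.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                hits.append((lineno, truncate_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_FILE):
        print(f"line {lineno}: possible card number {masked}")
```

Run against a real file the scanner would read the file contents instead of SAMPLE_FILE; the Luhn filter removes the two 16-digit non-card values in the sample (a mistyped number and an order id) while the three genuine test numbers are reported.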




