Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI Compliance & Credit Card Processing

Published byMakayla Erven Modified over 10 years ago

Similar presentations

Presentation on theme: "PCI Compliance & Credit Card Processing"— Presentation transcript:

1 PCI Compliance & Credit Card Processing
What Does It Mean & How Do We Get There?

2 Agenda 1. PCI / PA-DSS / PTS 2. Changes & Deadlines 3. Watch Out For……
4. University Strategies

3 Payment Card Industry Evolution
Focus on Banks, Processors, Gateways CISP PED Focus on Merchant PCI Focus on Application & PIN Transactions PA PTS Phase 1 Phase 2 Phase 3

4 Who? You Who are the major players? University Compliance PCI Security
Standards Council TrustWave or other ASV University Compliance TouchNet CashNet NelNet 3rd Party Apps

5 Why PCI? https://www.pcisecuritystandards.org We are all merchants
Agreed to comply Agreed to fines and fees No one can relieve us of our obligations PCI-DSS Applies to all merchants Requires an annual self-assessment for each method of payment Requires quarterly network scan by approved scanning vendor (ASV)

6 PCI – Getting Started

7 PCI Standard Requirements

8 PCI

9 PA-DSS Applies to software vendors and others who develop and sell payment applications Applies to storing, processing and transmitting data In house payment applications that are not sold to a 3rd party are not subject to PA-DSS but must still be secured in accordance with PCI-DSS Vendor – responsible for certification process Merchant – verify application is listed by the PCI_Security Standards Council as a PA-DSS certified payment application (specific to its release number)

10 PA-DSS Process Review end-to-end functions All input and output
Where stored, who has access to PC, where data goes Error Conditions Cached information, notifications Interfaces/Connections to Other Systems Data Flow Encryption Mechanisms Authentication Mechanisms

11 Validated Payment Applications

12 PTS Formerly PCI PED Set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities Requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it Merchants should only use PIN entry devices that are tested and approved by the PCI SSC

13 Approved PIN Transaction Security

14 What you don’t know CAN hurt you……
Why Comply? We are all merchants Agreed to comply Agreed to fines and fees No one can relieve us of our obligations What you don’t know CAN hurt you…… Why Are You Vulnerable? Business vs Faculty vs Vendor Historical Data that Hasn’t Gone Away People trying to “be helpful” Bad Business Practice Phone Payments Alumni Lists Mailing Lists

15 Cost of Not Complying Recarding
Fines from Bank, Visa and card companies Insurance Costs Cost to University’s Image

16

17 Changes & Deadlines NOW – PCI-DSS compliance – should be performing self-audits July 1, 2010 – PA-DSS & PTS More Changes Coming !!! Lifecycle Process for Changes to PCI DSS

18 What To Do Embrace PCI DSS Objectives as a Reality of Doing Business
Educate Campus Merchants about PCI Security Standards Find the Needles, not the Haystacks Start in Business Office Expand to the Campus Enforce PCI Requirements Campus-Wide Have a Procedure Understand the Risks Leverage a Strategy that Minimizes the Number of Systems on Campus which Touch Sensitive Payment Data Architect Big, Implement Small Replace Out-Dated POS equipment with PTS-Compliant Devices Download PCI Security Council Quick Reference Guide - Become familiar with NC OSC PCI Security Compliance Program website

19 OSC PCI Compliance Website
Understanding PCI Data Security PCI Security Standards Overview Understanding PCI Data Security Presentation Applicability of PCI Data Security Standard (PCI DSS) to Card Capture Methods Policy for Security Incident Plan PCI Related Memorandums Common Payment Services - Report of Compliance PCI Data Security Resources State E-Commerce Program PCI Security Standards Council, LLC PCI Data Security Standard (v. 1.2) PCI Self-Assessment Questionnaire (v. 1.2) PCI Penetration Testing Requirement 11.3 VISA's Cardholder Information Security Program (CISP) MasterCard's Site Data Protection Program (SDP) Glossary of Terms List of Compliant Service Providers Payment Application Data Security Standard Visa's List of Validated Payment Applications PCI Council's List of Validated Payment Applications Sample Addendum for Requirement 12.8 TrustWave TrustKeeper Validation Service Compliance with PCI Data Security Standards Validation of PCI Compliance Requirements Trustwave Validation Enrollment Trustkeeper Portal Login Responding to Notice of Non-Compliance PCI Validation for Service Providers

20 OSC PCI Compliance Website

21 Things to Look For “Rogue” Departments Miscellaneous Revenue
Mailers with credit card information mailed back to university Receipting – type of payments should be monitored Point of Sale (POS) Analog line Make sure model does not retain card information; should be truncated Web-Based Applications Processor – FirstData, VisaNet, Nashville, etc. Payment Gateway – CPS, PayPoint Gateway, 3rd party with OSC approval 3rd party applications – PCI certificate of compliancy if using 3rd party credit card, ensure they remit on daily basis

22 The Clock is Ticking…

23 PCI References PCI Council: OSC PCI: Useful Info:

24 Cost of Non-Compliance
Did you know: A breach with any one merchant on our campus could mean that ALL credit card transactions for the University may cease. We each have ONE chain number for each campus Each chain has all our merchants attached to it. The cut off comes at the chain level – not the merchant

25 Cost of Non-Compliance
In 2008 millions personal credit card records of Americans were compromised.

26 Cost of Non-Compliance
If your credit card processing system is breached/compromised Your credit card system is stopped You pay fines You pay for forensics audit (from $10,000-$100,000) You lose the right to process credit cards until compliance is achieved and verified. You pay for replacement cost of cards that were compromised (about $200 per card) You pay more fines based on if any of the credit cards were used fraudulently (up to $500,000 per incident)

27 What ECU is Doing Currently all Credit Card Transactions, except athletics are using Touchnet Athletics use Paciolan System Students use Bill Payment Suite Statements Banner Balances Banner payment/charge history

28 What ECU is Doing Touchnet U-PAY Sites Parking & Traffic (T2)
Alumni (Imodules) Continuing Education (AceWare) Housing (CBORD) Orientation (In-house written) On-Line Giving (In-house written)

29 What ECU is Doing Touchnet Payment Point Touchnet
Graduate School Applications (Banner) Touchnet eCheck – In process of implementing Convenience Fees – In process of implementing (along with stopping the use of VISA credit cards)

30 What ECU is Doing Touchnet U-Store
(works as a “shopping cart type application) Evaluating for small campus divisions that would like to do credit card processing: Library – Membership, special events College of Education – camp fees College of Business – tests/ events

31 What ECU is Doing Security Department Changes that are coming to ECU
Locking down any PC that does credit card transactions (athletics & box office & staff computers) No adobe No administrative privileges No software updates No profile changes Static IP for credit card processing only Staff doing credit card processing with other tasks will have two computers – one dedicated to Credit Card processing

32 What ECU is Doing No electronic storage of Credit Card numbers is allowed Financial Services is responsible for credit card compliance – IT advices. Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed. It is destroyed when not needed anymore. All credit card requests go through IT, Cash Management Director and Finance

33 What UNCW is Doing No electronic storage of Credit Card numbers is allowed Controller’s Office is responsible for credit card compliance – IT advices. Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed. It is destroyed when not needed anymore. All credit card requests go through Controller’s Office, Director of Student Accounts/Cashier’s Office and Financial Systems

34 What UNCW is Doing Currently all new Credit Card Transactionsare using Touchnet Students use Bill Payment Suite Statements Banner Balances Banner payment/charge history eRefunds

35 What UNCW is Doing Touchnet U-PAY Sites
Athletics (JumpTV & In-house written) Graduate School (Apply Yourself) Public Service (AceWare) Housing (In-house written) Orientation (In-house written) Annual Giving (RuffaloCody) Alumni Association (In-house written) Creative Writing Ecotone (One Cow Standing) Admissions (AdmissionsPro) Box Office (eTix)

36 What UNCW is Doing Touchnet Payment Point Touchnet
Registrar Office Reenrollment Fees (Banner) Touchnet PayPath –Implementing July 1, 2010 Convenience Fees – In process of implementing (along with stopping the use of VISA credit cards) for student payments only

37 University Strategies
Round Table Discussion of How Universities are Handling PCI Compliance and e-Commerce Back-to-Basics List for PCI Compliance (All of these items are doable, but require focused effort and attention to detail.) Identify all campus merchants and pay points Verify all payment software is PA-DSS certified Verify PIN data collection devices are PTS compliant Verify that any hosting centers in use are PCI DSS certified Complete and submit annual compliance reports Perform regular PCI training for campus merchants Scan campus computers for unprotected card data How and What are WE Doing?

Download ppt "PCI Compliance & Credit Card Processing"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Weighing the Risks and Benefits of Online Financial Transactions

Weighing the Risks and Benefits of Online Financial Transactions
Photo by Karl Steinbrenner Purchase & Travel Card Programs Current Status and Future Trends Presented By Valerie J Smith, CPCP.

Photo by Karl Steinbrenner Purchase & Travel Card Programs Current Status and Future Trends Presented By Valerie J Smith, CPCP.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
National Bank of Dominica Ltd. 2011 Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.

National Bank of Dominica Ltd Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI Compliance. PCI Compliance Introduction Scott Jerabek The CBORD Group Product Manager Founded in 1975 Foodservice, Campus Card and Security solutions.

PCI Compliance. PCI Compliance Introduction Scott Jerabek The CBORD Group Product Manager Founded in 1975 Foodservice, Campus Card and Security solutions.
Credit Card Data Security Compliance Achieving PCI Compliance July 2009 Kim Ray Billing and Payment Services Campus Credit Card Coordinator Karen Eft IT.

Credit Card Data Security Compliance Achieving PCI Compliance July 2009 Kim Ray Billing and Payment Services Campus Credit Card Coordinator Karen Eft IT.
The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS for Retail Industry

PCI DSS for Retail Industry
LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
UCSB Credit Card Processing and PCI Compliance

UCSB Credit Card Processing and PCI Compliance
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

Troy Leach April 2012 The PCI Security Standards Council.

Troy Leach April 2012 The PCI Security Standards Council.
MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.

MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)

Similar presentations

Ads by Google