Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI Compliance & Credit Card Processing

Similar presentations


Presentation on theme: "PCI Compliance & Credit Card Processing"— Presentation transcript:

1 PCI Compliance & Credit Card Processing
What Does It Mean & How Do We Get There?

2 Agenda 1. PCI / PA-DSS / PTS 2. Changes & Deadlines 3. Watch Out For……
4. University Strategies

3 Payment Card Industry Evolution
Focus on Banks, Processors, Gateways CISP PED Focus on Merchant PCI Focus on Application & PIN Transactions PA PTS Phase 1 Phase 2 Phase 3

4 Who? You Who are the major players? University Compliance PCI Security
Standards Council TrustWave or other ASV University Compliance TouchNet CashNet NelNet 3rd Party Apps

5 Why PCI? https://www.pcisecuritystandards.org We are all merchants
Agreed to comply Agreed to fines and fees No one can relieve us of our obligations PCI-DSS Applies to all merchants Requires an annual self-assessment for each method of payment Requires quarterly network scan by approved scanning vendor (ASV) https://www.pcisecuritystandards.org

6 PCI – Getting Started https://www.pcisecuritystandards.org/pdfs/pcissc_getting_started_with_pcidss.pdf

7 PCI Standard Requirements
https://www.pcisecuritystandards.org/pdfs/pcissc_getting_started_with_pcidss.pdf

8 PCI

9 PA-DSS Applies to software vendors and others who develop and sell payment applications Applies to storing, processing and transmitting data In house payment applications that are not sold to a 3rd party are not subject to PA-DSS but must still be secured in accordance with PCI-DSS Vendor – responsible for certification process Merchant – verify application is listed by the PCI_Security Standards Council as a PA-DSS certified payment application (specific to its release number) https://www.pcisecuritystandards.org/security_standards/vpa

10 PA-DSS Process Review end-to-end functions All input and output
Where stored, who has access to PC, where data goes Error Conditions Cached information, notifications Interfaces/Connections to Other Systems Data Flow Encryption Mechanisms Authentication Mechanisms

11 Validated Payment Applications

12 PTS Formerly PCI PED Set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities Requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it Merchants should only use PIN entry devices that are tested and approved by the PCI SSC https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html

13 Approved PIN Transaction Security

14 What you don’t know CAN hurt you……
Why Comply? We are all merchants Agreed to comply Agreed to fines and fees No one can relieve us of our obligations What you don’t know CAN hurt you…… Why Are You Vulnerable? Business vs Faculty vs Vendor Historical Data that Hasn’t Gone Away People trying to “be helpful” Bad Business Practice Phone Payments Alumni Lists Mailing Lists

15 Cost of Not Complying Recarding
Fines from Bank, Visa and card companies Insurance Costs Cost to University’s Image

16

17 Changes & Deadlines NOW – PCI-DSS compliance – should be performing self-audits July 1, 2010 – PA-DSS & PTS More Changes Coming !!! Lifecycle Process for Changes to PCI DSS

18 What To Do Embrace PCI DSS Objectives as a Reality of Doing Business
Educate Campus Merchants about PCI Security Standards Find the Needles, not the Haystacks Start in Business Office Expand to the Campus Enforce PCI Requirements Campus-Wide Have a Procedure Understand the Risks Leverage a Strategy that Minimizes the Number of Systems on Campus which Touch Sensitive Payment Data Architect Big, Implement Small Replace Out-Dated POS equipment with PTS-Compliant Devices Download PCI Security Council Quick Reference Guide - https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf Become familiar with NC OSC PCI Security Compliance Program website

19 OSC PCI Compliance Website
Understanding PCI Data Security PCI Security Standards Overview Understanding PCI Data Security Presentation Applicability of PCI Data Security Standard (PCI DSS) to Card Capture Methods Policy for Security Incident Plan PCI Related Memorandums Common Payment Services - Report of Compliance PCI Data Security Resources State E-Commerce Program PCI Security Standards Council, LLC PCI Data Security Standard (v. 1.2) PCI Self-Assessment Questionnaire (v. 1.2) PCI Penetration Testing Requirement 11.3 VISA's Cardholder Information Security Program (CISP) MasterCard's Site Data Protection Program (SDP) Glossary of Terms List of Compliant Service Providers Payment Application Data Security Standard Visa's List of Validated Payment Applications PCI Council's List of Validated Payment Applications Sample Addendum for Requirement 12.8 TrustWave TrustKeeper Validation Service Compliance with PCI Data Security Standards Validation of PCI Compliance Requirements Trustwave Validation Enrollment Trustkeeper Portal Login Responding to Notice of Non-Compliance PCI Validation for Service Providers

20 OSC PCI Compliance Website

21 Things to Look For “Rogue” Departments Miscellaneous Revenue
Mailers with credit card information mailed back to university Receipting – type of payments should be monitored Point of Sale (POS) Analog line Make sure model does not retain card information; should be truncated Web-Based Applications Processor – FirstData, VisaNet, Nashville, etc. Payment Gateway – CPS, PayPoint Gateway, 3rd party with OSC approval 3rd party applications – PCI certificate of compliancy if using 3rd party credit card, ensure they remit on daily basis

22 The Clock is Ticking…

23 PCI References PCI Council: https://www.pcisecuritystandards.org/index.shtml OSC PCI: Useful Info:

24 Cost of Non-Compliance
Did you know: A breach with any one merchant on our campus could mean that ALL credit card transactions for the University may cease. We each have ONE chain number for each campus Each chain has all our merchants attached to it. The cut off comes at the chain level – not the merchant

25 Cost of Non-Compliance
In 2008 millions personal credit card records of Americans were compromised.

26 Cost of Non-Compliance
If your credit card processing system is breached/compromised Your credit card system is stopped You pay fines You pay for forensics audit (from $10,000-$100,000) You lose the right to process credit cards until compliance is achieved and verified. You pay for replacement cost of cards that were compromised (about $200 per card) You pay more fines based on if any of the credit cards were used fraudulently (up to $500,000 per incident)

27 What ECU is Doing Currently all Credit Card Transactions, except athletics are using Touchnet Athletics use Paciolan System Students use Bill Payment Suite Statements Banner Balances Banner payment/charge history

28 What ECU is Doing Touchnet U-PAY Sites Parking & Traffic (T2)
Alumni (Imodules) Continuing Education (AceWare) Housing (CBORD) Orientation (In-house written) On-Line Giving (In-house written)

29 What ECU is Doing Touchnet Payment Point Touchnet
Graduate School Applications (Banner) Touchnet eCheck – In process of implementing Convenience Fees – In process of implementing (along with stopping the use of VISA credit cards)

30 What ECU is Doing Touchnet U-Store
(works as a “shopping cart type application) Evaluating for small campus divisions that would like to do credit card processing: Library – Membership, special events College of Education – camp fees College of Business – tests/ events

31 What ECU is Doing Security Department Changes that are coming to ECU
Locking down any PC that does credit card transactions (athletics & box office & staff computers) No adobe No administrative privileges No software updates No profile changes Static IP for credit card processing only Staff doing credit card processing with other tasks will have two computers – one dedicated to Credit Card processing

32 What ECU is Doing No electronic storage of Credit Card numbers is allowed Financial Services is responsible for credit card compliance – IT advices. Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed. It is destroyed when not needed anymore. All credit card requests go through IT, Cash Management Director and Finance

33 What UNCW is Doing No electronic storage of Credit Card numbers is allowed Controller’s Office is responsible for credit card compliance – IT advices. Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed. It is destroyed when not needed anymore. All credit card requests go through Controller’s Office, Director of Student Accounts/Cashier’s Office and Financial Systems

34 What UNCW is Doing Currently all new Credit Card Transactionsare using Touchnet Students use Bill Payment Suite Statements Banner Balances Banner payment/charge history eRefunds

35 What UNCW is Doing Touchnet U-PAY Sites
Athletics (JumpTV & In-house written) Graduate School (Apply Yourself) Public Service (AceWare) Housing (In-house written) Orientation (In-house written) Annual Giving (RuffaloCody) Alumni Association (In-house written) Creative Writing Ecotone (One Cow Standing) Admissions (AdmissionsPro) Box Office (eTix)

36 What UNCW is Doing Touchnet Payment Point Touchnet
Registrar Office Reenrollment Fees (Banner) Touchnet PayPath –Implementing July 1, 2010 Convenience Fees – In process of implementing (along with stopping the use of VISA credit cards) for student payments only

37 University Strategies
Round Table Discussion of How Universities are Handling PCI Compliance and e-Commerce Back-to-Basics List for PCI Compliance (All of these items are doable, but require focused effort and attention to detail.) Identify all campus merchants and pay points Verify all payment software is PA-DSS certified Verify PIN data collection devices are PTS compliant Verify that any hosting centers in use are PCI DSS certified Complete and submit annual compliance reports Perform regular PCI training for campus merchants Scan campus computers for unprotected card data How and What are WE Doing?


Download ppt "PCI Compliance & Credit Card Processing"

Similar presentations


Ads by Google