1 PCI Compliance & Credit Card Processing: What Does It Mean & How Do We Get There?
2 Agenda
1. PCI / PA-DSS / PTS
2. Changes & Deadlines
3. Watch Out For...
4. University Strategies
3 Payment Card Industry Evolution
- Phase 1: CISP / PED: focus on banks, processors, gateways
- Phase 2: PCI: focus on merchant
- Phase 3: PA / PTS: focus on application & PIN transactions
4 Who? Who are the major players?
- You
- University Compliance
- PCI Security Standards Council
- TrustWave or other ASV
- TouchNet, CashNet, NelNet, 3rd party apps
5 Why PCI? https://www.pcisecuritystandards.org
We are all merchants:
- Agreed to comply
- Agreed to fines and fees
- No one can relieve us of our obligations
PCI-DSS:
- Applies to all merchants
- Requires an annual self-assessment for each method of payment
- Requires quarterly network scan by approved scanning vendor (ASV)
9 PA-DSS
- Applies to software vendors and others who develop and sell payment applications
- Applies to storing, processing and transmitting data
- In-house payment applications that are not sold to a 3rd party are not subject to PA-DSS but must still be secured in accordance with PCI-DSS
- Vendor: responsible for the certification process
- Merchant: verify the application is listed by the PCI Security Standards Council as a PA-DSS certified payment application (specific to its release number)
https://www.pcisecuritystandards.org/security_standards/vpa
10 PA-DSS Process
Review end-to-end functions:
- All input and output
- Where stored, who has access to the PC, where data goes
- Error conditions
- Cached information, notifications
- Interfaces/connections to other systems
- Data flow
- Encryption mechanisms
- Authentication mechanisms
12 PTS
- Formerly PCI PED
- Set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities
- Requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it
- Merchants should only use PIN entry devices that are tested and approved by the PCI SSC
https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
14 What you don't know CAN hurt you...
Why Comply?
- We are all merchants
- Agreed to comply
- Agreed to fines and fees
- No one can relieve us of our obligations
Why Are You Vulnerable?
- Business vs Faculty vs Vendor
- Historical data that hasn't gone away
- People trying to "be helpful"
- Bad business practice
- Phone payments
- Alumni lists
- Mailing lists
15 Cost of Not Complying
- Recarding
- Fines from bank, Visa and card companies
- Insurance costs
- Cost to the University's image
17 Changes & Deadlines
- NOW: PCI-DSS compliance; should be performing self-audits
- July 1, 2010: PA-DSS & PTS
- More changes coming!
- Lifecycle process for changes to PCI DSS
18 What To Do
- Embrace PCI DSS objectives as a reality of doing business
- Educate campus merchants about PCI Security Standards
- Find the needles, not the haystacks
  - Start in the Business Office
  - Expand to the campus
- Enforce PCI requirements campus-wide
  - Have a procedure
  - Understand the risks
- Leverage a strategy that minimizes the number of systems on campus which touch sensitive payment data
  - Architect big, implement small
- Replace out-dated POS equipment with PTS-compliant devices
- Download the PCI Security Council Quick Reference Guide: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
- Become familiar with the NC OSC PCI Security Compliance Program website
19 OSC PCI Compliance Website
Understanding PCI Data Security:
- PCI Security Standards Overview
- Understanding PCI Data Security Presentation
- Applicability of PCI Data Security Standard (PCI DSS) to Card Capture Methods
- Policy for Security Incident Plan
- PCI Related Memorandums
- Common Payment Services - Report of Compliance
PCI Data Security Resources:
- State E-Commerce Program
- PCI Security Standards Council, LLC
- PCI Data Security Standard (v. 1.2)
- PCI Self-Assessment Questionnaire (v. 1.2)
- PCI Penetration Testing Requirement 11.3
- VISA's Cardholder Information Security Program (CISP)
- MasterCard's Site Data Protection Program (SDP)
- Glossary of Terms
- List of Compliant Service Providers
- Payment Application Data Security Standard
- Visa's List of Validated Payment Applications
- PCI Council's List of Validated Payment Applications
- Sample Addendum for Requirement 12.8
TrustWave:
- TrustKeeper Validation Service
- Compliance with PCI Data Security Standards
- Validation of PCI Compliance Requirements
- Trustwave Validation Enrollment
- Trustkeeper Portal Login
- Responding to Notice of Non-Compliance
- PCI Validation for Service Providers
21 Things to Look For
"Rogue" Departments:
- Miscellaneous revenue
- Mailers with credit card information mailed back to the university
- Receipting: the type of payments should be monitored
Point of Sale (POS):
- Analog line
- Make sure the model does not retain card information; the card number should be truncated
Web-Based Applications:
- Processor: FirstData, VisaNet, Nashville, etc.
- Payment gateway: CPS, PayPoint Gateway, 3rd party with OSC approval
- 3rd party applications: PCI certificate of compliance
- If using a 3rd party for credit cards, ensure they remit on a daily basis
24 Cost of Non-Compliance
Did you know:
- A breach with any one merchant on our campus could mean that ALL credit card transactions for the University may cease.
- We each have ONE chain number for each campus.
- Each chain has all our merchants attached to it.
- The cut-off comes at the chain level, not the merchant.
25 Cost of Non-Compliance
In 2008, millions of personal credit card records of Americans were compromised.
26 Cost of Non-Compliance
If your credit card processing system is breached/compromised:
- Your credit card system is stopped
- You pay fines
- You pay for a forensics audit (from $10,000 to $100,000)
- You lose the right to process credit cards until compliance is achieved and verified
- You pay the replacement cost of the cards that were compromised (about $200 per card)
- You pay more fines if any of the credit cards were used fraudulently (up to $500,000 per incident)
27 What ECU is Doing
- Currently all credit card transactions, except athletics, are using Touchnet
- Athletics use the Paciolan system
- Students use Bill Payment Suite
  - Statements
  - Banner balances
  - Banner payment/charge history
29 What ECU is Doing
- Touchnet Payment Point
- Touchnet Graduate School Applications (Banner)
- Touchnet eCheck: in process of implementing
- Convenience fees: in process of implementing (along with stopping the use of VISA credit cards)
30 What ECU is Doing
- Touchnet U-Store (works as a "shopping cart" type application)
- Evaluating for small campus divisions that would like to do credit card processing:
  - Library: membership, special events
  - College of Education: camp fees
  - College of Business: tests/events
31 What ECU is Doing
Security Department changes that are coming to ECU:
- Locking down any PC that does credit card transactions (athletics, box office & staff computers)
  - No Adobe
  - No administrative privileges
  - No software updates
  - No profile changes
  - Static IP for credit card processing only
- Staff doing credit card processing along with other tasks will have two computers, one dedicated to credit card processing
32 What ECU is Doing
- No electronic storage of credit card numbers is allowed
- Financial Services is responsible for credit card compliance; IT advises
- Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed; they are destroyed when no longer needed
- All credit card requests go through IT, the Cash Management Director and Finance
33 What UNCW is Doing
- No electronic storage of credit card numbers is allowed
- The Controller's Office is responsible for credit card compliance; IT advises
- Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed; they are destroyed when no longer needed
- All credit card requests go through the Controller's Office, the Director of Student Accounts/Cashier's Office and Financial Systems
34 What UNCW is Doing
- Currently all new credit card transactions are using Touchnet
- Students use Bill Payment Suite
  - Statements
  - Banner balances
  - Banner payment/charge history
  - eRefunds
35 What UNCW is Doing
Touchnet U-PAY sites:
- Athletics (JumpTV & in-house written)
- Graduate School (Apply Yourself)
- Public Service (AceWare)
- Housing (in-house written)
- Orientation (in-house written)
- Annual Giving (RuffaloCody)
- Alumni Association (in-house written)
- Creative Writing Ecotone (One Cow Standing)
- Admissions (AdmissionsPro)
- Box Office (eTix)
36 What UNCW is Doing
- Touchnet Payment Point
- Touchnet Registrar Office re-enrollment fees (Banner)
- Touchnet PayPath: implementing July 1, 2010
- Convenience fees: in process of implementing (along with stopping the use of VISA credit cards) for student payments only
37 University Strategies
Round table discussion of how universities are handling PCI compliance and e-commerce.
Back-to-Basics List for PCI Compliance (all of these items are doable, but require focused effort and attention to detail):
- Identify all campus merchants and pay points
- Verify all payment software is PA-DSS certified
- Verify PIN data collection devices are PTS compliant
- Verify that any hosting centers in use are PCI DSS certified
- Complete and submit annual compliance reports
- Perform regular PCI training for campus merchants
- Scan campus computers for unprotected card data
How and What are WE Doing?
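Two items on these slides call for the same small tool: the "Things to Look For" slide says stored card numbers should be truncated, and the back-to-basics list says to scan campus computers for unprotected card data. The following is an added example, not code from the presentation or from any of the universities or vendors it names. It scans text (a mailbox export, a spreadsheet dump, a receipting log) for digit runs that look like a card number, keeps only those that pass the Luhn check-digit test, and reports each hit with all but the last four digits masked so the scan report itself does not become a new copy of cardholder data. The regex, the sample text and the "last four digits" truncation rule are assumptions chosen for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. (Constructed for this example; a production
# scanner would also check card-brand prefixes and scan binary file formats.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check digit test.

    Every second digit from the right is doubled; doubled values above 9 have
    9 subtracted. The number is valid when the sum is a multiple of 10.
    """
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Mask a PAN so only the last four digits remain readable.

    Assumed truncation rule for this example; the point is that the scan
    report never carries a full card number.
    """
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_number, truncated_pan) for each Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, truncate_pan(digits)))
    return hits


# Constructed sample input. The card numbers are the well-known public test
# numbers used by payment brands for integration testing, not real accounts.
SAMPLE_TEXT = """\
Order 1234567890123 shipped to campus box office
Phone payment: card 4111 1111 1111 1111 exp 12/12 (taken over phone)
Alumni list: donor paid with 378282246310005
typo'd number 4111111111111112 should not count
Refund to 5500-0000-0000-0004 processed
"""


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_TEXT):
        print(f"line {lineno}: possible card number {masked}")
```

Line 1 carries a 13-digit order number and line 4 a mistyped card number; both fail the Luhn check and are dropped, which is why the check is worth having. It is a triage filter rather than proof: plenty of non-card identifiers also pass Luhn, so every hit still needs a person to look at the surrounding file and decide whether it is cardholder data that has to be deleted or moved into the approved payment system.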