Presentation is loading. Please wait.

Presentation is loading. Please wait.

Credit Card Data Security Compliance Achieving PCI Compliance July 2009 Kim Ray Billing and Payment Services Campus Credit Card Coordinator Karen Eft IT.

Similar presentations


Presentation on theme: "Credit Card Data Security Compliance Achieving PCI Compliance July 2009 Kim Ray Billing and Payment Services Campus Credit Card Coordinator Karen Eft IT."— Presentation transcript:

1 Credit Card Data Security Compliance Achieving PCI Compliance July 2009 Kim Ray Billing and Payment Services Campus Credit Card Coordinator Karen Eft IT Policy Manager Office of the CIO Kate Riley IT Security Analyst Information System Technology

2 Who Accepts Credit Cards? Departments with a business need for: Departments with a business need for: –Tickets Sales –Enrollment/Registration/Conference Hosting –Donations/Gifts –Gift Shops/Admission Desks/Memberships –Publication Sales –Public Services (e.g., Library, Optometry, Parking, Cal Overstock)

3 Who Accepts Credit Cards? Over 130+ merchant accounts with annual sales exceeding $103 million/year Over 130+ merchant accounts with annual sales exceeding $103 million/year $43 million/2003

4 Obtain Credit Card Number How we Accept Credit Cards UCs Acquiring Bank: Issues Merchant Account NumbersIssues Merchant Account Numbers Processes authorizations, sales, creditsProcesses authorizations, sales, credits System Application Database – On-campus or Hosted by Vendor Internet Gateways

5 Customers making purchases in-person –Gifts at the Berkeley Art Museum store –Services at the Optometry Clinic –Admission to the Botanical Gardens –Parking pass at Parking and Transportation How to Accept Credit Cards Card Present

6 How to Accept Credit Cards Card Not Present Customers making purchases by phone or mail requests –Conference registration by mail –Publication purchases over the phone

7 Prohibited in University Cash-Handling Policy (BUS 49) –Violation of the intent of section 4(a) in the Uniform Commercial Code The Campus Controller may grant a variance –Such a request must provide detail of the compensating controls in place to secure the data Accepting Credit Card Data by Fax

8 Obtain Credit Card Number How we Accept Credit Cards UCs Acquiring Bank: Issues Merchant Account NumbersIssues Merchant Account Numbers Processes authorizations, sales, creditsProcesses authorizations, sales, credits System Application Database – On-campus or Hosted by Vendor Internet Gateways

9 Customers making purchases online through a departments web application that interfaces with an Internet Gateway –Enroll in a course with University Extension –Purchase a ticket for an Athletics game –Pay a student intent to register fee –Pay a Visiting Scholars fee How we Accept Credit Cards Card Not Present

10 Department Web Application The department has a business need to collect and store personally identifiable information The department has a business need to collect and store personally identifiable information –Hosted: On-campus or by Vendor Must comply with Campus Minimum Security Standards: Must comply with Campus Minimum Security Standards: –https://security.berkeley.edu/MinStds/ https://security.berkeley.edu/MinStds/ Networked Devises Networked Devises Electronic Information Electronic Information

11 Campus Minimum Security Standards Karen Eft IT Policy Manager Office of the Chief Information Officer

12 Campus IT Security Policy Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.

13 UC-wide Business & Finance Bulletins, IS series Oversight of Electronic Information: IS-2, Inventory, Classification, and Release of University Electronic Information IS-2, Inventory, Classification, and Release of University Electronic Information IS-2, Inventory, Classification, and Release of University Electronic Information IS-3, Electronic Information Security IS-3, Electronic Information Security IS-11, Identity and Access Management IS-11, Identity and Access Management IS-12, Continuity Planning and Disaster Recovery IS-12, Continuity Planning and Disaster Recovery(http://www.ucop.edu/irc/itsec/uc/mgt_guide/guide.html)

14 Minimum Security Standards Minimum minimal Why do we put you through this?

15 Prevent Identity Theft Horrible consequences for victims of identity theft. When un-encrypted data of specific types is breached we have to notify the subjects. Incredible waste of time and effort responding to security incidents. Notifications can cost Millions of dollars. Damage to reputation / good will. Reduced level of donations or research funding.

16 Minimum Security Standards MSS for Networked Devices MSS for Networked Devices MSS for Electronic Information MSS for Electronic Information

17 Minimum Security Standards for Networked Devices 1.Keep software patches current 2.Run approved anti-virus software 3.Run approved host-based firewall software 4.Use secure passwords 5.No unencrypted authentication 6.No unauthenticated relays 7.No unauthenticated proxy services 8.Ensure physical security 9.Dont run unnecessary services

18 Minimum Security Standards for Electronic Information ( MSSEI ) 1. Notice-triggering information High Confidentiality - apply all protective measures listed in Attachment A 2. Payment Card Industry Data May not be stored without explicit approval from UC Berkeley Billing and Payment Services

19 1) MSSEI notice-triggering information: First name OR first initial AND last name in combination with one or more of the following: –Social Security Number, –driver's license number, –California Identification Number, –financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, –medical information, –health insurance information.

20 Protective Measures for high confidentiality information: more …

21 Protective Measures for high confidentiality information (contd): more...

22 Protective Measures for high confidentiality information (contd):

23 2) Payment Card Industry Data Security Standard (PCI DSS): Primary Account Number (PAN) (credit card number) AND any of the following if stored, processed, or transmitted with the PAN: –Cardholder Name, –Service Code, –Expiration Date.

24 MSSEI: 1. Notice-triggering information High Confidentiality - apply all protective measures listed in Attachment A 2. Payment Card Industry Data May not be stored without explicit approval from UC Berkeley Billing and Payment Services

25 Compliance: Departmental Security Contact Policy Departmental Security Contact Policy Guidelines and Procedures for Blocking Network Access Guidelines and Procedures for Blocking Network Access Security Incident Response Procedures Security Incident Response Procedures

26 Departmental Security Contact Policy To implement this policy, each department needs to appoint a security contact and one or more backup contacts. Departments may agree to share contacts for efficiency. … Contacts need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the contact to have extensive security expertise.

27 Guidelines and Procedures for Blocking Network Access When computers pose a serious risk to campus information system resources or the Internet, their network connection may be blocked. If the threat is immediate, the offending computer(s) will be blocked immediately and notification will be sent to the departmental security contact(s) via that the block has occurred.

28 Security Incident Response Procedures Berkeley Campus Plan Implementing UC Requirements for Protection of Computerized Personal Information 1. Definitions 2. Responsibilities 3. Incident Response Process 4. Notification Procedures 5. Reporting Requirements Attachment AAttachment A: Information Practices Act: Sections , , Attachment A Attachment BAttachment B: Revision to IS-3 to Cover SB 1386 Requirements Attachment B Attachment CAttachment C: Draft notification text for a 1386 breach Attachment C

29 Security Incident Response Procedures Remove the threat. Preserve evidence. Maybe re-build the environment to resume operations. Determine whether a breach, then whether notification is required.

30 Security Incident Repercussions Very costly Very costly Very intrusive upon regular operations Very intrusive upon regular operations Damaging to the department or project, to the Berkeley Campus, to the University of California, to faculty, to staff Damaging to the department or project, to the Berkeley Campus, to the University of California, to faculty, to staff

31 Assistance: Technical services and tools Technical services and tools Implementing Guidelines Implementing Guidelines Requests for Exception Requests for Exception

32 Implementing Guidelines: 1. Software patch updates: See the Software patch updates FAQ page, which includes examples of "non- compliant" operating systems. Also see instructions for: Software patch updates FAQ pageSoftware patch updates FAQ page * Microsoft Windows Operating System * Microsoft Windows Operating SystemMicrosoft Windows Operating SystemMicrosoft Windows Operating System * Linux/UNIX Operating System * Linux/UNIX Operating SystemLinux/UNIX Operating SystemLinux/UNIX Operating System * Macintosh Operating System * Macintosh Operating SystemMacintosh Operating SystemMacintosh Operating System 2. Anti-virus software * Updating Firewall/Antivirus * Updating Firewall/AntivirusUpdating Firewall/AntivirusUpdating Firewall/Antivirus 3. Host-based firewall software etc., etc. etc., etc. Campus Minimum Security Standards

33 Requests for Exception: Departments, units, or individuals who believe their environments require configurations that do not comply with the Minimum Standards may request exceptions to the Policies. Departments, units, or individuals who believe their environments require configurations that do not comply with the Minimum Standards may request exceptions to the Policies. Campus Minimum Security Standards

34 Minimum Security Standards MSS for Networked Devices MSS for Networked Devices MSS for Electronic Information MSS for Electronic Information

35 Data Security on Campus Kate Riley IT Security Analyst IST-Application Services

36 Attacks This campus receives millions attacks per day: –Attempts to exploit unpatched systems –Attacks specific to application software –Phishing attacks

37 Motivation for Attacks Defacement Defacement Denial of Service Denial of Service Data Theft Data Theft

38 Campus Offerings Restricted Data Management (RDM) Restricted Data Management (RDM) Scanning Tools Scanning Tools –AppScan –Nessus Aggressive IP Distribution (AID) Aggressive IP Distribution (AID) You You

39 Credit Card Data Security 2005: Visa and MasterCard released Payment Card Industry: Data Security Standards (PCI:DSS 1.0) 2005: Visa and MasterCard released Payment Card Industry: Data Security Standards (PCI:DSS 1.0) 2008: New Standards (PCI:DSS 1.1) made compliance with standards even more challenging 2008: New Standards (PCI:DSS 1.1) made compliance with standards even more challenging 2009: PCI:DSS 1.2 just released 2009: PCI:DSS 1.2 just released University Cash-Handling Policy (BUS 49) requires that all campus merchants comply with PCI:DSS University Cash-Handling Policy (BUS 49) requires that all campus merchants comply with PCI:DSS

40 Credit Card Data Security General rules: –Will not capture or transmit the credit card number on the campus network Includes s, spreadsheets, printers, etc. Includes s, spreadsheets, printers, etc. –Will not store credit card numbers electronically on campus in any device

41 Payment Card Industry Data Security Standards PCI:DSS defines requirements for: –Building and maintaining a secure network –Protecting cardholder data –Maintaining a vulnerability management program –Implementing strong access control measures –Regularly monitoring and testing networks –Maintaining an information security policy

42 Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards PCI:DSS requires campus merchants to complete an annual self-assessment questionnaire to certify your compliance with security standards for your merchant type PCI:DSS requires campus merchants to complete an annual self-assessment questionnaire to certify your compliance with security standards for your merchant type

43 PCI Merchant Types There are four PCI:DSS Self Assessment Questionnaires depending on acceptance method

44 SAQ-B: Sample Compliance Total: 26 questions similar to: –Is the card number masked when displayed? –Are policies, procedures and practices in place to preclude sending unencrypted card numbers by end- user messaging technologies (e.g., , instant message, chat) –Is access to system components and cardholder data limited to individuals with business need? –Are all paper and electronic media with cardholder data physically secure?

45 SAQ-D: Sample Compliance Total: 226+ questions cover the topics of: –Install and maintain a firewall configuration to protect data –Do not use vendor supplied passwords for system defaults and other security parameters –Protect stored cardholder data –Encrypt transmission of cardholder data across open, public networks –Use and regularly update anti-virus software or programs –Develop and maintain secure systems and applications –Restrict access to cardholder data by business need-to-know –Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification

46 3 rd Party Service Agreements –Service providers are contractually required to adhere to the PCI:DSS requirements –All campus credit card operations must have a written agreement that has been reviewed and approved by the campus business contract office –No click-on agreements!

47 PCI Data Security Standards PCI:DSS requirements at: PCI:DSS requirements at: –https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/ Merchants complying with SAQ-C or SAQ- D may need quarterly network scans Merchants complying with SAQ-C or SAQ- D may need quarterly network scans –The campus is working to limit the number of SAQ-C and SAQ-D merchants Reduces our exposure to risk Reduces our exposure to risk Less costly for the merchant Less costly for the merchant

48 Campus Certification Vendor The University contracted with Trustwave to host the questionnaires online and to conduct the scans The University contracted with Trustwave to host the questionnaires online and to conduct the scans –Via their online portal trustkeeper.net Each merchant department has a designated administrator who oversees PCI compliance for their merchant accounts Each merchant department has a designated administrator who oversees PCI compliance for their merchant accounts

49 Merchant Timeline July-August: 1. PCI:DSS Training PCI Administrators conduct PCI training with all staff handling credit card dataPCI Administrators conduct PCI training with all staff handling credit card data 2. Certify PCI:DSS Compliance PCI Administrators certify compliance via the trustkeeper.net portalPCI Administrators certify compliance via the trustkeeper.net portal

50 PCI:DSS Training PCI:DSS Requirement 12.6 Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security? – Educate employees upon hire and at least annually – Require employees to acknowledge in writing that they have read and understood the companys security policy and procedures

51 Certify PCI:DSS Compliance PCI administrator logs into existing merchant profile in trustkeeper.net PCI administrator logs into existing merchant profile in trustkeeper.net –Contact Billing and Payment Services Office for PCI administrator changes Pays for the contract extension fee via departmental BluCard Pays for the contract extension fee via departmental BluCard Completes and passes the appropriate PCI:DSS Self-Assessment Questionnaire Completes and passes the appropriate PCI:DSS Self-Assessment Questionnaire

52 Consequences if not compliant Consequences if not compliant –Visa merchants are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident –FDMS may also impose fines or penalties –The campus will no longer be able to self- certify; we will need to pay for qualified auditors to come on-site to document our compliance –Managed response to any breach of sensitive data

53 Campus PCI:DSS Compliance Compliance must be documented annually with FDMS and UCOP Compliance must be documented annually with FDMS and UCOP Based on our campus wide activity, the Controllers Office must file a formal Attestation of Compliance with First Data Merchant Services annually Based on our campus wide activity, the Controllers Office must file a formal Attestation of Compliance with First Data Merchant Services annually If one merchant answers No to one question, then the entire campus fails compliance

54 Campus Compliance Timeline September: –Controllers Office files an Attestation of Compliance with Universitys bank If one merchant answers No to one question, then the entire campus fails compliance

55 Other Credit Card Requirements Payment Application Data Security Standards (PA:DSS) applies to payment applications that are sold, distributed or licensed to third-parties Payment Application Data Security Standards (PA:DSS) applies to payment applications that are sold, distributed or licensed to third-parties –Designed to help software vendors and others develop secure payment applications that: Do not store prohibited data (e.g., full magnetic stripe, CVV2 or PIN data) Do not store prohibited data (e.g., full magnetic stripe, CVV2 or PIN data) Ensure the payment application supports compliance with the PCI DSS Ensure the payment application supports compliance with the PCI DSS Ensure software development processes for web- based applications follow secure coding practices Ensure software development processes for web- based applications follow secure coding practices

56 Other Credit Card Requirements University Cash-Handling Policy (BUS 49) requires that relationships with a third party vendor to manage credit card acceptance be approved by UCOP Banking Services University Cash-Handling Policy (BUS 49) requires that relationships with a third party vendor to manage credit card acceptance be approved by UCOP Banking Services –The third partys background, capabilities, financial condition and references are reviewed –Contract agreements are required to meet minimum levels of protection, regulatory compliance, insurance, bonding, and accurate/timely handling of credit card data as outlined in University policy BUS-49

57 Obtaining PCI Compliance If we control this connection is it PCI compliant? Is server PCI compliant? Is application PCI compliant? Is this connection PCI compliant? PCI compliant UCB Pre-Approved Gateways PCI compliant Is this connection PCI compliant? Are paper records PCI compliant? PCI compliant

58 PCI Compliance Timeline July-August: –Campus departments conduct PCI training with all staff handling credit card data –PCI Administrators obtain and document compliance via the trustkeeper.net portal September: –Controllers Office files an Attestation of Compliance with Universitys bank

59 Resources/References VISAs List of PCI:DSS Compliant Applications VISAs List of PCI:DSS Compliant Applications list-of-pcidss-compliant-service-providers.pdf list-of-pcidss-compliant-service-providers.pdf PA:DSS Qualified Applications PA:DSS Qualified Applications https://www.pcisecuritystandards.org/security_st andards/vpa/ https://www.pcisecuritystandards.org/security_st andards/vpa/ PCI:DSS PCI:DSS https://www.pcisecuritystandards.org

60 Resources/References UC Cash-Handling Policy: BUS 49 UC Cash-Handling Policy: BUS 49 UCB Minimum Security Standards UCB Minimum Security Standards https://security.berkeley.edu/MinStds/

61 Contacts Kim Ray Karen Eft Technical Questions


Download ppt "Credit Card Data Security Compliance Achieving PCI Compliance July 2009 Kim Ray Billing and Payment Services Campus Credit Card Coordinator Karen Eft IT."

Similar presentations


Ads by Google