
PCI-DSS Compliance and Payment Card Acceptance Cathy Freeman Cash and Treasury Services Phone: 864-656-0530


1 PCI-DSS Compliance and Payment Card Acceptance Cathy Freeman Cash and Treasury Services Phone: Website: sh-treasury/

2 Agenda
PCI-DSS Defined
Brief History
Why is PCI-DSS Compliance Important?
Merchant Levels and Requirements
CU PCI Best Practices
PCI Compliance Responsibilities
Virtual Terminals
Credit Card Payment Information
Who Gets Overlooked
Accepting Credit Cards on Campus
Questions

3 PCI-DSS Defined Payment Card Industry Data Security Standard: a collaborative effort to achieve a common set of security requirements for use by entities that process, store or transmit payment card data. The standard is maintained by the PCI Security Standards Council, whose founding members are Visa, MasterCard, American Express, Discover and JCB (Diners Club cards fall under Discover).

4 PCI-DSS Definitions
Cardholder: Customer to whom a card is issued, or an individual authorized to use the card.
Cardholder Data: The full magnetic stripe, or the Primary Account Number (PAN) plus any of the following: cardholder name, expiration date, service code. (PCI DSS treats full track data, the card validation code and PINs as sensitive authentication data, which must never be stored after authorization, even in encrypted form.)
Card Validation Value or Code: Data element on a card's magnetic stripe that uses a secure cryptographic process to protect data integrity on the stripe and reveals any alteration or counterfeiting.
Compromise: Intrusion into a computer system where unauthorized disclosure, modification or destruction of cardholder data is suspected.
Encryption: Process of converting information into a form that is unintelligible to anyone except holders of a specific cryptographic key. Encryption protects information between the encryption process and the decryption process against unauthorized disclosure.

5 PCI-DSS Definitions
Firewall: Hardware, software or both that protect the resources of one network from intruders on other networks.
Information Security: Protection of information to ensure confidentiality, integrity and availability.
Magnetic Stripe: Data encoded in the magnetic stripe, used for authorization during transactions when the card is presented.
Merchant: Any person or business that accepts payments by debit or credit card. A merchant account is an agreement between a retailer, a merchant bank and a payment processor for the settlement of credit card and/or debit card transactions.

6 PCI-DSS Definitions
PAN: Primary Account Number, the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also called the account number.
POS: Point of Sale. Hardware and/or software used to process payment card transactions at merchant locations.
Service Code: Three- or four-digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic-stripe-read transaction.
Vulnerability Scan: Scans used to identify vulnerabilities in operating systems, services and devices that could be used by attackers to target the company's private network.

7 Brief History The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The major payment brands (Visa, MasterCard, Discover, American Express and JCB) came together and published a uniform set of data security standards that ALL merchants must comply with in connection with the acceptance of payment cards; version 1.0 was released in December 2004, before the Council existed. These standards are called the Payment Card Industry Data Security Standard, or PCI DSS. They have placed additional responsibilities on CU departments in connection with the acceptance of payment cards.

8 Why is PCI Compliance Important ?

9 Why is PCI Compliance Important?
Good business practice. PCI compliance is like insurance.
Large monetary fines assessed to your department and/or Clemson University.
Loss of merchant status for the department.
Loss of merchant status for Clemson University.
Loss of faith in the Clemson University name.
You are vulnerable!

10 Why is PCI Compliance Important? Because they are after us! Since 2008, educational institutions have experienced a staggering 158 data breaches, resulting in over 2.3 million reported records compromised. Higher-ed institutions have become a predominant target for cyber criminals because of the substantial amount and distinct types of data they possess. Databases at colleges include names, addresses, financial information, credit card numbers, SSNs and healthcare records of employees, students and parents. Source: Application Security, Inc.

11 Why is PCI Compliance Important? Estimated $3.4 billion lost to online fraud. The $700 million increase in estimated total fraud loss (vs. 2010) was driven by the overall growth in ecommerce. Source: CyberSource Online Fraud Report. Countries with the most card fraud: U.S. and Mexico. One recent survey finds that 27% of cardholders (debit, credit and prepaid) around the world have experienced fraud in the past five years. Rates of fraud vary across countries, but Mexico and the United States are more prone to fraud, with 44% and 42% of respondents there saying they've experienced card fraud. The report from Aite Group and ACI Worldwide, which surveyed over 5,000 consumers in 17 countries, notes that U.S. consumers are heavy card users; more card use means a greater likelihood of card fraud. Source: Forbes

12 Why is Compliance Important? You don't want to make the headlines!

13 Why is PCI Compliance Important? Costs of Non-Compliance. The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

14 Why is PCI Compliance Important? Breach Trends and the Facts
Main causes of a data breach: hacking is now #1.
Data breaches will likely affect your reputation: 76% of organizations surveyed acknowledged that their reputation was impacted as a result of the loss or theft of customer information.
Types of data most often stolen: password/PIN; credit card or bank payment information; credit or payment history; driver's license/SSN.

15 Why is PCI Compliance Important? Breach Trends and the Facts
It can be a long road to recovery: 64% of organizations say they are concerned that data compromised in a data breach will be used to commit other types of fraud.
Breaches can strike twice or even three times: 85% of recent survey respondents indicated that their organization had more than one breach involving customer data in the last 24 months.
Your reputation doesn't bounce back immediately: restoring an organization's reputation after a breach that involved customer information takes about a year (11.8 months).

16 Definition of Merchant Levels All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (DBA). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBAs individual transaction volume to determine the validation level. Merchant levels as defined by Visa:

17 Merchant Levels
Merchant Level 1: Any merchant, regardless of acceptance channel, processing over 6 million Visa transactions per year; and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Merchant Level 2: Any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa transactions per year.

18 Merchant Levels
Merchant Level 3: Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year.
Merchant Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa transactions per year.

19 Merchant Requirements

20 QSA Onsite Review
Is a detailed audit against the PCI Data Security Standard.
Potentially targets all systems and networks that store, process and/or transmit cardholder data.
Includes a review of contractual relationships with third parties, but not an assessment of the third parties themselves.
Must be performed by a Qualified Security Assessor (QSA), a company qualified by the PCI Security Standards Council (assessors were originally certified by Visa under its CISP program).
The biggest difficulties in onsite reviews are the initial scoping and the subsequent cost of remediating findings to a compliant level.

21 Self-Assessment Questionnaire
Is a selected subset of the full onsite audit criteria.
Is completed by the merchant or service provider.
Is submitted to the acquirer(s).
Is made up mainly of Yes/No/Not Applicable responses.
Is broken into sections that follow the six PCI DSS goals (the five listed here plus Maintain a Vulnerability Management Program); which questions apply depends on the SAQ type (A, B, C, C-VT or D) that matches the merchant's acceptance channel:
Build and Maintain a Secure Network
Protect Cardholder Data
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

22 Network Security Scanning
Targets Internet-facing devices, systems and applications, including:
Routers and firewalls
Servers and hosts (including virtual)
Applications
Must be performed by an Approved Scanning Vendor (ASV) listed by the PCI Security Standards Council.
To pass, the scan may not report any issue rated Severity 3 or greater on the vendor's scale (the PCI ASV Program Guide sets the failing threshold at a CVSS base score of 4.0 or higher):
5 (Urgent): Trojan horses, file read and write exploits, remote command execution
4 (Critical): Potential Trojan horses, file read exploits
3 (High): Limited exploit of read, directory browsing and denial of service

23 Merchant Requirements: Six Goals, Twelve Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

24 Merchant Requirements: Six Goals, Twelve Requirements
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.

25 CU PCI Compliance Best Practices
1. Merchants must stop storing credit card numbers and the security code on any computer, server or database. This includes Excel spreadsheets.
2. Treat payment card receipts like you would cash.
3. Keep payment card data secure and confidential.
4. Limit access to system components and cardholder data to only those individuals whose job requires such access.
5. Assign all users a unique ID before allowing them to access system components or cardholder data.

26 CU PCI Compliance Best Practices
7. Documents containing cardholder data must be kept in a secure environment (e.g. a safe or a locked file cabinet).
8. Never send cardholder information via e-mail. Credit card numbers must not be transmitted in an insecure manner, such as e-mail, unsecured fax or campus mail.
9. Fax transmittal of cardholder data is permissible only if the receiving fax machine is located in a secure environment.
10. Render sensitive cardholder data unreadable anywhere it is stored (PCI DSS requirement 3.4: truncation, one-way hashing, index tokens or strong encryption).

27 CU PCI Compliance Best Practices
11. Manual swipe machines (imprinters) are not authorized for use.
12. Any new system or software that processes payment cards must be approved by the Cash and Treasury Office before it is purchased.
13. Any computer system hosting a credit card application must be housed in CCIT's data centers because of the security requirements.
14. Computer systems that process payment cards must be behind a firewall.
15. Use and regularly update anti-virus software.

28 CU PCI Compliance Best Practices
16. Do not use vendor-supplied defaults for system passwords and other security parameters.
17. Computer systems that process payment cards must be able to monitor and track access to network resources and cardholder data.
18. Report all suspected or known security breaches to Cash and Treasury Services and CCIT's Information Security & Privacy office.

29 Credit Card Data Storage Motto If you dont need it, DONT KEEP IT!
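Best practices 1, 8 and 10 above reduce to one technical question: where are PANs sitting in our files and messages, and how do we render them unreadable? The script below is an added example written for this page; it is not Clemson's or the PCI Council's own tooling. It finds candidate card numbers in text with a regular expression plus the Luhn mod-10 check (which filters out phone numbers, order IDs and timestamps), then truncates each hit to the first six and last four digits, the most that PCI DSS requirement 3.3 permits to be displayed. The sample lines (a spreadsheet row, an e-mail sentence, a log line and the phone number from the title slide) are constructed for the example; 4111 1111 1111 1111 and 5500 0000 0000 0004 are commonly used test PANs, not real accounts.

```python
"""PAN discovery and masking helper (added example, not Clemson's own tooling)."""
import re
from typing import Iterable

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other word characters. Assumption: separators only appear
# between digit groups, as they do in spreadsheets and e-mail text.
_PAN_RE = re.compile(r"(?<![\w])(?:\d[ -]?){12,18}\d(?![\w])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit-only PAN candidates from text that pass the Luhn check."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four (PCI DSS 3.3 display limit);
    the digits in between are replaced by 'X'."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form, leaving
    other digit runs (phone numbers, order IDs) untouched."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return _PAN_RE.sub(_sub, text)


# Constructed sample input: a CSV row, an e-mail body, a log line, a phone number.
SAMPLE_LINES = [
    "Smith,John,4111 1111 1111 1111,12/14,registration fee",
    "Please charge my card 5500-0000-0000-0004 for the $40 balance.",
    "2013-04-02 10:15:01 order=1234567890123456 status=ok",
    "call 864-656-0530 for rates",
]


def scan_lines(lines: Iterable[str]) -> list[tuple[int, str]]:
    """(line_number, masked_pan) for every line that holds a Luhn-valid PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {masked}")
    print(redact("card 4111 1111 1111 1111 ok"))
```

Run scan_lines() over an exported spreadsheet or a mailbox dump: every hit is a place where best practice 1 says the data should not be. Note that the 16-digit order ID on line 3 is not reported because it fails Luhn, and the phone number is too short. Masking is a display control, not a substitute for deletion: a PAN written to a log before redact() runs has already been stored, so put the redaction in the path that writes the record, not in a cleanup job afterwards.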

30 CU PCI Compliance Responsibilities: Merchant
Complete and submit the Self-Assessment Questionnaire (SAQ) annually. Each merchant is responsible for its own PCI DSS compliance.
Develop a departmental credit card data information security policy, procedures or plan.
Implement all data security controls necessary to comply with PCI DSS requirements.
Attend the annual PCI DSS compliance training conducted by the Cash and Treasury Services Department.

31 CU PCI Compliance Responsibilities: Cash and Treasury Services
Provide guidance and support for the merchant's PCI DSS compliance efforts.
Make recommendations on how to lower a merchant's risk of exposure to breaches.
Coordinate and assist in the completion and submission of SAQs by all merchants.
Serve as liaison between the merchant and the credit card processor.
Assist merchants in responding to a possible breach.

32 CU PCI Compliance Responsibilities: CCIT Information Security & Privacy
Completes, in coordination with Cash and Treasury Services, a single Self-Assessment Questionnaire (SAQ) for the University.
Provides guidance and support for the merchant's PCI DSS compliance efforts from a technical perspective.
Makes recommendations on how to implement compensating controls that will meet particular PCI DSS requirements.
Provides application and website vulnerability scanning; this can also be done at the system level.
Assists merchants and Cash and Treasury Services in responding to a possible breach and in the breach investigation.

33 Virtual Terminals and PCI Compliance A virtual terminal is a web-based application that allows merchants to accept credit card payments from an Internet-connected computer. Like the traditional credit card terminals you see at most retail stores, virtual terminals can accept both swiped and keyed transactions. Virtual terminal workstations must be segmented and secured. To qualify for the reduced validation scope (these are the eligibility criteria for SAQ C-VT), a merchant must meet all of the following:
The merchant's only payment processing is via a virtual terminal accessed by an Internet-connected web browser.

34 Virtual Terminals and PCI Compliance
The merchant accesses the virtual terminal from a computer that is isolated in a single location and is not connected to other locations or systems within the environment.
The merchant's virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider.
The merchant's computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward).
The merchant's computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached).

35 Virtual Terminals and PCI Compliance
The merchant does not otherwise receive or transmit cardholder data electronically through any channel (for example, via an internal network or the Internet).
The merchant does not store cardholder data in electronic format.
If the merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically.

36 Credit Card Payments Nearly one-third (30%) of students put tuition on their credit card, an increase from 24 percent in the previous study. 84% of the student population overall have credit cards. 92% of undergraduate credit cardholders charged textbooks, school supplies, or other direct education expenses, up from 85% when the study was conducted in 2004 Source: Sallie Mae, How Undergraduate Students Use Credit Cards:, April 2009)

37 Credit Card Payments Current credit card payment methods on campus: E-commerce & online payment; Point of sale terminals.

38 Credit Card Payments In FY 2012, Clemson University merchants processed: Total Transactions (Online and POS): 201,731 Total Revenue (Online and POS): $53,042, Number of Merchants: 110

39 What Gets Overlooked? Paper

40 What Gets Overlooked? People

41 What Gets Overlooked? Process PCI Compliance Cycle

42 Accepting Credit Cards on Campus
Thinking of taking payment cards or changing your current process? Contact Cash and Treasury Services first. Do not go it alone.
The state of South Carolina mandates whom we can use for credit card processing. PayPal accounts and devices like Square for your iPad or iPhone cannot be used.
Our current credit card processing companies are FirstData, TouchNet and Official Payments. Contact Cash and Treasury Services for the current credit card rates charged by FirstData, TouchNet and Official Payments.
Clemson University accepts American Express, Discover, MasterCard and Visa.

43 Just Remember… Data Security is an ongoing process Recognize the risks at all levels to your department. Understand what you can do to be proactive. Determine what behaviors and processes may have to change.

44 Want to know more? Resources
PCI for Merchants: https://www.pcisecuritystandards.org/merchants/index.php
PCI Data Security Standards: https://www.pcisecuritystandards.org/security_standards/index.php
CU Network Security Policy: rity.html

45 Points of Contact Has data been compromised? The first 24 hours are critical! Contact: Office of Information Security and Privacy And Cash and Treasury Services Banking and Payment Card Coordinator

46 Points of Contact A confidential Ethics Line is provided as a service to assist any member of the University community with reporting concerns or issues about questionable practices. These may include fraud, theft, conflicts of interest, abuse of assets or property, or violations of laws or regulations. Toll Free: ( FRAUD) Available 24 hours a day, seven days a week. Leave a message.

47 Questions

48 PCI Compliance Training Questions
1) What does PCI-DSS stand for?
a. Protect Computer Identity-Data Security Standard
b. Payment Card Industry-Data Security Standard
c. Payment Card Industry-Data Safety Standard
d. Payment Card Identification-Develop Security Service


53 2) When was the Payment Card Industry Security Standards Council launched?
a. September 7th, 2003
b. September 7th, 2004
c. September 7th, 2005
d. September 7th, 2006


58 3) The Payment Card Industry Security Standards Council (PCI SSC) breaks merchants up into 4 compliance levels?
a. True
b. False


61 4) The Self-Assessment Questionnaire (SAQ) is filled out by the merchant?
a. True
b. False


64 5) There are 6 requirements for PCI-DSS compliance?
a. True
b. False


67 6) Which of the following is a Clemson University PCI Compliance best practice?
a. Keep payment card data confidential
b. Computer systems that process payment cards must be behind a firewall
c. Render sensitive cardholder data unreadable anywhere it is stored
d. All of the above


72 7) You can send cardholder information via e-mail?
a. True
b. False


75 8) Which of the following is a PCI Compliance responsibility for the merchant?
a. Complete the Self-Assessment Questionnaire
b. Development of a departmental credit card data information security policy, procedures or plan
c. Attend annual PCI DSS Compliance Training
d. All of the above


80 9) A virtual terminal workstation can be located in an open area for anyone to use?
a. True
b. False


83 10) PayPal or devices like Square can be used to accept payments on campus?
a. True
b. False


86 Thank you for taking the PCI Compliance Training. Need More Help? Contact Cathy Freeman at

87 To acknowledge that you have read and completed the online PCI Compliance training, continue to the website below. Clemson.edu/esig

