Payment Card Industry Data Security Standard (PCI) Presentation EITAC Jan 2014 Les McDermid January 16, 2014
Overview
What is PCI and Why
Compliance - Risks and Benefits
Queen's - Credit Card Acceptance
Payment Card Industry (PCI) Compliance Implementation Working Group
o Terms
o Work Started
Thoughts
NCI – Secured Intelligence
What is PCI and Why
Payment Card Industry Data Security Standard (PCI DSS)
Created by the PCI Council
PCI is a comprehensive set of mandated international security requirements developed to protect personal information and ensure security when transactions are processed using a payment card.
All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards.
Level of compliance is based on the volume of transactions, not the dollar value.
What is PCI and Why
The PCI standards require two types of controls that work in tandem to address payment card security vulnerabilities:
1. Policies and Processes: specific operational policies and procedures that a merchant uses to implement, manage, and maintain the security of card information
2. Technology: the devices (applications) such as software, hardware, and third-party services that are configured to deliver secure payment card processing, transmission and storage
Based on a preliminary, high-level review of these 12 standards by Queen's IT, we are not in compliance.
What is PCI and Why
The University must be in compliance with PCI DSS as a condition of its continued acceptance of credit cards.
The current agreement with Chase Paymentech states: "Each party shall comply with all laws and regulations and Payment Brand Rules applicable to the operation of its business."
Queen's is classified as a merchant since it qualifies under the PCI DSS definition as an entity that accepts payment cards bearing the logos of any of the five members of the PCI Security Standards Council (AMEX, Discover, JCB, Mastercard or VISA) as payment for goods and services.
Compliance - Risks and Benefits
Increased consumer confidence (including donors)
Reduced risk of security breaches
Safe harbour from punitive fines from selected payment brands if a breach occurs at a certified PCI compliant organization
Opportunity to better understand and improve the wider internal control environment (i.e., enhanced corporate security strategy)
Compliance - Risks and Benefits
Reputational damage
Loss of credit card acceptance privileges
Fines
o Up to $500,000 per incident
Lost revenue and downtime for systems that are breached
Forensic investigation costs
Reimbursement of fraudulent purchases
Costs to remedy the problem, including card re-issuance costs, which are borne by the merchant that had the breach
Requirement to demonstrate a much higher standard of compliance to PCI standards going forward
Queen's - Credit Card Acceptance
Two acquirers being used:
o Chase Paymentech
o Global Payments
Range of credit card acceptance methods
o E-commerce, point-of-sale, paper forms, telephone, e-mail, etc.
Internal Audit report of February 2013
o Control environment varies by department / merchant
o Minimal awareness of PCI requirements at the local level
o Incidences of insecure storage of cardholder data
o Current University policies and procedures do not address PCI requirements
Number of Transactions Reported (12 months ending October 31, 2012)
Columns: Department / Unit; volumes by acquirer (Chase, Global, AMEX); Totals
Underground Parking Garage: 27,942
Queen's Registrar: 15,410 and 75; total 15,485
Queen's Advancement: 13,433 and 1,153; total 14,586
Queen's Athletics and Recreation: 13,767 and 375; total 14,142
Queen's Pay & Display: 12,189 and 1,312; total 13,501
Queen's CTE and PLS: 8,353
Queen's Univ / Computing Serv.: 5,446 and 215; total 5,661
Queen's Graduate Studies: 4,669 and 7; total 4,676
Physical Therapy Clinic: 3,408 and 1; total 3,409
Queen's Univ / Donald Gordon Ctr.: 2,479 and 289; total 2,768
Source: Chase Paymentech, Global Payments, and American Express. Does not include refund transactions.
Total transactions ~ 92,000. E-commerce transactions ~ 67,000.
Queen's - Credit Card Acceptance
Nature of Revenue Collected Using Payment Cards
PCI Compliance Implementation Working Group
Payment Card Industry Compliance Implementation Working Group
Objective: to ensure that there are policies and procedures in place that enable the University to comply with the Payment Card Industry Data Security Standards (PCI DSS).
PCI Compliance Implementation Working Group
Responsibilities:
1. To oversee and coordinate the University's PCI DSS compliance efforts.
2. Provide guidance to the University on payment card best practices and permissible arrangements for payment card acceptance.
3. Develop policies and procedures to ensure that all departments and units of the University adopt and comply with the PCI DSS standards, which will allow the University to continue to utilize payment cards (e.g. credit card, debit card, e-commerce transactions).
4. Develop and recommend policies and procedures to enhance the security or service levels for payment card transactions across the University.
5. Develop a policy to address the University's response to any breaches or potential breaches of cardholder data.
6. Develop a communications strategy to facilitate awareness about the University's PCI compliance obligations, and ensure that any policies, procedures and best practices are widely disseminated across the University.
PCI Compliance Implementation Working Group
PCI Implementation Committee Members
Gordon Lee - Project Chair, Office of the Treasurer
Heather Woermke - Co-Chair, Financial Services
Bo Wandschneider - Co-Chair, ITS
Beth Readman - Secretary, Office of the AVP (Finance)
Kellie Hart, Internal Audit
Tony Overvelde, Financial Services
Ginette Denford, Student Affairs
Donna Stover, Parking
Julie Anne Matias, Faculty of Education
Les McDermid, Advancement
George Farah, ITS
Stacy Shane, Engineering
Katie McGrath, ITS
Ray Pengelly, Observer
PCI Group - Work Started
RFP - CONSULTING SERVICES FOR PCI DSS COMPLIANCE PROGRAM
Deliverables include: Queen's expects the Selected Proponent to address the following areas of work during the Term of the Agreement:
Phase One – Scope Survey
o Surveying the overall current state of PCI DSS compliance at Queen's;
o Information gathering of design documentation and interviewing of relevant Queen's departments that accept payment cards;
o Scope assessment of each identified application in terms of PCI compliance, from which Queen's can determine the ideal strategy to achieve and/or validate compliance; and
o Identifying and exploring the feasibility of scope minimization solutions for compliance.
Phase Two – Applications Assessment - Compliance approach for the selected applications:
o Vulnerability and penetration testing;
o Assessment, gap analysis of policy, procedures, network and system design, application design, logs and monitoring; and
o Report of findings with recommendations and plans for remediation, if necessary.
PCI Group - Work Started
Phase Three - Remediation Assistance - Remediation approach for the selected applications:
o Lead presentation and description of remediation plan to relevant technical group(s) and departments; and
o Assistance of an advisory nature with regards to best practices and industry standard approaches to technical groups and departments overseeing a remediation project.
Phase Four – Validation and Certification - Compliance approach for the selected applications:
o Upon completion of the assessment and remediation phases, perform validation tests as a certified QSA and ASV (Approved Scanning Vendor) that may be required for compliance, such as vulnerability scanning and penetration testing; and
o Assistance for application owners with initial Self Assessment Questionnaires (SAQs) and related sign-offs as necessary.
Phase Five – Ongoing PCI DSS Program Establishment – Contributions to the overall PCI compliance program at Queen's, including:
o Assistance with the development of policies, procedures and standards;
o Knowledge transfer to the internal staff at Queen's as required; and
o Ability to proceed with other phases concurrently.
PCI Group - Work Started
Policy & Procedures Common Themes
PCI compliance is part of an overall policy on the usage of payment cards for payment of goods and services
Standing Committee to ensure ongoing PCI compliance and merchant oversight
Responsibility for compliance and associated costs
Approval process for obtaining new merchant IDs
PCI training
Usage of payment applications
Treatment of third parties and affiliated entities
Policies and procedures for records retention and destruction
PCI Group - Work Started
Policy & Procedures Common Themes
Incident Response Plans
Consequences of non-compliance
Overall Responsibilities of:
o PCI Steering Committee
o Financial Services / Treasury
o Information Technology
o Merchants, Departments, Units
o Internal Audit
o Procurement Services
Thoughts
PayPal non-compliant – use will be banned
Move everything that involves credit card information to a secure environment
One server for credit card applications
More rigor when setting up merchant IDs, including training on PCI compliance