2014 PCI DSS Meeting, OSU Business Affairs Process Improvement Team (PIT), Robin Whitlock & Dan Hough, 10/28/2014

Presentation transcript:

Slide 2: Today's Presentation
- What do you have to do?
- What is PCI DSS?
- Who Needs to Comply with PCI DSS?
- Why PCI DSS?
- Compliance Life Cycle
- Cardholder Data/Storage
- Goals & Requirements
- What do you have to do?
- Coming in 2015: PCI 3.0
- Resources
- Questions

Slide 3: Your to do list by December 12:
1. Verify credit card merchant information with Business Affairs
2. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
3. Merchant managers complete and sign the Cover Page & SAQ
   - Annual PCI DSS Assessment must be completed for all Merchants
4. Business Center Manager or FAM must review and sign
5. Send to Robin Whitlock and Dan Hough

Slide 4: What is PCI DSS?
- Payment Card Industry Data Security Standards
- "Common set of industry tools and measurements to help ensure the safe handling of sensitive information. Provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents" (https://www.pcisecuritystandards.org/merchants/index.php)
- Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Disc…)

Slide 5: Who Needs to Comply with PCI DSS?
- Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers…)
- That means you!
- Compliance is mandatory (eCommerce Policy, Oregon State Treasury, PCI DSS).

Slide 6: Why PCI DSS?
- 241 breaches of sensitive information to date in 2014 (affecting >64 million records) [1]
- Notable retail breaches since November [2]

Sources:
1. Privacy Rights Clearinghouse, https://www.privacyrights.org, 10/28/14
2. "Cyber Attacks on US Companies in 2014," by Riley Walters

Slide 7: Compliance Life Cycle
Pre-Assessment / Gap Analysis -> Implement / Remediate -> PCI DSS Validation -> Ongoing Compliance Monitoring (repeats)

Slide 8: What is Cardholder Data?
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Chip/Magnetic Stripe Data
- CAV2/CVC2/CVV2

Slide 9: PCI Data Storage
1. These data elements must be protected if stored in conjunction with the PAN.
2. Sensitive authentication data must not be stored after authorization (even if encrypted).
3. Magnetic stripe or chip.
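The two storage rules on this slide (keep nothing from the sensitive-authentication set after authorization, and protect name and expiration date whenever they sit next to a PAN) are the kind of thing a merchant application should enforce in code rather than by policy alone. The following is an added example, not code from the presentation or from OSU: it scrubs a post-authorization transaction record and scans free text such as application logs for accidentally stored PANs. The field names, the first-six/last-four masking convention and the sample record and log line are all constructed assumptions for the example; 4111 1111 1111 1111 is a widely used test number, not a real account.

```python
import re
from typing import Dict, List, Tuple

# Field names are constructed for this example; they are not from the
# presentation or from any OSU system.
SAD_KEYS = {"cav2", "cvc2", "cvv2", "track_data", "chip_data", "pin"}  # never kept after authorization
CHD_KEYS = {"cardholder_name", "expiration_date"}                       # protect when kept with the PAN

# 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if a 13-19 digit string passes the Luhn checksum used by card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits and hide the rest (assumed masking convention)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_post_authorization(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a copy of a transaction record that is safe to retain after
    authorization, plus a list of findings describing what was dropped or flagged."""
    kept: Dict[str, str] = {}
    findings: List[str] = []
    for key, value in record.items():
        name = key.lower()
        if name in SAD_KEYS:
            findings.append(f"dropped sensitive authentication data field '{key}'")
            continue
        if name == "pan":
            if not luhn_valid(re.sub(r"\D", "", value)):
                findings.append("PAN failed Luhn check (masked anyway)")
            kept[key] = mask_pan(value)
            findings.append("PAN retained in masked form")
            continue
        kept[key] = value
    if "pan" in kept and CHD_KEYS & set(kept):
        findings.append("cardholder name/expiration kept with PAN: must be protected at rest")
    return kept, findings


def find_pans_in_text(text: str) -> List[str]:
    """Report Luhn-valid PAN candidates found in free text (e.g. logs), masked."""
    hits: List[str] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # Constructed sample record and log line.
    sample = {
        "pan": "4111 1111 1111 1111",
        "cardholder_name": "TEST CARDHOLDER",
        "expiration_date": "12/26",
        "cvv2": "123",
        "track_data": ";4111111111111111=2612...?",
    }
    kept, findings = scrub_post_authorization(sample)
    print(kept)
    for f in findings:
        print("-", f)
    log = "2014-10-28 INFO auth ok pan=4111111111111111 amount=12.50 order=1234567"
    print(find_pans_in_text(log))
```

The Luhn filter keeps the log scan from flagging every long digit run (order numbers, timestamps), while the scrubber drops the CVV2 and track data outright instead of trying to encrypt them, which is exactly what rule 2 on the slide requires.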

Slide 10: PCI DSS Goals & Requirements (the "digital dozen")
Build and Maintain a Secure Network (2)
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other parameters
Protect Cardholder Data (2)
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Slide 11: PCI DSS Goals & Requirements
Maintain a Vulnerability Management Program (2)
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures (3)
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Slide 12: PCI DSS Goals & Requirements
Regularly Monitor and Test Networks (2)
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy (1)
12. Maintain a policy that addresses information security

Slide 13: Misconceptions
- Self assessment means you're compliant
- Compliance means you won't suffer a breach
- Outsourcing takes away your need for compliance
- PCI DSS is just about IT
- A single product can make you compliant
- Compliance can be automated

Slide 14: What do we have to do?

Slide 15: Annual PCI DSS Assessment Documents
Documents due by December 12, 2014:
1. OSU Cover Page
2. Self Assessment Questionnaire (SAQ A-D, appropriate to merchant)
3. 3rd Party PCI DSS Certificate of Compliance (if applicable)
Resources
- Copies of your last assessment can be emailed to you on request
- Website:
  - Status Report by Business Center
  - SAQ Forms, Instructions, and guidelines
  - Navigating the PCI DSS
  - Glossary

Slide 16: Self Assessment Questionnaire (SAQ)
- Completed by the merchant manager
- Subset of full requirements
- Broken down by Goals & Requirements
- Made up of Yes / No / Not Applicable responses
  - NA or "Compensating Control": must be explained
  - No: must have Remediation Date and Actions
- Attestation Section
  - Fill out the Merchant Version
  - Do not complete the Service Provider Version

Slide 17: Which SAQ?
- See PCI DSS Status Report

Form  | Description
SAQ A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
SAQ C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
SAQ D | All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

Slide 18: Multiple Merchant Consolidation
Multiple merchants can be combined into a single submittal if:
1. The merchant IDs (MIDs) are of the same type (i.e. all POS, Web…)
2. All merchants are managed by the same merchant manager
3. The same policies and procedures apply to all merchants
4. Strictest SAQ will apply (the one with the most questions)
5. List all merchants on the cover page.

Slide 19: SAQ Example - Requirements (screenshot only)

Slide 20: Compliance Summary (screenshot only)

Slide 21: SAQ Example - Explanation of Non-Applicability (screenshot only)

Slide 22: SAQ Example - Compensating Controls (screenshot only)

Slide 23: SAQ Example - Attestation
- Complete the "Merchant" version, not the Qualified Security Assessor Company version (if available).
- OSU does not use a Qualified Security Assessor Company

Slide 24: Tips and Hints
- These focus on SAQ A and SAQ B since most merchants use these forms
- SAQ A
- SAQ B

Slide 25: Your to do list by December 12:
1. Verify credit card merchant information with Business Affairs
2. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
3. Merchant managers complete and sign the Cover Page & SAQ (Annual PCI DSS Assessment must be completed for all Merchants).
4. Business Center Manager or FAM must review and sign.
5. Send to Robin Whitlock and Dan Hough
   - Electronic submission is preferred.

Slide 26: Coming in 2015: PCI 3.0
- December 2015 validation will be to PCI 3.0
- How PCI 3.0 requirements will be addressed by OSU merchants is still to be determined
- We will keep you posted as information specific to OSU merchants becomes available

Slide 27: Resources
- PCI Compliance for OSU Credit Card Merchants (instructions & forms) (link truncated: …merchants)
- OSU FIS Manual
- OUS Policy Guideline for Electronic Commerce
- Oregon Accounting Manual - Credit Card Acceptance for Payment
- Oregon State Treasury Cash Management Policy (link truncated: …Management-Manual.aspx)
- Payment Card Industry Data Security Standards: https://www.pcisecuritystandards.org/merchants/

Slide 28: Thank You
Business Affairs Contacts
- Robin Whitlock
- Dan Hough
