Presentation transcript (slides with speaker notes)
Slide 1: Payment Card Industry Data Security Standards Annual Refresher Training
Slide 2: This refresher course will cover:
- Review of the PCI Data Security Standards
- PCI DSS in a nutshell
- Payment Card Protection Team
- Compliance basics
- Data breach review
- 2013 change to how the University's compliance is measured
- 2013 new technology: online SAQ portal
- Update of PCI DSS compliance roles at the University
- Contact information
Slide 3: The Purpose for PCI DSS
"The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally." (PCI DSS Requirements and Security Assessment Procedures, October 2010, p. 5)

Speaker notes:
Say:
1) PCI DSS was designed on common sense steps that mirror security best practices.
2) The intent of PCI DSS was "to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data".
3) December 15, 2004: release of the first PCI DSS. Updates in 2006, 2008, 2010, 2013.
Slide 4: The twelve Requirements are grouped into six Goals. (PCI DSS Quick Reference Guide, slide 8)
Slide 5: Payment Card Protection 'Team'
1. Employees, contractors or students involved in accepting credit or debit cards (or who touch the cardholder data environment)
   - Merchant Managers & staff (including student workers)
   - Support units: ARS, IT, Purchasing, OGC, third party vendors
2. Credit card brands: Visa, MasterCard, American Express, Discover
3. Acquiring bank (Wells Fargo)

Speaker notes:
Ask: Who makes up the PCI DSS team? Answer: everyone on the slide.
Ask/say: Why are account managers on the team?
- Front line (accept cards; hire, train, oversee staff; implement or create policy & practices)
- Closest to IT professionals associated with the account
What is the role of the credit card issuing companies?
- Oversight of compliance efforts
- Protect brand and bottom line
Why is the bank there?
- Must also comply with PCI DSS as vendor/third-party service provider to each merchant manager's account
- Stores, processes, or transfers cardholder data
Who else can protect cardholder data? [Answer: the cardholder, by using credit cards only with reputable & trustworthy merchants]
Slide 6: Complying with PCI Standards at the University
- Standards are established & updated by the PCI Council and card issuers
- Standards are enforced primarily through the University's contract with Wells Fargo, which is managed by Accounts Receivable Services (ARS)
- ARS oversees PCI compliance through:
  - Policy & procedures
  - Merchant Manager training & support
  - Coordination with related units such as University Information Security
  - Facilitation of the annual merchant account compliance review process

[Diagram, left to right: PCI Council; Visa, MasterCard, AmEx, Discover -> Wells Fargo -> UMN Accounts Receivable Services -> Merchant Manager -> Employees & student workers. IT support units: OIT, UIS, Dept IT.]

Speaker notes:
Starting at the far left, this slide shows where the PCI Standards begin (PCI Council and card brands) and how the responsibility for compliance flows from their origin all the way to our student cashiers.
Slide 7: What is a data breach?
Broadly speaking, a breach is: an unauthorized acquisition of protected data that compromises the security, confidentiality, or integrity of the protected information.

Speaker notes:
One major concern that the PCI Data Security Standards address is how an organization can best protect data from a data breach.
A breach can harm the customers whose data is stolen, but it can also harm the institution where the breach occurred. About 47 states now have laws that require an institution to notify customers whose data is breached. This is a costly process, both in terms of money and reputation; but more on that later.
What is considered a breach? The definition in this slide is found in some version in each of the state data breach notification laws. The University's attorneys and University Information Security will consider each word to determine if an incident rises to the level of a data breach.
If you believe a breach may have occurred in your area, contact
Slide 8: Leading Causes of a Data Breach
- Malicious attack: targeted attack with the intent to commit data theft or otherwise inflict harm
- Negligent employee or contractor: failure to follow established standards; lack of training
- System glitch: IT or business process failures

Speaker notes:
Many requirements of PCI DSS help the University protect itself from data breaches caused by malicious attacks (physical or electronic).
At first glance PCI DSS "feels" very technical. However, PCI DSS requirements also address the second leading cause of data breaches: employee (or contractor) failure to follow established standards, or employees (or contractors) who innocently do the wrong thing simply because they have not been trained in proper standards or unit data procedures.
Slide 9: Cost of a Breach
- $5.5 million: the average total organizational cost of a data breach*
  - 39% of incidents involved a negligent employee or contractor
  - 37% concerned a malicious or criminal attack
  - 24% involved system glitches including IT and business process failures
- $222: the average cost per compromised record for detection, escalation, notification, and remediation (doesn't include costs associated with damaged reputation)*
- 1,506,900 records: the number of private records exposed in data breaches at 59 US higher education institutions in 2012**
- (1.5M x $222 = $333,000,000) / 59 = $5,644,068 estimated cost per higher education breach

* 2011 Cost of Data Breach Study, Ponemon Institute
** http://www.privacyrights.org/data-breach

Speaker notes:
Say: Now let's take a look at some recent numbers.
Note also: (1) Monterey Institute of Int'l Studies (Middlebury College), CA: laptop stolen in home burglary with unknown # of student SSNs & names. (2) 53-college hack: unknown # of records.
DO: READ THE SLIDE
ASK: Why might higher ed be an attractive target for data thieves?
Higher ed is a target because (a) accounts may not be protected as thoroughly as at large corporate entities, (b) lots of personal data is collected. [ASK FOR EXAMPLES, e.g., student, parent, customer, faculty, employee, visitor data]
(2) The $5.5M & $222 figures do not include (1) the opportunity cost associated with loss of current or potential customers, (2) the cost to the card company, (3) the cost to the bank, and (4) the cost to each consumer whose data has been breached (whether or not their identity has been stolen).
(3) Banks and credit card brands also may incur millions of dollars in costs when a merchant experiences a data breach, even though the card brand and bank had nothing to do with the breach. [Example: cancelling and re-issuing cards and accounts.] ASK: If you were CEO of one of these banks or card brands, what might be your reaction? (Note: held fully liable for bad security without control.)
(4) A few years ago several credit card issuing organizations decided to establish data protection and security requirements for any merchant wishing to use their card brand. Originally each card brand had its own set of standards. Differences in requirements as well as the sheer magnitude of these requirements made it virtually impossible for merchants to comply. The answer: create one overarching set of data security standards that could be agreed upon by the major credit card brands. (Alternative: legislation; only the MN Plastic Card Security Act.) The result: Payment Card Industry Data Security Standards (PCI DSS).
Slide 10: The University at Risk
TGS (Team GhostShell) targeted their self-identified list of 100 top universities in the world. Included: Princeton, Stanford, Harvard, Johns Hopkins, Cornell, Duke, Purdue, Boston University, Texas A&M, University of Texas, University of Colorado, Penn State, University of Pittsburgh, University of Florida, Ohio State, University of Maryland, University of Wisconsin, University of Michigan.
Slide 11: The University as Data "Gold Mine"
But it isn't always about the money. Hacktivism.
In their own words:

"As a wise man once said: 'Those who cannot remember the past are condemned to repeat it.'

Updates*

We wanted to bring to your attention different examples from Europe, how the laws change so often that even the teachers have a hard time adjusting to them, let alone the students, to the US, where tuition fees have spiked up so much that by the time you finish any sort of degree, you will be in more debt than you can handle and with no certainty that you will get a job, to Asia, where strict & limited teachings still persist and never seem to catch up with the times and most of the time fail to prep you up for a world where foreign affairs are crucial in this day and age.

Even so, we figured, how hypocrites we'd have to be to enforce our own beliefs in this release, that's why this turned out into an open debate where you are all welcome to participate. You don't have to talk about it with us, what's important is that you bring up the subject "today's education" in day-to-day conversations with your family, friends, people close to you and try to understand the system better, together. How it works, how a certain type of diploma can or cannot help you in your road to the career you want to pursue.

As for us, we have taken the time to gather opinions and points of views from different anonymous members, all around the globe. On behalf of Team GhostShell, I would like to respectfully thank all those that have contributed to this release. It has been a unique experience."
Slide 12: Change in 2013
Wells Fargo and Visa raised the University's compliance demonstration requirements. This change was based on the annual number of Visa transactions. This means:
- Compliance is now measured by a security assessor
- For 2013 we will use a Qualified Security Assessor (QSA) from CampusGuard, a firm specializing in higher education security
- Individual merchants must continue to complete the annual Self-Assessment Questionnaires (SAQ), and...
- The University will only be considered PCI compliant if all accounts are deemed compliant by the assessor
Slide 13: New Technology
- Rolled out an online portal for SAQ completion & document collection
- The portal provides merchant managers with 24/7 access to complete their SAQs
- Managers can ask the assessor questions directly through the portal
- A secure 'document locker' provides each merchant with a dedicated area to store PCI-related documents
Slide 14: Updated Contacts for 2013
Accounts Receivable Services, firstname.lastname@example.org: general inquiries
Darla Schroeder, Cash Application Manager ( ):
- Terminal issues
- Account set-up, close, modify
- Reconciliation, chartstring or other accounting issues
University Information Security
Your IT professionals _______
Laura Gilbert, PCI-DSS Compliance Analyst ( ):
- Manager training
- CampusGuard portal
- Annual assessment: SAQ & UMN form completion
- ROC assessment
- Remediation plan oversight
- Policy questions
- Vendor relationship support (e.g., pen testing, 3rd party outsourcing)

Speaker notes:
Say: If you have any questions, here are some first contacts and resources that can help. Thanks for coming today! Please complete an evaluation and let us know what was good, what was missing, and what we might present in a different way.
Slide 15: Resources
Allow time in your schedule to fully manage your account.
Be familiar with University policy & procedures:
- Accepting Revenue Via Payment Cards
- Obtaining Approval to Accept Credit Cards
- Managing Payment Card Acceptance
Your IT professionals
Applicable University Forms:
- UM Payment Card Manager Form
- UM Employee Non-Disclosure Form
- UM Desktop Usage Agreement (only required for SAQ-A e-commerce solutions)
Controller's Office Website: general and SAQ-specific training materials & guidance documents
PCI Security Standards Website: SAQ forms, guidance docs, PCI Glossary
Look for s throughout the year from the Controller's Office and partner departments about program changes, new issues, annual deadlines and training.