Presentation on theme: "University of Utah Financial and Business Services"— Presentation transcript:
1 University of Utah Financial and Business Services
Income Accounting and Student Loan Services
Kim Stringham
2 Objectives
- Understand PCI requirements.
- Identify the roles and responsibilities of the many players.
- Identify what needs to be done to reach and maintain compliance.
- Introduce new technologies.
3 Payment Card Industry Data Security Standard
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. This standard is a set of controls that protects cardholder data by mitigating data breaches and preventing cardholder data fraud. Defined by the Payment Card Industry Security Standards Council (PCI SSC), the standard was created to increase controls around cardholder data and so reduce credit card fraud. All merchants, processors, acquirers, issuers, service providers, and other entities that store, process or transmit cardholder information are required to comply with the PCI DSS.
PA-DSS vs. PCI DSS?
The Payment Application Data Security Standard (PA-DSS) requires vendors who supply payment application software to validate the application with the PCI Council. The validated application must be placed or used in a PCI DSS compliant environment for full compliance to be achieved. The merchant is responsible for the compliant environment.
5 PCI DSS Merchant Levels
For Visa, MasterCard and Discover Network PCI levels

Level 1
- Merchant criteria: over 6 million Visa, MasterCard or Discover transactions per year (all channels); global merchants meeting the Level 1 criteria of another payment card brand.
- Compliance validation: annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company*; quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form.

Level 2
- Merchant criteria: 1 million to 6 million Visa, MasterCard or Discover transactions per year (all channels).
- Compliance validation: annual Self-Assessment Questionnaire (SAQ) completed by an Internal Security Assessor (ISA), or a Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA).

Level 3
- Merchant criteria: 20,000 to 1 million e-commerce Visa, MasterCard or Discover transactions per year.
- Compliance validation: annual SAQ; quarterly network security scan by an ASV; annual signed Attestation of Compliance form.

Level 4
- Merchant criteria: all other businesses; fewer than 20,000 e-commerce Visa, MasterCard or Discover transactions per year.
- Compliance validation: annual SAQ recommended; quarterly network security scan by an ASV if applicable; compliance validation requirements set by the acquirer.

More information available at the PCI Security Council website:
Abbreviations: ROC = Report on Compliance, QSA = Qualified Security Assessor, ASV = Approved Scanning Vendor, SAQ = Self-Assessment Questionnaire, PCI SSC = Payment Card Industry Security Standards Council
*For non-compliant businesses only, an annual signed "Attestation of non-storage of non-compliant data" is required.
6 Self-Assessment Questionnaires v3.0
- A: Card-not-present, all cardholder data functions fully outsourced.
- A-EP: Partially outsourced e-commerce merchants using a third-party website for payment processing.
- B: Only imprint machines or only standalone, dial-out terminals. No electronic cardholder data storage.
- B-IP: Standalone, IP-connected terminals. No electronic cardholder data storage.
- C: Payment application connected to the Internet. No electronic cardholder data storage.
- C-VT: Web-based virtual payment terminals. No electronic cardholder data storage (key point: no payment application).
- D: Full standard for all other SAQ-eligible merchants.
7 Roles and Responsibilities
Merchant
- Adhere to the PCI DSS standard.
- Create a corporate security strategy to become and stay PCI compliant.
- Create and maintain a compliant infrastructure.
Acquiring Bank
- Provide support, advice, and general guidance on PCI.
- Ensure any products, software, or gateways added or in use are certified as PCI compliant.
- Quarterly reporting to the card brands on a merchant's compliance status. This reporting reflects the date and status of the SAQ/ROC, scan date(s) and results, and information from the merchant-completed Prioritized Approach containing the areas of non-compliance, the current percentage completed, and the expected completion dates for full compliance.
Card Networks/Brands
- Enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands, not by the Council or WFMS.
PCI Data Security Council
- An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
- The Council's five founding global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs and have equal input. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.
- Website,
8 Don't Delegate Compliance
Never assume your software vendor or service provider is maintaining your PCI compliance. You should be able to answer the following questions:
- What equipment, software, and services do we use for processing, and where are they located?
- Do we have a complete inventory?
- Do we have a hardware-based firewall?
- What anti-virus software do we use, and who updates it?
- Do we have remote access software on our system? Is it always turned on? Is two-factor authentication used?
- Is there one ID and password per individual user?
- Are passwords changed regularly?
- Who reviews our log files?
- Who trains the employees to follow guidelines, and how?
- Can we document everything PCI related?
9 Know what you have... Possible components at point of sale
16 Maintenance is Key
Data security is more than completing a SAQ every 12 months.
- Begin the SAQ at least three months before it is due.
Stay up to date on:
- PCI Council changes.
- Payment network mandates.
- The latest trends in data compromise.
Scan
- Complete a passing external scan at least quarterly, and every time changes are made to the system.
- Use internal scans to detect and correct vulnerabilities.
- Review daily that anti-virus, file integrity monitoring, and logging are running.
17 Chip & PIN (a.k.a. EMV); Near Field Communication (NFC)
Required vs. Encouraged
- Liability shift in the U.S. effective October 1, 2015: merchants not using EMV will take the financial hit on fraudulent card-present transactions.
Benefits
- Physical cards are less likely to be used fraudulently.
Compliance
- No changes in compliance requirements.
Disclaimer
- E-commerce and phone transactions are not affected.
18 PCI Compliance Changes/Dates
2013, October
- PCI Council introduced the PCI DSS 3.0 standard.* Release 3.0 also includes updated PIN Transaction Security v4.0.
- You may validate to version 2.0 through the end of the year. Use of 3.0 is mandatory for validations in 2015.
2015
- U.S. liability shift for domestic and cross-border counterfeit card-present point of sale (POS) transactions to the merchant.
2017
- U.S. liability shift for domestic and cross-border counterfeit card-present automated fuel dispenser transactions.
- U.S. liability shift for counterfeit fraud ATM transactions.
*Standards are updated due to the need for additional guidance, clarification, or evolving requirements for strong security standards.
For more information on PCI updates, visit
19 End to End Encryption
- Point to Point Encryption (P2PE) is the PCI DSS term; it is not the same as E2EE.
- Must be an approved hardware/software combination.
- Scope reduction: under SAQ D, most requirements are not applicable.
- Hardware encryption is VITAL!
- Integration with gateway, software, and hardware.
- Always seek Acquiring Bank and QSA approval.
20 Mobile Payments: PCI DSS Guidelines to Consider
February: The PCI Security Standards Council has published the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End Users. This guide educates merchants on the risk factors that need to be addressed in order to protect card data when using mobile devices to accept payments.
- Single-purpose tablets, iPads.
- Hot spot vs. WiFi.
- Reduced functionality (browsing).
- End to End Encryption devices.
- Acquiring Bank products.
- Banking policy.
Please visit: org/security_standards/documents.php?document=pcidss_mobile_payment_sec_guidelines.
21 Consequences and Penalties for Non-Compliance or Breach
The consequences and costs of non-compliance and of a data compromise can be devastating and may include:
- Loss of the ability to process card payments.
- Loss of consumer confidence and brand reputation.
- Drop in revenues.
- Heavy fines, penalties and expenses: up to $500,000 a month per violation (payment network imposed fines).
- Actual damages to cardholders.
- Attorneys' fees.
- Potential state and federal fines.
Notification and Remediation Process
- Merchant reports a suspected or known breach to the Bank upon finding it, and the card brands are notified.
- Card brands notify the Bank of a Common Point of Purchase investigation.
- Remediation requires demonstration, documentation, and deadlines. A costly forensic investigation may be required.
- In some cases, you may be required to shut down all POS, gateways, or IP-connected terminals and install "dial-up" terminals until the environment is remediated and deemed safe.
Data breaches now cost $194 per compromised record and averaged $5.5 million per data breach event.*
*From a March 2012 Ponemon Institute study.
23 Payment Card Industry Glossary
ASV: Acronym for "Approved Scanning Vendor." Company approved by the PCI SSC to conduct external vulnerability scanning services.
Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.
Compensating Controls: Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) meet the intent and rigor of the original PCI DSS requirement; (2) provide a similar level of defense as the original PCI DSS requirement; (3) be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
Network Segmentation: Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment.
P2PE: Point to Point Encryption.
Penetration Test: Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs both from outside the network trying to come in (external testing) and from inside the network.
QSA: Acronym for "Qualified Security Assessor," a company approved by the PCI SSC to conduct PCI DSS on-site assessments.
Sensitive Authentication Data: Security-related information (including but not limited to card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.