Presentation is loading. Please wait.

Presentation is loading. Please wait.

Northern KY University Merchant Training

Published byCuthbert Evans Modified over 8 years ago

Similar presentations

Presentation on theme: "Northern KY University Merchant Training"— Presentation transcript:

1 Northern KY University Merchant Training

2 Discussion Topics What is PCI-DSS? Credit Card Processing
Two specific facets (Technical & Functional) Penalties for non-compliance Risks Plan of Action

3 What is PCI-DSS? Payment Card Industry Data Security Standards (DSS) initially created by Visa and MasterCard (officially in 2006) now includes Discover, Amex and JCB. All credit card companies in the U.S. have endorsed the Standard PCI-DSS created so there would be common industry security requirements

4 Purpose Mandated by credit card companies – “If you accept our credit card(s), you must follow these rules.” Protect customers against fraud and identity theft. To avoid breaches and fraud resulting in lost revenue.

5 What PCI is NOT PCI is NOT something we can ignore.
PCI is NOT a project -- It is an ongoing program. It is NOT a silver bullet. It is NOT an option -- If we accept credit cards as a source of payment, we must comply. It is not static

6 Twelve Requirements There are Twelve seemingly simple requirements….however Approximately 230 subsets of requirements depending on the Merchant Level and SAQ required to complete.

7 PCI DSS Requirements Goal: Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Goal: Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Goal: Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Goal: Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Goal: Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Goal: Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel

8 SAQs Attestations of Compliance are included as part of each SAQ.
SAQ A Card-not-present Merchants, All Cardholder Data Functions Outsourced SAQ B Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage SAQ C-VT Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage SAQ C Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage SAQ D All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ

9 Scope “Any network component, server, or application that is included in or connected to the cardholder data environment”

10 Scope Map network(s) and cardholder data flow
Use an automated tool to find your data Interview each campus merchant Understand business and data needs Determine actual business processes Identify third-party service providers Get details on all payment applications Logs, traces Vendors can be frustrating

11 Penalties Fines up to $500,000 from each credit card company + $197 per account holder Forensic Investigation by QSA (Qualified Security Assessor) begins at $10,000. Increased auditing requirements Negative Public Relations Losing the ability to process credit card transactions completely Websites: and According to Dr Larry Poneman, an inaugural member of the Unisys Security Leadership Institute, an Adjunct Professor of Ethics & Privacy at Carnegie Mellon University’s CIO Institute, a former CEO of the Privacy Council and a former Global Managing Partner for Compliance Risk Management at PricewaterhouseCoopers, conducts independent research, educates leaders from both the private and public sectors and reports on privacy and data practices spanning a variety of industries….In his most recent survey results….The total avg cost of a data breach : in 2007 = per compromised record; up from in 2006, and from in An increase in lost business due to data breach: lost business due to a data breach accounts for 65% of data breach costs compared to 54% in An increase in third-party data breaches….2007, 40% of survey respondents reported breaches by third party companies (software vendors, outsources, business partners)….i.e. the AceWare/pc charge/iModule software and payment applications being used on campus today……and lastly the increase in legal defense and public relations in respnse to a breach…..grew to 8% up from 3 percent in Can we afford it?

12 College & University Breaches
University breaches have increased exponentially since 2005 Open vulnerable networks Numerous merchants across campuses Payment processes spread over large geographical area

13 Security Breaches Approximately 600,000,000 records breached since 2005. The running represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.  Since 2010 there have been 88 breaches (mostly universities, a few high schools) 98% of hacking successes are as the result of using default passwords. Always change default passwords.

14 Universities Are At Risk
Network penetration, server hacking, SQL injections, stolen laptop computers, desktop computers, unlocked offices/desks, unsecured USB portable drives, CD’s, DVD’s, containing sensitive information; particularly PAN numbers, ssn, names, addresses, birthdates.

15

16 Credit Card Processing

17 Dial-Up Terminal $ Interchange $$$ Discount Fees Services Fees
Authorization Request Authorization Confirmation Settlement $$$ Processor Merchant Card Owner’s Bank Issued Card Discount Fees Services Fees $ ACH Fees Banking Fees Merchant’s Bank

18 SSL Terminal $ Interchange $$$ Merchant Processor
Authorization Request Merchant Settlement Authorization Confirmation Processor Card Owner’s Bank Issued Card $$$ $ Merchant’s Bank

19 Internet Processing $ Interchange $$$ Gateway Processor
Authorization Request Settlement Authorization Confirmation Gateway Processor Card Owner’s Bank Issued Card $$$ $ Merchant’s Bank

20 Mobile Processing $ Interchange Cellular Network $$$ Processor
Authorization Request Cellular Network Authorization Confirmation Settlement $$$ Processor Card Owner’s Bank Issued Card $ Merchant’s Bank

21 Cost Comparison Mobile Pay Website Omni VX570 Notes
$75 for Encrypted Card Reader    (additional readers $65) $150 Initial Setup Fee (PNC) $600 for terminal purchase (Dual Comm) One-Time Fees $12 Monthly Access Fee $15 Monthly Fee These fees are applied whether you process during the month or not. .10 per transaction So if you run 10 transactions, that will cost you $1. .06% Discount Fee This is applied to your gross $ processed $99 setup fee $50 per month Authorize.Net secure gateway or other PCI DSS/PA DSS compliant application. Authorize.Net Secure Gateway is preferred by NKU and PNC Merchant Services.

22 Equipment/Point of Sale System
Spectrum of Risk Equipment/Point of Sale System Cash Dial Terminals Mobile (Encrypted Reader) Wireless Terminals (using cell phone networks) SSL Terminals Website Redirected Payments Virtual Terminals Web-based Applications Wi-Fi Terminals WEP/WPA Encrypted Wireless Networks- must be WPA2 Any system storing Card Holder Data (prohibited by PCI) Manual Imprinters Low Moderate Severe

23 In the future… EMV- Europay Visa Mastercard October 2015
P2PE- Point to Point Encryption

24 Questions?

Download ppt "Northern KY University Merchant Training"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
UCSB Credit Card Processing and PCI Compliance

UCSB Credit Card Processing and PCI Compliance
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
University of Utah Financial and Business Services

University of Utah Financial and Business Services
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento

Similar presentations

Ads by Google