1. PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise

2. I.Background II.What is PCI-DSS? III.Who must comply? IV.Cost of non-compliance V.Digital Dozen VI.Higher Education Challenges VII.Centralize Compliance Agenda

3. Cardholder Information Security Program (CISP) Site Data Protection Program (SDP) Discover Information Security Compliance (DISC) Data Security Standard (DSS) Confused Merchants Background ???

4. Payment Card Industry Data Security Standard (PCI-DSS) Card Associations founded an LLC https://www.pcisecuritystandards.org https://www.pcisecuritystandards.org One program now Mission: Enhance payment account data security by fostering a broad adoption of PCI-DSS What is PCC-DSS?

5. Policy decisions made by Executive Committee Participating organizations provide feedback on evolution of PCI What is PCC-DSS?

6. “Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.” *Payment Card Industry Data Security Standard Who Must Comply?

7. Merchant Compliance 1Any merchant-regardless of acceptance channel-processing over 6,000,000 transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 transactions per year. 3Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year. 4Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. Who Must Comply?

8. In the event of the a breach the acquirer CAN make the merchant responsible for: Any fines from PCI-Co Up to $500,000 per incident Cost to notify victims Cost to replace cards (about $10/card) Cost for any fraudulent transactions Forensics from a QDSC Level 1 certification from a QDSC Cost of Non-Compliance

9. Example: 50,000 credit cards stolen –PCI Penalty - $100,000 per incident $500,000 if you do not have a self- assessment –Card Replacement - $500,000 –Fraudulent Transaction – $61,750,000 $1,235 - 2004 average fraudulent transaction –Bad Publicity – Priceless! Cost of Non-Compliance

10. Build and Maritain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security Digital Dozen

11. Higher education networks comprise an estimated 15% of the total advertised Internet address space* Extremely “open” by tradition and culture Highly connected networks to commercial internet, regional, national, and international research networks Communities range from 1,000 to 200,000 people Thousands of networked devices Departments control local technology and act independently Understaffed IT department * University of Indiana Higher Education Challenge

12. Get executive buy-in Define a commerce committee –IT –Security –Internal Audit –Treasury –CFO Centralize Compliance

13. Define and publish credit card handling policy Acceptable payment channels Handling of PII (Personally Identifiable Information) Requesting merchant IDs Applicability to University employees, work study… Background and credit checks for employees handling credit cards Training and acknowledgement Use of vendors Centralize Compliance

14. Gap analysis –Review all existing merchants and their procedures –Identify “urgent improvements” –Operational remediation plan –Technical remediation plan Compliance maintenance –Rules will change –Systems will change Centralize Compliance

15. Consider outsourcing Get as many credit card numbers off campus as possible Use a service provider to process credit card transactions Approved scanning vendors Approved hosting centers Centralize Compliance

16. David R. King President Nelnet Business Solutions dking@infinet-inc.com Questions?