Property of CampusGuard Compliance With The PCI DSS.

Presentation transcript:

Compliance With The PCI DSS

Today's Agenda
 PCI DSS Introduction
 How are Colleges and Universities Affected?
 How Do You Validate Compliance?
 Best Practices
 Q&A

CampusGuard: full-service QSA/ASV firm. We know security. Focused solely on higher education.

The Target Breach
 40 million customers
 Insider?
 POS was the vector
 Lessons for all…

PCI Security & Compliance: an ecosystem of payment devices, applications, infrastructure and users
 Manufacturers: PCI PTS (PIN Transaction Security)
 Software developers / payment application vendors: PCI PA-DSS
 Merchants & processors: PCI DSS (Data Security Standard)

PCI Relationships
 Merchant: responsible for safeguarding credit card data and complying with the PCI DSS
 Bank (acquirer): communicates and educates merchants on the PCI DSS and reports compliance status to the card associations
 Card associations: responsible for enforcing and monitoring merchant compliance with the PCI DSS
 PCI Security Standards Council: responsible for managing the PCI DSS and certifying QSAs and ASVs

Penalties can be Huge
In the event of a breach the bank can make the merchant responsible for:
 Fines from card associations: up to $500,000
 + Cost to notify victims
 + Cost to replace cards
 + Cost for any fraudulent transactions
 + Forensics
 + Level 1 certification
 Bad publicity: priceless!

How Much Time Left?
 You are assumed to be compliant NOW!
 Banks will be requiring your validation SOON!

Higher Ed Is Vulnerable (chart of breaches by sector over the past 3 years): Higher Education 33%; the remaining sectors (Government, Healthcare, Other, Financial Services, Retailers) account for 6%, 8%, 17%, 14% and 22% as labelled in the original chart. Source: Privacy Rights Clearinghouse.

Colleges and Universities are like Cities…

A Campus Is A "City"
Challenges for PCI Compliance:
 Open networks and systems
 Scope conversations complex
 Overloaded staff
 Fiscal constraints

PCI in Higher Education (survey charts). Source: 2012 Treasury Institute PCI Workshop

PCI DSS: 6 Goals, 12 Requirements (control objectives and their requirements)
1. Build and maintain a secure network
   1. Install and maintain a firewall configuration to protect data
   2. Change vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
   3. Protect stored data
   4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks
3. Maintain a vulnerability management program
   5. Use and regularly update antivirus software
   6. Develop and maintain secure systems and applications
4. Implement strong access control measures
   7. Restrict access to data to a need-to-know basis
   8. Assign a unique ID to each person with computer access
   9. Restrict physical access to cardholder data
5. Regularly monitor and test networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
6. Maintain an information security policy
   12. Maintain a policy that addresses information security

Merchant Levels
Level 1: more than 6 million Visa/MC txns/yr; more than 2.5 million Amex txns/yr
Level 2: 1 to 6 million Visa/MC txns/yr; 50,000 to 2.5 million Amex txns/yr
Level 3: 20,000 to 1 million Visa/MC ecommerce txns/yr; all other Amex merchants
Level 4: all other Visa/MC merchants; Amex N/A (most colleges and universities)

Validation Requirements
Level 1: Visa/MC: annual on-site assessment (QSA), quarterly network scan (ASV), annual penetration test (ASV); Amex: annual on-site assessment (QSA), quarterly network scan (ASV), annual penetration test (ASV)
Level 2: Visa/MC: annual on-site assessment (QSA), quarterly network scan (ASV), annual penetration test (ASV); Amex: quarterly network scan (ASV), annual penetration test (ASV)
Level 3: Visa/MC: annual Self-Assessment Questionnaire (SAQ), quarterly network scan (ASV), annual penetration test (ASV); Amex: quarterly network scan (ASV), annual penetration test (ASV)
Level 4: Visa/MC: at discretion of acquirer: annual SAQ, quarterly network scan (ASV), annual penetration test (ASV); Amex: N/A

Self-Assessment Questionnaires
 Card-not-present, all cardholder data functions outsourced: SAQ A (11 questions)
 Imprint only, no cardholder data storage: SAQ B (29 questions)
 Standalone dial-out terminal, no cardholder data storage: SAQ B (29 questions)
 Payment application systems connected to the Internet: SAQ C / VT (80/51 questions)
 All other methods: SAQ D (286 questions)
Move as far to the left as possible!

Can I assess myself?
Short answer: Maybe (but you probably don't want to)
Long answer: You can assess yourself, provided:
 You follow audit procedures
 Your acquirer agrees
 An approved officer (think President or CFO) signs on the "dotted line" (attesting to the veracity of the results)
 You're absolutely sure you're going to do it right

What's in PCI Scope?
 Card swipe machine?
 Office workstations?
 Computer lab?
 Student in dorm?
 Shopping cart?
 Phone transaction?

PCI DSS Assessment (diagram): Your Campus, connected to the Internet, uses a Payment Application and a Service Provider. The questions posed are which PCI DSS SAQ applies to the campus (A/B/C/D?), whether the payment application is PA-DSS validated (PA-DSS?), and whether the service provider is PCI DSS Level 1 compliant (PCI DSS Level 1?).

Case Study: The commercial software was PA-DSS certified, but the following PCI DSS requirements still had to be addressed:
 1 – Firewall configuration
 7 – Access to system components and cardholder data
 8 – Assign unique ID to each person with computer access
 9 – Restrict physical access
 11 – Regularly test security systems and processes
 12 – Maintain a policy that addresses information security

Managing Compliance

Compliance Finish Line! ?

PCI Compliance (re-validate every 12 months)
 Discovery and Assessment: payments analysis, merchant discovery, documentation, preliminary scanning, gap analysis
 Remediation: correct problems, compensating controls
 Validation: ROC or SAQ submission, quarterly scanning, penetration testing

Awareness Training: PCI DSS, Red Flags, HIPAA, FERPA, GLBA, General Info Security, Identity Theft, Clery Act, Title IX

Online Training: PCI DSS Topics
 An overview of PCI DSS
 PCI DSS objectives and requirements
 Costs of non-compliance
 Sensitive Authentication Data
 Hard-copy storage
 Protecting cardholder information
 Payment card transactions
 Remote access
 Good work practices
 Security incidents
 Restricted computer access
 Restricted physical access
 Tracking and monitoring
 Social engineering

Online Training: Administration

Closing Thoughts
 PCI is a journey
 PCI requires partnerships
 Requires perseverance
 Keep the faith

Ron King, CampusGuard (972)