Payment Card Industry Data Security Compliance

1 Payment Card Industry Data Security Compliance
Working Group Project Kickoff March 2006

2 Agenda
- Objective
- Background
- Project goals
- Scope
- Visa Standards
- Payment Gateways (Verisign)
- Network Configuration
- Remediation Strategies
- Approach
- Milestones
9/22/2018 PCI Project

3 PCI Background
- December 2004: Visa and MasterCard joined forces to expand their security standards, calling them the Payment Card Industry Data Security Standard (PCI DSS) and releasing version 1.0 of the combined standard
- 12 technical requirements
- Impact to policies and procedures, application software, hardware, firewalls, network infrastructure and authentication methods
- Requirement for annual audits and quarterly network scans by a certified PCI assessor, depending on transaction volume
- Fines up to $500,000 per incident if credit card data is disclosed and you are not compliant
- The original compliance date was June 2005, which was unreasonable for most institutions to meet. Our new self-imposed compliance date is December 2006.

4 Project Scope
Planning Assumptions
- Leverage existing investment in the current third-party credit card processor (Verisign)
- Minimize cost of compliance
- Cost of compliance will be borne by the school/center owning the merchant account
- This project will be fast-tracked to minimize risk and cost
Project Organization (see Appendix A for org chart)
- The project will be jointly sponsored by the Treasurer's Office in the Division of Finance, Information Systems and Computing (ISC) and the Office of General Counsel, under the leadership of Scott Douglass, Robin Beck and Wendy White.
- The project will be managed jointly by Michael Harris of the Office of the Executive Vice President and Bill Kasenchar from ISC.
- A core team from Treasurer's, EVP, OGC and ISC will work to identify and recommend options to meet compliance and establish policy.
- A working team with representatives from the schools and centers will vet remediation strategies and aid in the creation and implementation of the recommended solution.
- Every school or center that owns a merchant account must have a representative on the working team.
- UPHS is performing a parallel effort under the direction of Andrew DeVoe (UPHS Treasurer and CFO).

5 Visa’s Categorization of Merchants
We are currently out of compliance

6 Project Goals
- Achieve PCI compliance across all schools and centers for all of Penn's active merchant accounts
- Consolidate or retire low-volume merchant accounts
- Coordinate with Business Services to determine feasibility and project direction for a centralized events/conference service
- Establish a central compliance strategy to reduce the cost of compliance and the exposure to the University
- Create/edit policies required to support data security standards and PCI compliance
- Coordinate with schools or centers to identify third-party business affiliates using Penn merchant accounts (Verisign, Apply Yourself, JSA, etc.) to validate their PCI compliance
- Validate that any third-party payment processor used in conjunction with online transactions is PCI compliant

7 Scope of Standards
These Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.
These security requirements apply to all "system components", defined as any network component, server, or application included in, or connected to, the cardholder data environment:
- Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances
- Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP
- Applications include all purchased and custom applications, including internal and external (web) applications

8 Data Security Standards
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored data
- Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security

9 Payment Gateway
- The payment gateway stores, processes and/or transmits cardholder data
- Verisign is Penn's gateway vendor
- Two basic architectures:
  - External from the application (Verisign Payflow Link): card data is collected on pages the gateway hosts, outside Penn's systems, so the burden of a secure environment is placed on the gateway vendor. Our PCI initiative must ensure that the vendor maintains compliance.
  - Integral to the application (Verisign Payflow Pro): the Penn application collects card data and submits it to the gateway itself, so the burden of a secure environment is placed on the hosting provider. Our PCI initiative must ensure that the hosting facility maintains compliance.
- Reference - Protect Cardholder Data
  - Requirement 3: Protect stored data
  - Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

10 Secure Network Diagram
Reference - Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect data

11 Proposed Remediation Strategies for Web Based Applications
Option 1 - Modify Penn-built or custom-built applications to use Payflow Link
- Annual audit still required to maintain compliance
- Payflow Link provides a means for payment data to be collected outside of Penn
- Making the switch requires a code change, and you have to validate that all historical cardholder data is purged
Option 2 - Third-party applications
- Secure hosting by the vendor
- Ensure that the vendor is PCI compliant
- Amend contracts to reflect continued compliance

12 Remediation Strategies for Web Based Applications
Option 3 - Custom compliant hosting at Penn
- Expensive, and forces the strictest adherence to the following requirements:
  - Build and Maintain a Secure Network: Requirement 1: Install and maintain a firewall configuration to protect data
  - Protect Cardholder Data: Requirement 3: Protect stored data; Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
  - Implement Strong Access Control Measures: Requirement 9: Restrict physical access to cardholder data
  - Regularly Monitor and Test Networks: Requirement 10: Track and monitor all access to network resources and cardholder data; Requirement 11: Regularly test security systems and processes
- Explore alternative means/vendors to process transactions
- Determine whether cardholder data needs to pass through, or be stored on, a Penn server
- Establish the business need to host the application in-house
- Create the logical configuration of a compliant hosting environment and estimate its cost
- Relocate the hosted web application and database servers to the secure and compliant network configuration

13 Three-Phased Approach: Discovery, Assessment, Remediation
Discovery
- Identify and retain consulting expertise to provide guidance in the interpretation of the standards and validate our process
- Establish a working group of stakeholders from schools and centers with active merchant accounts
- Identify merchant accounts and perform gap/risk analysis to determine risk and priority of remediation efforts
- Determine the difference in compliance requirements between credit card information collected online (online card services) and at point-of-sale (POS) terminals
- Develop remediation strategies
Assessment
- Evaluate gaps against remediation strategies and determine the course of action for each merchant account
- Establish infrastructure to execute the remediation strategy
- Identify policies that have to be created or modified to support ongoing data security and PCI standards, including communication and training of personnel
- Identify and review third-party business affiliate contracts to ensure that they provide documentation of PCI compliance
- Finalize remediation schedule and milestones
Remediation
- Evaluate and select an authorized PCI compliance auditor for the annual audits
- Monitor and facilitate remediation efforts across schools and centers per the established schedule
- Develop and implement data security and PCI standards policies
- Create Report on Compliance (ROC)

14 Proposed Milestones

15 Next Steps
Schedule monthly meetings
- Proposed: last Tuesday of the month, 2:30-4:00
Schools/centers
- Perform self-assessment/gap analysis
- Identify systems, hardware and infrastructure that are not in compliance across all merchant accounts
- Modify systems accordingly to ensure that each merchant account is compliant by 10/15
ISC, Treasurer, OGC
- Review and identify policies that need to be changed/created to support PCI compliance
- Work with schools/centers on the creation of a specification and cost estimate for a custom compliant hosting environment
- Facilitate gap analysis across schools and centers
Vendor
- Review third-party contracts and amend with compliance language
- Letter to vendors requesting documentation of compliance

16 Appendix A – Project Org Chart
