Presentation is loading. Please wait.

Presentation is loading. Please wait.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

Published byMia Rumsey Modified over 9 years ago

Similar presentations

Presentation on theme: "2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014."— Presentation transcript:

1 2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014

2 Today’s Presentation  What do you have to do?  What is PCI DSS?  Who Needs to Comply with PCI DSS?  Why PCI DSS?  Compliance Life Cycle  Cardholder Data/Storage  Goals & Requirements  What do you have to do?  Coming in 2015: PCI 3.0  Resources  Questions 2

3 Your to do list by December 12: 1.Verify credit card merchant information with Business Affairs 2.Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable) 3.Merchant managers complete and sign the Cover Page & SAQ  Annual PCI DSS Assessment must be completed for all Merchants 4.Business Center Manager or FAM must review and sign 5.Send to Robin Whitlock and Dan Hough 3

4 What is PCI DSS?  Payment Card Industry Data Security Standards  “Common set of industry tools and measurements to help ensure the safe handling of sensitive information  Provides an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents” (https://www.pcisecuritystandards.org/merchants/index.php)https://www.pcisecuritystandards.org/merchants/index.php  Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Disc…) 4

5 Who Needs to Comply with PCI DSS?  Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers…)  That means you!  Compliance is mandatory (eCommerce Policy, Oregon State Treasury,PCI DSS). 5

6 Why PCI DSS ?  241 breaches of sensitive information to date in 2014 (affecting >64 million records) 1  Notable retail breaches since November 2013 2 1 Privacy Rights Clearinghouse, https://www.privacyrights.org, 10/28/14 https://www.privacyrights.org 2 ”Cyber Attacks on US Companies in 2014,” by Riley Walters, http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014 http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014 6

7 Compliance Life Cycle 7 Pre- Assessment / Gap Analysis Implement / Remediate PCI:DSS Validation Ongoing Compliance Monitoring

8 8 Primary Account Number (PAN) Expiration Date Chip/Magnetic Strip Data CAV2/CVC2/CVV2 What is Cardholder Data? Cardholder Name

9 1.These data elements must be protected if stored in conjunction with the PAN. 2.Sensitive authentication data must not be stored after authorization (even if encrypted). 3.Magnetic stripe or chip. 9 PCI Data Storage

10 PCI DSS Goals & Requirements Build and Maintain a Secure Network (2) 1.Install and maintain a firewall configuration to protect cardholder data 2.Do not use vendor-supplied defaults for system passwords and other parameters Protect Cardholder Data (2) 3.Protect stored cardholder data 4.Encrypt transmission of cardholder data across open, public networks 10 (digital dozen)

11 PCI DSS Goals & Requirements Maintain a Vulnerability Management Program (2) 5.Use and regularly update anti-virus software 6.Develop and maintain secure systems and applications Implement Strong Access Control Measures (3) 7.Restrict access to cardholder data by business need- to-know 8.Assign a unique ID to each person with computer access 9.Restrict physical access to cardholder data 11

12 PCI DSS Goals & Requirements Regularly Monitor and Test Networks (2) 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an Information Security Policy (1) 12.Maintain a policy that addresses information security 12

13 Misconceptions  Self assessment means you’re compliant  Compliance means you won’t suffer a breach  Outsourcing takes away your need for compliance  PCI:DSS is just about IT  A single product can make you compliant  Compliance can be automated 13

14 What do we have to do? 14

15 Annual PCI DSS Assessment Documents Documents due by December 12, 2014: 1.OSU Cover Page 2.Self Assessment Questionnaire (SAQ A-D Appropriate to merchant) 3.3 rd Party PCI DSS Certificate of Compliance (if applicable) Resources  Copies of your last assessment can be emailed to you on request  Website: http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card-merchants http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card-merchants  Status Report by Business Center  SAQ Forms, Instructions, and guidelines  Navigating the PCI DSS  Glossary 15

16 Self Assessment Questionnaire (SAQ)  Completed by the merchant manager  Subset of full requirements  Broken down by Goals & Requirements  Made up of Yes / No / Not Applicable responses  NA or “Compensating Control”- must be explained  No- Must have Remediation Date and Actions  Attestation Section  Fill out the Merchant Version  Do not complete the Service Provider Version 16

17 Which SAQ?  See PCI DSS Status Report 17 FormDescription SAQ A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. SAQ B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage SAQ C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage SAQ D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

18 Multiple Merchant Consolidation Multiple merchants can be can be combined into a single submittal if: 1.The merchant IDs (MIDs) are of the same type (i.e. all POS, Web…) 2.All merchants are managed by same merchant manager 3.The same policies and procedures apply to all merchants 4.Strictest SAQ will apply (the one with the most questions) 5.List all merchants on cover page. 18

19 SAQ Example-Requirements 19

20 Compliance Summary 20

21 SAQ Example- Explanation of Non-Applicability 21

22 SAQ Example-Compensating Controls 22

23  Complete “Merchant” version not Qualified Security Assessor Company version (if avail).  OSU does not use a Qualified Security Assessor Company 23 SAQ Example-Attestation

24 Tips and Hints  These focus on SAQ A and SAQ B since most merchants use these forms  SAQ A  SAQ B 24

25 Your to do list by December 12: 1.Verify credit card merchant information with Business Affairs 2.Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable) 3.Merchant managers complete and sign the Cover Page & SAQ (Annual PCI DSS Assessment must be completed for all Merchants). 4.Business Center Manager or FAM must review and sign. 5.Send to Robin Whitlock and Dan Hough  Electronic submission is preferred. 25

26 Coming in 2015: PCI 3.0  December 2015 validation will be to PCI 3.0  How PCI 3.0 requirements will be addressed by OSU merchants is still to be determined  We will keep you posted as information specific to OSU merchants becomes available 26

27 Resources  PCI Compliance for OSU Credit Card Merchants (instructions & forms)  http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card- merchants http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card- merchants  OSU FIS Manual  http://oregonstate.edu/fa/manuals/fis/1401-06 http://oregonstate.edu/fa/manuals/fis/1401-06  OUS Policy Guideline for Electronic Commerce  http://www.ous.edu/dept/cont-div/fpm/elec-40-005 http://www.ous.edu/dept/cont-div/fpm/elec-40-005  Oregon Accounting Manual - Credit Card Acceptance for Payment  http://www.oregon.gov/DAS/CFO/SARS/policies/oam/10.35.00.pr.pdf http://www.oregon.gov/DAS/CFO/SARS/policies/oam/10.35.00.pr.pdf  Oregon State Treasury Cash Management Policy  http://www.oregon.gov/treasury/Divisions/Finance/StateAgencies/Pages/Cash- Management-Manual.aspx http://www.oregon.gov/treasury/Divisions/Finance/StateAgencies/Pages/Cash- Management-Manual.aspx  Payment Card Industry Data Security Standards  https://www.pcisecuritystandards.org/merchants/ https://www.pcisecuritystandards.org/merchants/ 27

28 Thank You Business Affairs Contacts  Robin Whitlock  Robin.Whitlock@OregonState.edu, 541-737-0622  Dan Hough  Dan.Hough@OregonState.edu, 541-737-2935 28

Download ppt "2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
ISACA January 8, 2013. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS for Retail Industry

PCI DSS for Retail Industry
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009.

PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009.
Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.

Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Visa Cemea Account Information Security (AIS) Programme

Visa Cemea Account Information Security (AIS) Programme
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Similar presentations

Ads by Google