2 Discussion Topics
- What is PCI-DSS?
- Credit Card Processing
- Two specific facets (Technical & Functional)
- Penalties for non-compliance
- Risks
- Plan of Action
3 What is PCI-DSS?
- Payment Card Industry Data Security Standard (DSS), initially created by Visa and MasterCard (officially in 2006); now also includes Discover, Amex and JCB.
- All credit card companies in the U.S. have endorsed the Standard.
- PCI-DSS was created so there would be common industry security requirements.
4 Purpose
- Mandated by the credit card companies: “If you accept our credit card(s), you must follow these rules.”
- Protect customers against fraud and identity theft.
- Avoid breaches and fraud resulting in lost revenue.
5 What PCI is NOT
- PCI is NOT something we can ignore.
- PCI is NOT a project; it is an ongoing program.
- It is NOT a silver bullet.
- It is NOT an option: if we accept credit cards as a source of payment, we must comply.
- It is NOT static.
6 Twelve Requirements
There are twelve seemingly simple requirements... however, there are approximately 230 sub-requirements beneath them, and which ones apply depends on the Merchant Level and on the SAQ you are required to complete.
7 PCI DSS Requirements
Goal: Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
8 SAQs
Attestations of Compliance are included as part of each SAQ.
- SAQ A: Card-not-present merchants, all cardholder data functions outsourced
- SAQ B: Merchants with only imprint machines or only standalone, dial-out terminals; no electronic cardholder data storage
- SAQ C-VT: Merchants with web-based virtual terminals; no electronic cardholder data storage
- SAQ C: Merchants with payment application systems connected to the Internet; no electronic cardholder data storage
- SAQ D: All other merchants, and all service providers defined by a payment brand as eligible to complete an SAQ
9 Scope
“Any network component, server, or application that is included in or connected to the cardholder data environment”
10 Scope
- Map the network(s) and the cardholder data flow
- Use an automated tool to find your data
- Interview each campus merchant
- Understand business and data needs
- Determine the actual business processes
- Identify third-party service providers
- Get details on all payment applications (logs, traces)
- Vendors can be frustrating
11 Penalties
- Fines up to $500,000 from each credit card company, plus $197 per account holder
- Forensic investigation by a QSA (Qualified Security Assessor) begins at $10,000
- Increased auditing requirements
- Negative public relations
- Losing the ability to process credit card transactions completely
Websites: and
Dr Larry Ponemon, an inaugural member of the Unisys Security Leadership Institute, an Adjunct Professor of Ethics & Privacy at Carnegie Mellon University’s CIO Institute, a former CEO of the Privacy Council and a former Global Managing Partner for Compliance Risk Management at PricewaterhouseCoopers, conducts independent research, educates leaders from both the private and public sectors and reports on privacy and data practices spanning a variety of industries. In his most recent survey results:
- The total average cost of a data breach in 2007 = per compromised record; up from in 2006, and from in
- An increase in lost business due to a data breach: lost business accounts for 65% of data breach costs, compared to 54% in
- An increase in third-party data breaches: in 2007, 40% of survey respondents reported breaches by third-party companies (software vendors, outsourcers, business partners), i.e. the kind of AceWare/pc charge/iModule software and payment applications being used on campus today
- And lastly, the cost of legal defense and public relations in response to a breach grew to 8%, up from 3 percent in
Can we afford it?
12 College & University Breaches
- University breaches have increased exponentially since 2005
- Open, vulnerable networks
- Numerous merchants across campuses
- Payment processes spread over a large geographical area
13 Security Breaches
- Approximately 600,000,000 records breached since 2005. The running total represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.
- Since 2010 there have been 88 breaches (mostly universities, a few high schools).
- 98% of hacking successes are the result of default passwords being left in place. Always change default passwords.
14 Universities Are At Risk
Network penetration, server hacking, SQL injection, stolen laptop computers, desktop computers, unlocked offices/desks, unsecured USB portable drives, CDs and DVDs containing sensitive information; particularly primary account numbers (PANs), SSNs, names, addresses and birthdates.
18 SSL Terminal (flow diagram)
Parties shown: Merchant, Merchant Processor, Card Owner’s Bank (Issued Card), Merchant’s Bank. Steps shown: Authorization Request, Authorization Confirmation, Settlement. Money flow shown: $ to Interchange, $$$ to Processor, $$$$ to Merchant’s Bank.
19 Internet Processing (flow diagram)
Parties shown: Merchant, Gateway, Processor, Card Owner’s Bank (Issued Card), Merchant’s Bank. Steps shown: Authorization Request, Authorization Confirmation, Settlement. Money flow shown: $ to Interchange, $$$ to Gateway/Processor, $$$$ to Merchant’s Bank.
20 Mobile Processing (flow diagram)
Parties shown: Merchant, Cellular Network, Processor, Card Owner’s Bank (Issued Card), Merchant’s Bank. Steps shown: Authorization Request, Authorization Confirmation, Settlement. Money flow shown: $ to Interchange, $$$ to Processor, $ to Merchant’s Bank.
21 Cost Comparison (columns: Mobile Pay, Website, Omni VX570, Notes)
One-Time Fees:
- $75 for Encrypted Card Reader (additional readers $65)
- $150 Initial Setup Fee (PNC)
- $600 for terminal purchase (Dual Comm)
Monthly Fees:
- $12 Monthly Access Fee
- $15 Monthly Fee
- These fees are applied whether you process during the month or not.
Per-Transaction Fees:
- .10 per transaction. So if you run 10 transactions, that will cost you $1.
- .06% Discount Fee. This is applied to your gross $ processed.
Website Gateway:
- $99 setup fee
- $50 per month for the Authorize.Net secure gateway or other PCI DSS/PA DSS compliant application.
- Authorize.Net Secure Gateway is preferred by NKU and PNC Merchant Services.
22 Equipment/Point of Sale System: Spectrum of Risk (scale: Low, Moderate, Severe)
- Cash
- Dial Terminals
- Mobile (Encrypted Reader)
- Wireless Terminals (using cell phone networks)
- SSL Terminals
- Website Redirected Payments
- Virtual Terminals
- Web-based Applications
- Wi-Fi Terminals
- WEP/WPA Encrypted Wireless Networks (must be WPA2)
- Any system storing Card Holder Data (prohibited by PCI)
- Manual Imprinters
23 In the future…
- EMV (Europay, MasterCard, Visa): October 2015
- P2PE (Point-to-Point Encryption)