Transcript Document
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council
Accounting and Financial Services

What is PCI-DSS?
• PCI-DSS is an acronym for the Payment Card Industry Data Security Standard.
• PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards and to store, process, and/or transmit cardholder data.

About the Council
• The Payment Card Industry Security Standards Council, or PCI SSC (often termed simply “the Council”), is an open global forum, launched in 2006, that develops, maintains and manages the PCI Security Standards, which include the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS), and the PIN Transaction Security (PTS) Requirements.
• The Council’s five founding global payment brands are American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
• The Council does NOT validate or enforce any organization’s compliance with its PCI Security Standards, nor does it impose penalties for non-compliance. These areas are governed by the payment brands and their partners.
PCI-DSS Requirements: Merchant Levels

Level 1
Merchant criteria: Merchants processing over 6 million Visa transactions annually
Validation requirements:
• Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”), or by an Internal Auditor if signed by an officer of the company
  o The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification
• Quarterly network scan by an Approved Scan Vendor (“ASV”)
• Attestation of Compliance Form

Level 2
Merchant criteria: Merchants processing 1 million to 6 million Visa transactions annually
Validation requirements:
• Annual Self-Assessment Questionnaire (“SAQ”)
• Quarterly network scan by ASV
• Attestation of Compliance Form

Level 3
Merchant criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
Validation requirements:
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance Form

Level 4
Merchant criteria: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
Validation requirements:
• Annual SAQ recommended
• Quarterly network scan by ASV if applicable
• Compliance validation requirements set by merchant bank

Report on Compliance
• The Report on Compliance (ROC) is produced during onsite PCI DSS assessments as part of an entity’s validation process.
• The ROC provides details about the entity’s environment and the assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement.
UCD/UCDHS Level 2 Merchant
• 2,508,716 combined transactions processed in 2013
• $129,479,579.00 in sales processed in 2013
• UCD is the 2nd largest in the UC System; UCLA and UCSD are also Level 2 Merchants
• 203 merchants must comply collectively with the PCI-DSS

PCI Merchant Types and SAQ (Self-Assessment Questionnaire)
Five different SAQ forms; each successive form requires a higher level of validation complexity. UCD/UCDHS have a combined 203 merchants:
• SAQ “A”: Fully Outsourced Merchant (47)
• SAQ “B”: Dial-Out Terminal, Card Imprint Merchant (146)
• SAQ “C”: Internet Connected Payment Application Merchant (3)
• SAQ “C-VT”: Internet Connected Virtual Terminal Merchant (4)
• SAQ “D”: All Others (POS Point of Sale System) (3)

PCI Non-Compliance
• The fines can vary based on the level of non-compliance
• Visa/MC have the discretion to determine those fines
• Visa/MC have indicated that UCD could be required to pay $5000.00 per month in fines for every month of non-compliance

UCD Credit Card Breach Impact
• Average cost per credit card compromised is $188.00
• Significant fees, fines, and penalties
• Cost of forensic audit
• Litigation
• Regulatory notification requirements
• Negative image for the UC Davis brand

Campus Compliance Efforts
• Sylvia Montgomery (University Cashier & Credit Card Coordinator) is leading our compliance efforts.
• Coalfire, our QSA, is working with our largest merchants on gap analysis reports.
• Merchants are addressing risks and preparing for the ROC.
• The ROC is scheduled for early October.