Transcript PCI Power Point Presentation

Complying With
Payment Card Industry Data
Security Standards (PCI DSS)
We live and work in a global
community. Most of us give
very little thought to handing
over our credit or debit card
to complete strangers or
entering our card data into a
website.
We do this in good faith,
expecting that our information
will be protected. Yet, each year
millions of Americans are
affected by credit card theft.
With confidence their data is safe,
individuals engage in payment card
activity with Longwood University daily.
They depend on us to protect their cardholder and other
personal information. We must maintain a secure data
environment; loss of consumer confidence can have
serious repercussions for our institution.
As a University employee, temporary
hire, student or volunteer who
processes payment card transactions,
you are responsible for protecting and
securing cardholder data at all times.
Education is at risk: While many departments want to accept credit
cards, they have different needs and some have little or no
knowledge of credit card security requirements.
Data Security Breaches – Past 3 Years
Government
Source: Privacy Rights Clearinghouse
6%
Healthcare
8%
Higher
Financial
Education
Services
33%
Other
17%
14%
Retailers
22%
Payment Card Industry Data Security Standards (PCI DSS) are
administered by the PCI Security Standards Council, which was
founded by VISA, MC, AMEX, DISCOVER, and JCB.
PCI DSS applies to all entities that store, process or transmit
credit card data. If you are a merchant who accepts or
processes payment cards, you MUST comply with PCI DSS!
Entities in the Payment Card “Ecosystem”:




PCI Security Standards Council (PCI SSC)
Founded by card associations and responsible for administering PCI DSS
PCI Data Security Standards (PCI DSS)
Technical and operational requirements set by PCI SSC to protect
cardholder data
Cardholder
Person holding a credit or debit card
Card Associations (Brands) – VISA,MC, AMEX,Discover,JCB
Enforce compliance with the PCI DSS
Entities in the Payment Card “Ecosystem”:




Issuing Bank
Bank that issues payment cards to consumers (cardholders)
Acquiring Bank
Contracts for payment services with merchant; merchant must validate
PCI DSS compliance with its “acquirer”; acquirer reports compliance
status to card associations
Merchant
Entity that sells goods/services and accepts cards; responsible for
safeguarding credit card data and complying with the PCI DSS
Service Provider
Entity that provides all or some of the payment services for the
merchant; responsible for safeguarding credit card data and complying
with the PCI DSS
The goal of PCI DSS is to protect cardholder data whenever it is
processed, stored or transmitted. Sensitive authentication data
(magnetic stripe data, chip data, CAV2/CID/CVC2/CVV2) must NEVER
be stored after authorization.
The Self-Assessment Questionnaire (SAQ) is a tool by which eligible
merchants and service providers can validate their PCI DSS compliance
through self-assessment.
SAQ A
SAQ B
SAQ C-VT
SAQ C
SAQ D
(13 questions)
(29 questions)
(51 questions)
(80 questions)
(286 questions)
All cardholder data Imprint machines or Web-based virtual Payment application All other methods
functions
standalone dial-out
terminal; No
connected to
outsourced; No
terminals only; No electronic cardholder
internet; No
electronic storage, electronic cardholder
data storage
electronic cardholder
processing or
data storage
data storage
transmission of
cardholder data
Goals
PCI DSS Requirements
1. Build and maintain a
secure network
1. Install and maintain a firewall configuration to protect data
2. Change vendor-supplied defaults for system passwords and
other security parameters
2. Protect cardholder data
3. Protect stored data
4. Encrypt transmission of cardholder magnetic-stripe data and
sensitive information across public networks
3. Maintain a vulnerability
management program
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
4. Implement strong access
control measures
7. Restrict access to data to a need-to-know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
5. Regularly monitor and test
networks
10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
6. Maintain an information
security policy
12. Maintain a policy that addresses information security
PCI DSS applies to you if you store, process or
transmit cardholder data (in person, by mail, fax
or phone, or online) or you use a system that
processes or stores credit card data. You must…


Evaluate your credit card acceptance activities and
determine validation requirements (based on
merchant level, card acceptance and processing
methods)
Validate PCI compliance with our “Acquirer”
annually using Self-Assessment Questionnaire



Participate in annual credit card security awareness
training
Develop and comply with payment card acceptance
policies/procedures
Maintain appropriate technical system security and
network controls
ASSESS:
Examine
Cardholder
Environment
REPORT:
Submit
Compliance
Reports
REMEDIATE:
Resolve
Vulnerabilities
Consequences of
noncompliance
with PCI data
security standards
include:
 Loss
of reputation
and customers
 Financial fees and
fines
 Litigation or
sanctions
 Termination of
credit card payment
acceptance

All merchants must adhere to PCI standards and certify compliance
with applicable standards annually.

Merchants will abide by University policy and procedures.



Departments may not negotiate contracts with credit card
processing companies or companies accepting credit card
payments. All merchant accounts for accepting credit cards must
be approved by Financial Operations.
Do not store credit card data unless required to conduct
departmental business.
Never store credit card numbers
electronically in a database or spreadsheet, on portable media or
on share drives.
Do not store full cardholder account numbers (PAN) with expiration
dates. Mask all but the last 4 digits of the credit card number.



Never store sensitive authentication data - magnetic stripe data, chip
data, the CAV2/CVC2/CVV2/CID, or the PIN/PIN block - under any
circumstances.
Always protect cardholder data against unauthorized access.
credit card information locked in a secure location.
Keep
Do not allow unauthorized persons access to areas where credit card
data is stored. Restrict physical access to computer workstations and
other equipment used in credit card payment processing.

Permit only those employees with a legitimate “need to know” access to
cardholder data.

Destroy documentation containing credit card information when no
longer needed for business or legal reasons.




Each employee with access to payment card
information via computer should have a unique login
or password. Log out of computer when unattended.
Never share passwords or user IDs.
Limit user access to specified privileges.
Never use vendor supplied default passwords.
Passwords should be changed regularly – at least
every 90 days.
Ensure computers handling credit card data possess
updated versions of University recommended
antivirus and spyware detection software.

Do NOT request, send or accept payment card information by
email. If you receive cardholder data via email, do NOT process
the transaction. Make the sender aware that, for their safety,
they should never email credit card information. Remove the
cardholder data when responding and direct them to an
approved processing method.
Delete the email containing
cardholder data completely from your email account.

Maintain up-to-date policies and
departmental desktop procedures.
procedures,

Complete annual credit card security training upon hire and at
least annually.

Any confirmed or suspected breach should
immediately to the Information Security Office.
be
including
reported