SAQ-A - Enterprise Financial System


Payment Card PCI DSS Compliance: SAQ-D Training
Accounts Receivable Services, Controller’s Office
7/1/2012
SAQ Training
At the conclusion of this training, merchant managers should be able to do the following:
– Understand the scope of your cardholder data environment
– Understand how to complete the SAQ
– Understand what the Attestation means
– Understand how to accurately answer the SAQ questions
– Understand what to do if you are not PCI DSS compliant
– Understand resources available for assistance
– Complete your SAQ
What is PCI DSS?
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. (https://www.pcisecuritystandards.org/merchants/)
PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data. (PCI DSS Quick Reference Guide; Understanding the Payment Card Industry Data Security Standard version 2.0, page 6)
Why is PCI DSS important?
A breach or compromise of payment card data has far-reaching consequences, such as:
• Regulatory notification requirements,
• Loss of reputation,
• Loss of customers,
• Potential financial liabilities (fees and fines),
• Litigation, and
• Denial of the University’s privilege to accept certain cards (Visa, MasterCard, American Express, Discover)
What is an SAQ?
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool to allow merchants to self-evaluate compliance with the Payment Card Industry Data Security Standards (PCI DSS).
The SAQ consists of two primary components:
1. Questions about your account that correlate with the 12 PCI DSS requirements.
2. An Attestation of Compliance; your self-certification that you have assessed your unit’s compliance as required in your SAQ form and identified action plans to address areas of non-compliance.
SAQs come in several forms based on how a merchant processes, transmits and stores cardholder data. Most University accounts use an SAQ-A, B or D.
SAQ completion is required annually by our acquiring bank and card brands.
The Standards: 6 Sections; 12 Requirements
Build and Maintain a Secure Network
1: Install and maintain a firewall
2: Do not use vendor defaults
Protect Cardholder Data
3: Protect stored data
4: Encrypt transmission of data
Maintain a Vulnerability Management Program
5: Use anti-virus software
6: Secure systems and applications
Implement Strong Access Control Measures
7: Business need-to-know
8: Assign a unique ID to each person
9: Restrict physical access
Regularly Monitor & Test Networks
10: Track and monitor access
11: Regularly test security
Information Security Policy
12: Maintain a policy
SAQ-A: 13 questions from Requirements 9 & 12
SAQ-B: 29 questions from Requirements 3, 4, 7, 9 & 12
SAQ-D: 240+ questions across all 12 Requirements
Annual SAQ Process
1. Determine the scope of the review. Go over your department operations and systems with regard to accepting payment cards. This assessment of your “cardholder data environment” helps you to accurately identify the appropriate scope for your review. Document your process to determine scope. Consider, for example:
• Where do you take cards? (e.g., multiple locations, front desk, internet)
• How do you take cards? (e.g., swipe terminal, Authorize.net, fax, phone, in person)
• Who touches cards and cardholder data?
• Is the data recorded anywhere?
• Where does it go?
2. Review unit payment card policy & procedures – take a look at your business process involving payment cards.
• Has your business process changed in the last year?
• Are your policies in agreement with PCI DSS and/or University policy?
Annual SAQ Process (continued)
3. Complete Annually-Required University Forms
• Merchant manager (Form UM 1624)
Required for all departments that have a University of Minnesota Payment Card Account.
• Employee Non-disclosure (Form UM 1623)
Required for all employees involved in payment transactions who may have access to confidential cardholder data including card numbers, expiration dates or demographic cardholder information.
• Hosted Payment Card Account Desktop Usage Agreement (Form UM 1705) – SAQ-A only
Required for departments that outsource all cardholder data functions to an approved University of Minnesota on-line, hosted payment gateway that the department manages through a password-protected website provided by the payment gateway service provider. This annual agreement sets out the requirements that allow the department to access the password-protected website without establishing a secure desktop.
4. Completion of the SAQ & Attestation
SAQ-D SPECIAL INSTRUCTIONS
In 2012 you are required to complete an SAQ-D…
1. …Unless you qualify to complete the 13-question SAQ-A because you outsource all cardholder data functions to a third party service provider (e.g. Authorize.net). Note: If you use Authorize.net but also take credit cards in person, via fax, phone, mail, or any other means, and process via the Authorize.net virtual terminal, no matter how infrequently, you must complete an SAQ-D.*
2. …Unless you qualify to complete the 29-question SAQ-B because you only process credit cards using a standalone dial-out terminal that is connected to a phone line or cellular line. If the standalone terminal is connected to the Internet, you must complete an SAQ-D.
*Note: If most of your transactions go through Authorize.net but you accept a small number of fax or telephone orders, one option is to open a second merchant account and use a swipe terminal for those transactions. You would then have one SAQ-A account (fully outsourced to Authorize.net) and one SAQ-B account (swipe terminal).
Completing Your SAQ
1. Answer each question in your SAQ and SAVE it (the form does not autosave responses)
• “Yes” means you are fully compliant with this item
• “No” indicates you are not compliant with this item. Each “No” must have a corresponding entry in either:
– Part 4 “Action Plan for Non-Compliance” to describe your remediation plan for compliance, or
– Appendix C “Compensating Controls” to describe how you meet the requirement in a different way
• “NA” means the item does not apply in your situation. Use Appendix D to describe why each “NA” item is non-applicable (required).
2. Complete, print and sign the Attestation page; scan and save an electronic copy.
3. Email the completed SAQ and Attestation to [email protected]
Action Plan
• For each area of non-compliance there MUST be a corresponding Action Plan to meet the requirement.
– Describe the next steps you will take on the path to compliance.
– Summarize the Action Plan.
– Include a target date to achieve remediation.
• Examples:
– We do not have a cross-cut shredder but will use the one in the office down the hall until we buy our own. We will purchase and install a cross-cut shredder, and train staff on use and handling of payment cards and disposal of sensitive information by September 30, 2012.
– Compliance remediation is in process; expect completion by July 31, 2012.
– Will review current practices to identify & address gaps; will design and deliver training on new procedures by October 31, 2012.
Compensating Controls
• Wherever you comply with the requirements through a means different from the method described in the SAQ, you MUST describe the “compensating control” in Appendix C.
• Use one page for each requirement for which you use a compensating control.
• Compensating controls must meet the intent of the specific Requirement. Thus another SAQ Requirement may not be used as a compensating control.
• Compensating controls are infrequently used at the University.
Non-Applicability
• For each NA response you mark in your SAQ, you MUST provide a descriptive reason why the requirement does not apply to your account.
• The description may be as simple as:
– Data is not shared with service providers.
– Containers are not used to temporarily store paper to be shredded. Cross-cut shredder is used to immediately shred documents no longer needed.
– No media is sent via courier.
• Use additional pages if necessary.
What is an Attestation?
• An attestation clause is frequently found in legal documents that must be witnessed to be valid, such as signatures by those who “bear witness to the authenticity” of a will or a deed.
• When a merchant makes an Attestation of Compliance they are, in essence, "bearing witness to the authenticity" of the SAQ - in other words the merchant is affirming the SAQ was completed to the best of the merchant’s ability or in collaboration with colleagues who the merchant reasonably believes responded to the best of their ability.
• It means the merchant thought through each requirement, when needed sought assistance to understand and accurately respond, and believes the SAQ accurately reflects their account. The merchant didn't just check the boxes.
Attestation
• Complete ALL sections, except for 1b
• Part 2 use only
– Retailer
– E-commerce
– Mail order/phone order
• Part 2a
– If you use Authorize.net or a similar gateway they are a 3rd party.
– Most of the University uses Wells Fargo as the acquirer. Contact Accounts Receivable Services if you believe you work with more than one acquirer.
• Part 2b – Complete as applicable to your account
Attestation (continued)
• Part 3 - PCI DSS Validation – If you check ‘Non-Compliant’ be sure to include remediation Action Plans in Part 4 (following your signature)
• Part 3a – You must confirm and attest to all five statements.
• Part 3b – Print, sign, scan, email
Common PCI DSS violations:
• Storage of magnetic stripe data (Req 3.2)
• Inadequate access controls (Reqs 7.1, 7.2, 8.2 and 8.3)
• Default system settings/passwords not changed (Req 2.1)
• Unnecessary services not removed (Reqs 2.2.2 and 2.2.4)
• Poorly coded web applications (Req 6.5)
• Missing and outdated security patches (Req 6.1)
• Lack of logging (Req 10)
• Lack of monitoring (Reqs 10.6, 11.2, 11.4 and 11.5)
• Poor network segmentation (Reqs 1.2, 1.3 and 1.4)
Resources
• Controller’s Office website: Training presentations & links to resources
• Accounts Receivable Services for process or general form questions – [email protected] or 612-625-2392
• OITSEC: Send technical questions to [email protected]
• University’s Payment Card Policy
• Two helpful documents provided by the PCI Security Standards Council:
– Navigating PCI DSS: Understanding the Intent of the Requirements describes how & why the requirements are relevant to your payment card process.
– Requirements & Security Assessment Procedures provides guidance to determine if you have met a requirement.