Transcript SAQ-A only - Enterprise Financial System

Payment Card
PCI DSS Compliance
SAQ-B Training
Accounts Receivable Services, Controller’s Office
7/1/2012
SAQ Training
At the conclusion of this training, merchant
managers should be able to do the following:
– Understand the scope of your cardholder data environment
– Understand how to complete the SAQ
– Understand what the Attestation means
– Understand how to accurately answer the SAQ questions
– Understand what to do if you are not PCI DSS compliant
– Understand resources available for assistance
– Complete your SAQ
What is PCI DSS?
The PCI Data Security Standard represents a common set of industry tools
and measurements to help ensure the safe handling of sensitive information.
The standard provides an actionable framework for developing a robust
account data security process - including preventing, detecting and reacting
to security incidents. (https://www.pcisecuritystandards.org/merchants/)
PCI security standards are technical and operational requirements set by the
PCI Security Standards Council (PCI SSC) to protect cardholder data.
The standards apply to all entities that store, process or transmit cardholder
data. (PCI DSS Quick Reference Guide; Understanding the Payment Card
Industry Data Security Standard version 2.0, page 6)
Why is PCI DSS important?
A breach or compromise of payment card data has
far-reaching consequences, such as:
Regulatory notification requirements,
Loss of reputation,
Loss of customers,
Potential financial liabilities (fees and fines),
Litigation, and
Denial of the University’s privilege to accept
certain cards (Visa, MasterCard, American Express,
Discover)
What is an SAQ?
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool to allow
merchants to self-evaluate compliance with the Payment Card Industry Data
Security Standards (PCI DSS).
The SAQ consists of two primary components:
1. Questions about your account that correlate with the 12 PCI DSS
requirements.
2. An Attestation of Compliance; your self-certification that you have
assessed your unit’s compliance as required in your SAQ form and
identified action plans to address areas of non-compliance.
SAQs come in several forms based on how a merchant processes, transmits and
stores cardholder data. Most University accounts use an SAQ-A, B or D.
SAQ completion is required annually by our acquiring bank and card brands.
The Standards:
6 Sections; 12 Requirements
Build and Maintain
a Secure Network
Implement Strong
Access Control Measures
1: Install and maintain a firewall
2: Do not use vendor defaults
7: Business need-to-know
8: Assign a unique ID to each person
9: Restrict physical access
Protect Cardholder Data
3: Protect stored data
4: Encrypt transmission of data
Maintain a Vulnerability
Management Program
5: Use anti-virus software
6: Secure systems and applications
Regularly Monitor &Test Networks
10: Track and monitor access
11: Regularly test security
Information Security Policy
12: Maintain a policy
The SAQ-A addresses Requirements 9 & 12
The SAQ-B addresses Requirements 3,4,7,9, & 12
The SAQ-D addresses all 12 Requirements
Annual SAQ Process
1. Determine the scope of the review. Go over your department operations
and systems with regard to accepting payment cards. This assessment of
your “cardholder data environment” helps you to accurately identify the
appropriate scope for your review. Document your process to determine
scope. Consider, for example:
• Where do you take cards? (e.g., multiple locations, front desk, internet)
• How do you take cards? (e.g., swipe terminal, Authorize.net, fax, phone, inperson)
• Who touches cards and cardholder data?
• Is the data recorded anywhere?
• Where does it go?
2. Review unit payment card policy & procedures– take a look at your
business process involving payment cards.
•
•
Has your business process changed in the last year?
Are your policies in agreement with PCI DSS and/or University policy?
Annual SAQ Process
(continued)
3. Complete Annually-Required University Forms
 Merchant manager (Form UM 1624)
Required for all departments that have a University of Minnesota Payment Card Account.
 Employee Non-disclosure (Form UM 1623)
Required for all employees involved in payment transactions who may have access to
confidential cardholder data including card numbers, expiration dates or demographic
cardholder information.
 Hosted Payment Card Account Desktop Usage Agreement
(Form UM 1705) – SAQ-A only
Required for departments that outsource all cardholder data functions to an approved University of
Minnesota on-line, hosted payment gateway that the department manages through a passwordprotected website provided by the payment gateway service provider. This annual agreement sets
out the requirements that allow the department to access the password-protected website without
establishing a secure desktop.
4. Completion of the SAQ & Attestation
SAQ-B
SPECIAL INSTRUCTIONS
You are eligible to use the SAQ B if:
• You only use standalone dial-out terminals connected to phone lines,
and
• The standalone dial-out terminals are not connected to the Internet or
any other systems within your environment, and
• You do not receive or store cardholder data in electronic form, and
• Any cardholder data that is stored is only in paper reports or copies of
paper receipts and is not received electronically.
If you meet all four requirements you are eligible to complete the
29 question SAQ-B form.
Completing Your SAQ
1. Answer each question in your SAQ and SAVE it (the form does not autosave responses)


“Yes” means you are fully compliant with this item
“No” indicates your are not compliant with this item. Each “no” must have a
corresponding entry in either:

Part 4 “Action Plan for Non-Compliance” to describe your remediation plan for compliance,
or


Appendix C “Compensating Controls” to describe how you meet the requirement in a different
way
“NA” means the item does not apply in your situation. Use Appendix D to describe why
each “NA” item is non-applicable (required).
2. Complete, print and sign the Attestation page; scan and save an
electronic copy.
3. Email the completed SAQ and Attestation to [email protected]
Action Plan
•
For each area of non-compliance there
MUST be a corresponding Action Plan to
to meet the requirement.
–
–
–
•
Describe the next steps you will take on the path
to compliance.
Summarize the Action Plan.
Include a target date to achieve remediation.
Examples:
–
–
–
We do not have a cross-cut shredder but will use
the one in the office down the hall until we buy
our own. We will purchase and install cross-cut
shredder, and train staff on use and handling of
payment cards and disposal of sensitive
information by September 30, 2012.
Compliance remediation is in process; expect
completion by July 31, 2012
Will review current practices to identify & address
gaps; will design and deliver training on new
procedures by October 31, 2012
Compensating Controls
•
Wherever you comply with the
requirements through a means
different from the method described in
the SAQ, you MUST describe the
“compensating control” in Appendix
C.
•
Use one page for each requirement
for which you use a compensating
control.
•
Compensating controls must meet the
intent of the specific Requirement.
Thus another SAQ Requirement may
not be used as a compensating
control. Compensating controls are
infrequently used at the University.
Non-Applicability
•
For each NA response you mark in
your SAQ, you MUST provide a
descriptive reason why the
requirement does not apply to your
account.
•
The description may be as simple
as:
–
–
–
•
Data is not shared with service providers.
Containers are not used to temporarily
store paper to be shredded. Cross-cut
shredder is used to immediately shred
documents no longer needed.
No media is sent via courier.
Use additional pages if necessary.
SAQ-B
Requirement #12.8
•
If you use a standalone dial-up
terminal it is unlikely that you are
sharing data with a service provider. If
that is the case for you, the appropriate
response is “NA” (be sure to add an
explanation in Appendix D:
Explanation of Non-Applicability)
•
Contact Accounts Receivable Services
if you have a question.
What is an Attestation?
• An attestation clause is frequently found in legal documents that must be
witnessed to be valid, such as signatures by those who “bear witness to
the authenticity” of a will or a deed.
• When a merchant makes an Attestation of Compliance they are, in
essence, "bearing witness to the authenticity" of the SAQ - in other
words the merchant is affirming the SAQ was completed to the best of
the merchant’s ability or in collaboration with colleagues who the
merchant reasonably believes responded to the best of their ability.
• It means the merchant thought through each requirement, when needed
sought assistance to understand and accurately respond, and believes
the SAQ accurately reflects their account. The merchant didn't just
check the boxes.
Attestation
•
Complete ALL sections
EXCEPT Part 1b
•
Part 2 use only
– Retailer
– E-commerce
– Mail order/phone order
•
Part 2a
– If you use Authorize.net
or a similar gateway they
are a 3rd party.
– Most of the University
uses Wells Fargo as the
acquirer. Contact
Accounts Receivable
Services if you believe
you work with more than
one acquirer.
Attestation – A only
Page 2
• Part 2b – You must be able to
check each item
• Part 3 - PCI DSS Validation – If
you check ‘Non-Compliant’ be sure
to include remediation Action Plans
in Part 4 (following your signature)
• Part 3a – You must mark all three.
• Part 3b – Print, sign, scan, email
Attestation
SAQ-B
• Part 2b – Transaction Processing: Not
Applicable for University SAQ-B merchants.
• Part 2c – You must be able to
check each item
• Part 3 - PCI DSS Validation – If
you check ‘Non-Compliant’ be sure
to include remediation Action Plans
in Part 4 (following your signature)
• Part 3a – You must confirm and
attest to all five statements.
• Part 3b – Print, sign, scan, email
Resources

Controller’s Office website : Training presentations & links to resources

Accounts Receivable Services for process or general form questions –
[email protected] or 612-625-2392

OITSEC: Send technical questions to [email protected]
 University’s Payment Card Policy
 Two helpful documents provided by the PCI Security Standards Council:
Navigating PCI DSS: Understanding the Intent of the Requirements describes how & why the requirements are relevant
to your payment card process.
Requirements & Security Assessment Procedures provides guidance to determine if you have met a requirement.