Payment Card Industry (PCI) Compliance

Jay Baucom, Chief Information Officer
Arthur Hohnsbehn, Director of Information Technology
Jason Godfrey, Security Manager
North Carolina Community College System
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
The PCI Security Standards Council's mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
PCI Documentation
Payment Card Industry (PCI) Data Security Standard (DSS) Navigating PCI DSS – Understanding the Intent of the Requirements (version 1.1, February 2008)
Payment Card Industry (PCI) Data Security Standard (DSS) Self-Assessment Questionnaire – Instructions and Guidelines (version 1.1, February 2008)
Payment Card Industry (PCI) Data Security Standard (DSS) Self-Assessment Questionnaire D and Attestation of Compliance: All other Merchants and all SAQ-Eligible Service Providers (version 1.1, February 2008)
Payment Card Industry (PCI) Data Security Standard (DSS) Glossary, Abbreviations and Acronyms
Common Terms
Account Number or PAN (Primary Account Number): payment card number that identifies the issuer and cardholder.
Acquirer: Bankcard association member that initiates and maintains relationships with the merchants that accept payment cards.
Cardholder data: Full magnetic stripe or the PAN plus any of the following:
Cardholder name
Expiration date
Service Code
Common Terms - Continued
DSS: Data Security Standard
Penetration Test: Security-oriented probing of a computer system or network to seek out vulnerabilities that an attacker could exploit.
Threat: Condition that may cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
Common Terms - Continued
Vulnerability: Weakness in system security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.
Vulnerability Scan: Scans used to identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network.
Payment Provider: PayPal (Verisign) or Official Payments (OPC).
Trustwave Services
The Office of State Controller (OSC) has a master service agreement with Trustwave to perform vulnerability scans, host the online SAQ and answer general questions.
30 of the 58 colleges participate in the OSC's master agreement. These colleges work directly with the OSC for portal access, service delivery, and remediation. The acquirer (bank) is SunTrust.
The remaining 28 colleges are offered services through a supplemental agreement under the OSC master agreement. These colleges work directly with the NCCCS for portal access, service delivery, and remediation. The acquirer (bank) is selected by the college.
Basic Steps to Compliance
Compliance (Process / Procedures)
Validation (SAQ / Vulnerability Scans)
Attestation
Datatel Colleague e-Commerce
Datatel defines any payment card transaction processed via Colleague to a payment provider (PayPal / OPC) as an e-Commerce transaction. Payment card information is processed and transmitted, but never stored.
Datatel defines any payment card information entered into Colleague (CREN) as a Non e-Commerce transaction. This information is encrypted.
Datatel Colleague e-Commerce
Datatel e-Commerce requires:
Licensing e-Commerce
Installing e-Commerce (InstallShield)
Enabling e-Commerce
CORE – ECS (e-Commerce Setup)
ECPR – e-Commerce Providers
ECPA – e-Commerce Provider Account
EPAM - e-Comm Provider Acct Mapping
ST – FIWP (Financial Web Parameters)
e-Commerce Documentation
e-Commerce 3.7 Release Highlights (Release 18.0) (September 18, 2006)
e-Commerce Installation and Administration (August 5, 2008)
Validation Type
Validation Types
Validation Types - Continued
Impact of Validation Type D
Datatel Colleague Environment: Accepting Payment via Telephone (TREG)
(Diagram) Components: EPOS (TREG) Server, Colleague Server via DMI, Internet, Payment Verification, CC Clearing House.
Datatel Colleague Environment: Accepting Payment via WebAdvisor (WA)
(Diagram) Components: WA Server, Colleague Server via DMI, Internet, Payment Verification, CC Clearing House.
Datatel Colleague Environment: Accepting Payment via Colleague (CREN)
(Diagram) Components: Side Terminal (CC entered via CREN), Colleague Server via DMI, Internet, Payment Verification, CC Clearing House.
Datatel Best Practices
Develop a policy for maintaining payment card data.
Non e-Commerce data should be purged via COCD.
Purge payment card information in Production before cloning the Production environment to Test using COCD.
If troubleshooting e-Commerce with the DMI listener in debug (-t -v options), remove the log immediately after the debug information has been obtained. You are not compliant with debug turned on.
Work with your Bookstore provider to determine compliance.
Additional Information
PCI Security Standards Council
https://www.pcisecuritystandards.org/
https://www.pcisecuritystandards.org/education/webinars.shtml (webinars)
Datatel AnswerNet Document #4397 - How to remove sensitive credit card data for PCI Compliance http://www.datatel.com
NC Office of the State Controller
http://www.ncosc.net/programs/risk_mitigation_pci.html
Contact Information
NC Office of State Controller
http://www.ncosc.net/SECP/SECP_PCIOverview.html
NCCCS System Office
Jay Baucom - (919) 807-6988
Jason Godfrey - (919) 807-7054
Kim Van Metre - (919) 807-7071
Trustwave
General Questions – (800) 363-1621