Transcript Slide 1

Penn’s Compliance with Payment
Card Industry (PCI) Standards
February 7, 2007
PCI Overview
• Data Security
– Gregory Tausz, Sr. Director of Finance, Office of the EVP
• PCI Best Practices and Policy
– Bill Kasenchar, Sr. IT Project Leader, ISC
• Background Checks
– Gary Truhlar, Exec.Director, HR
• Conferences Services On-Line Registration
– Jeff Barta, Director of Sales and Marketing, Business Services
Information Security
Types of Data
– Social Security Number
– Credit Card Data
– Health Information
– Credit Information
– Student Records
– Employee Records
– Alumni Information
– Email / Other Electronic Data
More than 80 data-theft incidents at colleges
and universities over the past two years (1)
• Ohio University - holds the record in higher education for sheer number of files that were compromised. Vast computer-security breach of Social Security data: 367,000 files on students, staff, and alumni exposed to hackers over a 13-month period.
• University of Southern California - whose applications database containing files on 270,000 people was hacked in July 2005.
• University of Texas at Austin - electronic break-in at the business school in April exposed 197,000 files containing biographical information on students, alumni, and staff members.
• University of Kentucky - disclosed that Social Security numbers of 6,500 current or former students were stored on a portable device, called a thumb drive, that had been stolen from a faculty member.
• Western Illinois University - hacker may have copied Social Security or credit-card numbers of 200,000 to 240,000 current or former students. The credit cards had been used to purchase textbooks online or for stays in a university hotel.
(1) Source: Chronicle of Higher Education, 9/29/06
Select Actions Taken to
Reduce Theft of Data
• ISC
– Monitors virus activity, installs security patches.
– PennKey: Ensures that passwords no longer pass over the
network in clear text (reducing the likelihood that they are compromised);
reduces the visibility of Social Security numbers in core
administrative systems and applications.
• Records clean up
• SPIA – Security and Privacy Risk Assessment - evaluation of
electronic information risk in business systems
• Payment Card Industry Compliance Initiative
Under what circumstances does
Penn accept credit cards?
• Annenberg – performances
• Athletics – ticket sales
• Retail – BSD (e.g. Computer Connection)
• Services – Dental and Veterinary Services
• Student related – tuition and fee payments
• Executive Education – course enrollment
• Fund raising – annual fund
Risks associated with
accepting credit cards?
Theft of credit card number
• Reputational risk
• Legal actions
• Future revenue impact
Payment Card Industry Data
Security Compliance
Best Practices, Processes and Policy
Payment Card Industry Initiative
• University’s security compliance initiative to minimize
credit card fraud risks.
• Effort led by ISC and the Treasurer, along with HR,
Office of the General Counsel and the Schools and
Centers affected.
• Regulated by an industry body that includes all major
credit card companies (e.g. Visa, MasterCard, American
Express, etc.).
• Policies apply to any company that transmits or
processes credit or debit card information. Scope
includes credit card data collected both on-line (online card
services) and in-person at point-of-sale (POS) terminals.
Timeline
• January 2005
– Visa and MasterCard announce the Payment Card Industry
Data Security Standard, also endorsed by Amex, Diners Club
and Discover
• Requirements include firewalls, encryption, two-factor authentication,
antivirus software, and regular audits by independent, certified vendors (e.g.
PwC, Verisign, etc.)
• June 2005
– Original Compliance date
• Penalties for non-compliance: According to VISA/MC: if we are
compromised and not compliant, then fines up to $500,000 per incident
• March 1, 2007
– Penn Compliance date
Schools/Centers Affected
• 125 merchant accounts across 26 schools and centers
• Remediation Summary
– The university currently is 89% compliant (111 of 125).
– Our report on compliance is required (by Paymentech) to be an
aggregate self-assessment that includes all university and UPHS
merchant accounts
• Our goal is to provide our report on compliance to Paymentech in
February
• UPHS has contacted all their account holders and is completing
their remediation effort. It is unclear at this time if they will be able to
meet our goal.
– Treasurer’s web site has been modified to reflect compliant
processes and best practices.
Merchant Accounts by School/Center

School/Center              Accounts      %
Business Services                17    14%
Wharton                          13    10%
SAS                              11     9%
SOM                              10     8%
Vet                              10     8%
VPUL                             10     8%
Dental                            6     5%
DOF - Updated                     6     5%
Law                               6     5%
Museum                            6     5%
Express App                       6     5%
Development                       3     2%
Library                           3     2%
DRIA                              2     2%
Nursing                           2     2%
Pres Office                       2     2%
Provost Office                    2     2%
SEAS                              2     2%
Social Policy and Pract           2     2%
Annenberg Cntr Perf Arts          1     1%
Annenberg School                  1     1%
Design                            1     1%
GSE                               1     1%
ICA                               1     1%
ISC Penntrax                      1     1%
Totals                          125   100%
• External party goes to the Penn website and makes a credit card payment.
• The Penn website hands the purchase off to the PayPal website, which takes the
credit card information. Credit card information is retained on the PayPal server.
• PayPal transmits the sales information to Paymentech.
• Paymentech processes the credit card transaction and remits to the account at
Wachovia.
• Sales are automatically credited to the School/Center account.
Best Practices - Don’ts
• Do not send credit card data via e-mail
• Do not store track data from credit cards
• Do not use any wireless network to
transmit or view credit card data
• Do not store credit card data
• Do not use a POS terminal on a VOIP
telephone line
Best Practices – Do’s
• Train your staff in the appropriate security procedures for
handling credit card data
• Configure POS machines to not store credit card data. The full
16-digit credit card number shouldn’t appear on any receipt or
end-of-day summary
• Use Payflow Link for e-commerce transactions
– Transfers security risk to Verisign or a compliant third-party
vendor
• Shred any paper containing credit card numbers immediately
following processing. Only the transaction id is required to
handle disputes or credits/refunds
• Structure any paper forms so that the credit card data can be
removed (perforation at bottom of page) and shredded
immediately following processing and then the other bio/demo
data can be retained for business purposes without restriction
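A small defender-side check for two of the rules above: a receipt or end-of-day summary must not show the full 16-digit card number, and magnetic-stripe track data must never be stored. This is an added example, not code from the slide deck or from Penn; the sample receipt and POS log lines are constructed, and the card number used is a well-known test number.

```python
import re

# Constructed sample inputs (not from the slides); 4111... is a
# well-known test card number, not a real account.
RECEIPT = ("Penn Bookstore  11/02/2006  Card 4111 1111 1111 1111  "
           "Total $48.20  Order 1234567890123456")
POS_LOG = "swipe ;4111111111111111=25121010000000000? amount=48.20"

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Magnetic-stripe track data: track 1 begins '%B<PAN>^', track 2 ';<PAN>='.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d+\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to drop order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Luhn-valid card numbers present in text, digits only."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pans(text: str) -> str:
    """Reduce each card number to its last four digits, as a compliant
    receipt or end-of-day summary should print it."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()          # leave non-card numbers untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def has_track_data(text: str) -> bool:
    """True if full magnetic-stripe track data appears in the text."""
    return TRACK_RE.search(text) is not None


if __name__ == "__main__":
    print(find_pans(RECEIPT))       # ['4111111111111111']
    print(mask_pans(RECEIPT))       # card shown as ************1111
    print(has_track_data(POS_LOG))  # True
```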
Best Practices – Processes
• Make sure you read the treasurer’s web site at:
(http://www.finance.upenn.edu/treasurer/cashman/ccprocessing.shtml)
prior to requesting a merchant account
• Make sure that anyone who wants to set up a merchant account
goes through the proper channels within your organization prior to
contacting the treasurer’s office.
• Make sure that anyone who will come in contact with credit card data
has signed off that they have read and understand Penn data security
policies.
• Make sure a background check is done for all new hires that will handle
credit card data (PIQ and HR Manager have been updated to reflect
this requirement)
• Contractually obligate vendors to accept compliance and liability
responsibility and vet the contract through OGC prior to signing
• Become familiar with Information Security’s ‘Incident Response Plan’
and all Information Security policies at
http://www.upenn.edu/computing/policy/index.html#security
• Be aware of the PCI standard at http://www.pcisecuritystandards.org/
Background Checks
Background Check History
• In January 2001, the University implemented a prototype criminal
background check program for new staff hired in the:
– Executive Vice President’s divisions
– Engineering & Applied Sciences
– University Museum
• Additional units participating:
– School of Medicine
– Wharton
– College of Arts & Sciences
– Units reporting to the Provost
– Computing jobs across the University
• Approximately 66% of the academic staff positions are covered by
the current background check policy
Who Performs the Check?
• A Division of Automatic Data Processing (ADP)
– Why ADP?
– University’s sole source provider
• Federal law precludes University Police from
conducting routine background checks
• Background checks are initiated by Recruitment
& Staffing through the ADP web site
What checks will be run?
• Social security number check
• Criminal records search
– Criminal convictions only
– Arrests are blocked and not considered
• Credit Check
– For those handling cash or credit card data
PCI –
Background Check Guidelines
• “Screen potential employees to minimize the risk
of attacks from internal sources.”
• “Inquire of Human Resource department
management and verify that background checks
are conducted (within the constraints of local
laws) on potential employees who will have
access to cardholder data or the cardholder data
environment.” (Security Audit Procedures v 1.1)
PCI Background Checks
• Required under PCI Standards
– “The primary focus of the PCI Security Standards is to help
merchants improve the safekeeping of cardholder information by
tightening their overall security standards, which in turn reduces
their chances of experiencing security breaches, fraud, and
potential catastrophic financial losses.”
• Effective 1/01/2007 for new Penn hires
only (not existing staff, transfers, etc.)
HR Hiring Issues –
Credit Card Responsibilities
• Properly document job responsibilities in PIQ’s
• Job Posting must notify of Background Check
• Complete Background Check form, including
selecting “Credit Check”
• HR Manager will be modified to automate Credit
Card Posting Process
Conference Services On-line
Registration
Evolution
In collaboration with ISC’s PCI Team, Conference Services is compliant with PCI standards
developed for web-based transactions
-Setup, hosting, and maintenance are managed by Seattle Technology Group, Inc. on
their secure servers
-Payments are securely processed via a PayFlow Pro account
-Registrants enter their conference registration information and submit their payment
using 128-bit SSL
Basic Features
-Require a payment in order to submit a registration for any or all conferences, or make
payment optional
-All registration and event charges are automatically calculated/displayed to the
registrants and payments are securely processed/immediately displayed on a
confirmation web page
-Registration and/or payment confirmations can be automatically emailed to registrants
Details
In January 2007, Conference Services made this application available to the entire
University community
-For schools/centers/departments who require occasional use merchant accounts
-A customizable web-based Event Management application that both facilitates
the collection of customer data relative to an event and supports processing of
web-based credit card payments
-Conference Services facilitates journaling payments to the general ledger and to
individual departmental accounts, thereby reducing time and expense of setting
up one-use merchant accounts
-Reduces the overall number of merchant accounts the University maintains
-Can be used as a stand-alone web application or embedded into an existing web
application tailored to a specific conference offering.
Contact Jeff Barta in Conference Services for more information at 215-898-9319 or
[email protected]
Web site: www.destinationpenn.com/merchantaccount (work in progress)
Questions?