PCI Compliance: The Gateway to Paradise Agenda I. Background II. What is PCI-DSS? III. Who must comply? IV.
Download ReportTranscript PCI Compliance: The Gateway to Paradise Agenda I. Background II. What is PCI-DSS? III. Who must comply? IV.
PCI Compliance: The Gateway to Paradise Agenda I. Background II. What is PCI-DSS? III. Who must comply? IV. Cost of non-compliance V. Digital Dozen VI. Higher Education Challenges VII. Centralize Compliance Background ??? Cardholder Information Security Program (CISP) Site Data Protection Program (SDP) Confused Merchants Discover Information Security Compliance (DISC) Data Security Standard (DSS) What is PCI-DSS? • Payment Card Industry Data Security Standard (PCI-DSS) • Card Associations founded an LLC in 2006 http://www.pcisecuritystandards.org • One program now • Mission: Enhance payment account data security by fostering a broad adoption of PCI-DSS What is PCC-DSS? Policy decisions made by Executive Committee Participating organizations provide feedback on evolution of PCI Who Must Comply? “Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.” *Payment Card Industry Data Security Standard Who Must Comply? Merchant Compliance 1 Any merchant-regardless of acceptance channel-processing over 6,000,000 transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 transactions per year. 3 Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. Cost of Non-Compliance In the event of the a breach the acquirer CAN make the merchant responsible for: • Any fines from PCI-Co • Up to $500,000 per incident • Cost to notify victims • Cost to replace cards (about $10/card) • Cost for any fraudulent transactions • Forensics from a QDSC • Level 1 certification from a QDSC Cost of Non-Compliance • Example: 50,000 credit cards stolen – PCI Penalty - $100,000 per incident • $500,000 if you do not have a selfassessment – Card Replacement - $500,000 – Fraudulent Transaction – $61,750,000 • $1,235 - 2004 average fraudulent transaction – Bad Publicity – Priceless! Cost of Non-Compliance • States are making PCI law and adding to the cost of compliance – Minnesota passed the state bill 1574 which makes PCI a law • Anyone processing more than 20,000 transactions is subject to fines if a breach occurs – Texas is working on a similar bill – Other states are likely to follow Digital Dozen Build and Maritain a Secure Network • Install and maintain a firewall configuration to protect cardholder data • Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data • Protect stored cardholder data • Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program • Use and regularly update anti-virus software • Develop and maintain secure systems and applications Implement Strong Access Control Measures • Restrict access to cardholder data by business need-to-know • Assign a unique ID to each person with computer access • Restrict physical access to cardholder data Regularly Monitor and Test Networks •Track and monitor all access to network resources and cardholder data • Regularly test security systems and processes Maintain an Information Security Policy •Maintain a policy that addresses information security Higher Education Challenge • Higher education networks comprise an estimated 15% of the total advertised Internet address space* • Extremely “open” by tradition and culture • Highly connected networks to commercial internet, regional, national, and international research networks • Communities range from 1,000 to 200,000 people • Thousands of networked devices • Departments control local technology and act independently • Understaffed IT department * University of Indiana Higher Education Challenge • Higher education accounted for over 26% of the breaches in 2006. • 68% of schools have 0-1 FTE dedicated to PCI • 36% of schools have an incident response plan * Survey data from Walt Conway Associates, LLC Centralize Compliance • Get executive buy-in – President – Treasurer/CFO – CIO • Define a commerce committee – IT – Security – Internal Audit – Treasury Centralize Compliance Define and publish credit card handling policy • Acceptable payment channels • Handling of PII (Personally Identifiable Information) • Requesting merchant IDs • Applicability to University employees, work study… • Background and credit checks for employees handling credit cards • Training and acknowledgement • Use of vendors Centralize Compliance • Gap analysis – Review all existing merchants and their procedures – Identify “urgent improvements” – Operational remediation plan – Technical remediation plan • Compliance maintenance – Rules will change – Systems will change – PCI is a journey – not a destination Centralize Compliance Consider outsourcing • Get as many credit card numbers off campus as possible • Use a service provider to process credit card transactions • Approved scanning vendors • Approved hosting centers Questions? David R. King President Nelnet Business Solutions [email protected]