
PCI-DSS Compliance Awareness Training


Presentation Transcript


  1. PCI-DSS Compliance Awareness Training
  Cathy Freeman, Cash and Treasury Services, Payment Card Coordinator

  2. What is PCI-DSS?
  • The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
  • The major credit card companies (VISA, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that ALL merchants must comply with in connection with the acceptance of payment cards. These new standards are called Payment Card Industry Data Security Standards or PCI DSS. These standards have placed additional responsibilities on CU departments in connection with acceptance of payment cards.

  3. Brief History of PCI DSS
  • 1999: Internet era begins; payment card fraud begins. Visa becomes the first card brand to develop security standards.
  • 2000–2001: Online fraud grows. Reports show online revenue lost due to fraud reached 1.5 billion. That amount would nearly triple throughout the course of the decade. Card brands struggle to enforce security policies. Few companies are able to meet Visa's compliance because of disparities between Visa North America and international guidelines.
  • 2004: Web infrastructure attacks become rampant. December 15, 2004: PCI DSS 1.0 debuts.
  • 2005: All merchants processing at least 20,000 payment card transactions annually must be PCI-DSS compliant.
  • 2006: September 6, 2006: PCI DSS Version 1.1 released.

  4. Why is PCI Compliance Important?

  5. Why is PCI Compliance Important? You don’t want to make the headlines!

  6. Why is PCI Compliance Important?
  • Good business practice.
  • PCI compliance is like insurance.
  • Large monetary fines assessed to your department and/or Clemson University.
  • Loss of merchant status for department.
  • Loss of merchant status for Clemson University.
  • Loss of faith in Clemson University name.
  • You are vulnerable!

  7. Why is PCI Compliance Important? Because they are after us! Source: NBC News

  8. Why is PCI Compliance Important? Because they are after us!
  • Universities are prime targets for hackers with their vast stores of personal data and research.
  • From 2006 to 2013, 550 universities reported some kind of data breach.
  • In 2014, 10 percent of reported security breaches involved the education sector. That trails only health care and retail.
  • In May, a large University revealed that hackers had breached computers in its engineering department. They were notified of the breach by the FBI.
  • Over 18,000 students, faculty and 500 research partners were possibly affected by the breach.
  Source: NBC News, Symantec's Internet Security Threat Report.

  9. Why is PCI Compliance Important? Because they are after us! Source: Symantec

  10. Why is PCI Compliance Important? Cost to US Merchants and Consumers
  • Annual fraud costs reached $32 billion in 2014, a 38 percent increase over 2013. Fraudulent payments account for 0.68 percent of retail revenue, up from 0.51 percent in 2013.
  • The Federal Bureau of Investigation's Internet Crime Complaint Center tallied 269,422 complaints in 2014, costing Americans over 800 million in losses. The center has received over 3 million complaints since its establishment in May 2000.
  Source: PYMNTS.com, Newsweek

  11. Why is PCI Compliance Important? Costs of Non-Compliance
  Noncompliance Fines: The consequences of not being PCI compliant range from $5,000 to $500,000, which is levied by banks and credit card institutions. Banks may fine based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines.
  Breach Consequences: Even if a company is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder breaches can result in the following losses for a merchant.
  • $50-$90 fine per cardholder data compromised.
  Source: Focus On PCI

  12. Self Assessment Questionnaire (SAQ)
  What is the PCI DSS Self-Assessment Questionnaire?
  • The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are four versions of the PCI DSS SAQ to choose from to meet your business need.
  • The SAQ is completed by the Merchant or Service Provider.
  • The SAQ is made up of Yes and No answers.
  • The SAQ is broken up into 12 requirements.
  • Clemson University currently fills out the SAQ C: Merchants with Payment Application Systems Connected to the Internet.

  13. Network Security Scanning
  What is Network Security Scanning?
  • PCI DSS requires that merchants perform both internal and external vulnerability scans on a regular basis to ensure that your cardholder data environment meets current security standards.
  • Scans are performed quarterly and are supplemented with additional scans whenever there are significant changes to your cardholder data environment.

  14. Merchant Requirements – Six Goals, Twelve Requirements

  15. Merchant Requirements – Six Goals, Twelve Requirements

  16. Clemson University Requirements
  • It is against University Policy to store cardholder data electronically or in paper format.
  • Treat payment card receipts like you would cash.
  • Keep payment card data secure and confidential.
  • Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • Assign all users a unique ID before allowing them to access system components or cardholder data.
  • Documents containing cardholder data should be kept in a secure environment (i.e. safe, locked file cabinet, etc.).
  • Never send cardholder information via email. Credit card numbers must not be transmitted in an insecure manner, such as email, unsecured fax or through campus mail.

  17. Clemson University Requirements Cont.
  • Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment.
  • Render sensitive cardholder data unreadable anywhere it is stored.
  • Cardholder data should be destroyed when it is no longer needed so that account information is unreadable and cannot be reconstructed.
  • Manual swipes or imprinters are not authorized for use.
  • Technology changes that affect payment card systems are required to be approved by the Cash and Treasury office prior to being implemented.
  • Any new systems/software that process payment cards are required to be approved by the Cash and Treasury office prior to being purchased.
  • Any computer system hosting a credit card application must be housed in CCIT's data centers due to security requirements.

  18. Clemson University Requirements Cont.
  • Computer systems that process payment cards must be behind a firewall.
  • Use and regularly update anti-virus software.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
  • Report all suspected or known security breaches to Cash and Treasury Services and CCIT's Information Security and Privacy.

  19. Clemson University Cardholder Data Storage Merchants cannot store cardholder data electronically or in paper format.

  20. PCI Compliance Responsibilities
  Merchant Responsibilities
  • Complete Clemson University Credit Card Security Self-Assessment Questionnaire annually.
  • Each merchant is responsible for their own PCI DSS Compliance.
  • Implementation of all data security controls necessary to comply with PCI DSS requirements.
  • Attendance at an annual PCI DSS Compliance Training conducted by the Cash and Treasury Services Department.
  • Merchants who have access to cardholder data will read the Payment Cardholder Data Processing and Handling Policy and complete an e-signature annually. The e-signature indicates that you have read the policy and completed the required PCI training.

  21. PCI Compliance Responsibilities – Point of Sale Merchants
  In addition to the PCI Compliance Responsibilities on the previous slide, Point of Sale merchants will complete the following.
  • Complete the POS Device Control Form annually, located at http://media.clemson.edu/cfo/cash-treasury/POS-Device-Control-Form.pdf.
  • Inspect the POS Device and the surrounding area weekly.

  22. PCI Compliance Responsibilities
  Cash and Treasury Services
  • Provide guidance and support to the merchants' PCI DSS Compliance efforts.
  • Make recommendations on how to lower a merchant's risk of exposure to breaches.
  • Coordinate and assist in the completion and submission of SAQs by all merchants.
  • Serve as Liaison between merchant and the Credit Card Processor.
  • Assist merchants in responding to a possible breach.

  23. PCI Compliance Responsibilities
  CCIT Information Security & Privacy
  • Completes and coordinates with Cash and Treasury Services a single Security Assessment Questionnaire (SAQ) for the University.
  • Provide guidance and support to the merchants' PCI DSS Compliance efforts from a technical perspective.
  • Make recommendations on how to implement Compensating Controls that will meet particular PCI DSS requirements.
  • Provide Application and Website Vulnerability Scanning. This can also be done at the system level.
  • Assist merchants and Cash and Treasury Services in responding to a possible breach and in the breach investigation.

  24. PCI Compliance & Point of Sale Software Best Practices
  PC-based software terminals must be segmented and secure. Merchants must restrict access to the Internet and Email. Merchants should never browse the internet or check email on any PC connected to your POS Software system. All it takes is one misguided click to infect your system with malware that can steal your data. To prevent this, it is best to have a separate computer outside of your payment processing network available to browse the internet and check your emails.

  25. Payment Cardholder Data Processing and Handling
  Clemson University must take all appropriate measures to secure cardholder data when accepting credit card payments to the University. Credit card transactions have become the preferred method for making payments to the University. All departments that accept American Express, Discover, MasterCard and Visa payments are required to comply with the Payment Card Industry Data Security Standards (PCI-DSS).
  Cardholder Access
  • All merchants must be authorized by Cash and Treasury Services.
  • University employees must be trained in the proper handling of credit card information. Individuals who are new to the role must be trained in PCI-DSS Compliance prior to processing cardholder data.
  • Access to cardholder data must be restricted appropriately based on job function.

  26. Payment Cardholder Data Processing and Handling Cont.
  • A copy of the policy must be read and an e-signature completed by authorized individuals annually.
  Transmission of Cardholder Data
  • Cardholder data must not be transmitted in an unsecure manner. For example: unencrypted email, electronic messaging, public fax machines, and inter-office mail.
  Storage of Cardholder Data
  • Do not store cardholder data in electronic format. Electronic formats include files on computers, smart phones, flash drives, and other similar devices.
  • Do not store cardholder data in paper format. Once the cardholder information has been processed, destroy it with a crosscut shredder.

  27. Payment Cardholder Data Processing and Handling Cont.
  Telephone Payments (Cardholder Not Present Transactions)
  The use of a point of sale device will not be permitted to process card not present transactions. Please contact the Office of Cash and Treasury Services to transition to a TouchNet Marketplace Online Store.
  Fax Payments
  The use of a point of sale device will not be permitted to process card not present transactions. Please contact the Office of Cash and Treasury Services to transition to a TouchNet Marketplace Online Store.

  28. Payment Cardholder Data Processing and Handling Cont.
  Card Present Transactions (Point of Sale Device)
  Credit card processing devices must be configured to display only the last four digits of the credit card number on printed receipts.
  • Picture ID required if the card is not signed.
  • Provide receipt to cardholder.
  • Store settlement and merchant copies in a secure area.
  Receipt of Cardholder Information in Email
  • Any unencrypted credit card information received by email will not be processed.
  • The recipient of cardholder data will notify the sender that the transaction cannot be processed. Other acceptable methods for processing the credit card transaction will be offered. An email response template is provided in the Payment Cardholder Data Processing and Handling procedure. See next slide for link.
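The two rules above (show only the last four digits on receipts; never process an unencrypted card number that arrives by email) are the kind of control a merchant can check mechanically. The following is an added example, not code from the Clemson deck or its procedure: a small Python checker that finds Luhn-valid card numbers in text, so an inbox or shared folder can be screened for cardholder data that must not be processed or stored, and masks a PAN to its last four digits in the form the receipt rule requires. The sample email body and the 4111 test card number are constructed.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes (covers the Visa, MasterCard, Discover and American Express lengths).
# The lookarounds stop a longer digit run from being split into a false match.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real card number satisfies.

    Using it cuts false positives from order numbers, invoice ids and
    other long digit strings that merely look like a PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like PANs and pass Luhn."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Display form: only the last four digits, as required on receipts."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


def email_contains_pan(body: str) -> bool:
    """True when the message must be refused under the email rule."""
    return bool(find_pans(body))


# Constructed sample: a real-looking (Luhn-valid) test PAN, a 16-digit order
# number that fails Luhn, and a phone number that is too short to match.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111 exp 12/27 "
    "for order 1234567890123456.\n"
    "Call me at 864-656-0530 if there is a problem."
)

if __name__ == "__main__":
    print("contains PAN:", email_contains_pan(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
```

Running the block on the sample reports one PAN, masks it as ************1111, and leaves the order number and phone number untouched.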

  29. Payment Cardholder Data Processing and Handling Cont.
  Retention and Destruction of Cardholder Data
  • Cardholder data will be destroyed once the transaction has been processed. Paper will be crosscut shredded.
  The policy and procedure can be found at the web site below.
  http://www.clemson.edu/finance/business-manual/cts06proc.html

  30. Credit Card Security Incident Response Plan
  No organization is safe from suffering a security incident. Guideline 12.10 v3 PCI DSS requires that merchants create a security incident response team and document an incident response plan. The Clemson University Credit Card Security Incident Response Team (Response Team) is comprised of CCIT Security and Privacy and Cash and Treasury Services. The Chief Information Security Officer (CISO) and the Office of Cash and Treasury Services lead the response team when an incident occurs. The CISO will determine if other University staff should be notified of the breach. The team also includes representatives from: Controller's Office, CU Media Relations, Internal Audit, Office of General Counsel & Risk Management.

  31. Credit Card Security Incident Response Plan Cont.
  All merchants should review the Clemson University Credit Card Security Incident Response Plan at: http://media.clemson.edu/cfo/cash-treasury/Credit-Card-Security-Incident-Response-Plan.pdf

  32. PCI-DSS Requirement 9.9
  9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
  Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
  Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.

  33. Protecting Your Swipe Devices from Illegal Tampering
  The threat to Point of Sale (POS) terminal tampering is serious and worldwide. Every day criminals install skimmers, KeyKatchers, and other devices which grab cardholder data. The cardholder data is used to create cloned cards or to break into bank accounts to steal money.
  Point of Sale Device Protection: Watch your POS Equipment
  • Examine your POS device that accepts credit and debit cards; look for anything abnormal. Examples: skimmers, KeyKatchers, missing or broken seals, damage to the device, damage to external cable or broken port, or other materials that could mask damage or tampering.
  • The Office of Cash and Treasury Services requires that you inspect your POS device and PIN-entry devices (PED) weekly. Check for the following:

  34. Protecting Your Swipe Devices from Illegal Tampering Cont.
  • Is the POS device and PED (PIN entry device) in its designated location?
  • Is the POS device's manufacturer name, model and serial number correct?
  • Each merchant must maintain a record of the model and serial numbers for reference. The Office of Cash and Treasury Services maintains a record of all POS devices as well.
  • Is the color and condition of the POS device as expected, with no additional marks or scratches, especially around the seams of the terminal window display?
  • Are the manufacturer's security seals and labels present with no signs of peeling or tampering?
  • Is the number of connections to the POS device as expected, with the same type and color of cables, and with no loose wires or broken connectors?

  35. Protecting Your Swipe Devices from Illegal Tampering Cont.
  Physical Security: Safeguard Your POS Equipment and Surrounding Areas
  • All POS devices will be locked up in a secure area at the end of each business day to prevent any unauthorized removal attempts from your merchant location.
  • Check your POS environment for hidden cameras or recording devices. Merchants should:
  • Verify there are no additional or unauthorized displays where a camera could be hidden. Examples: adjacent walls, plaques or signs, brochure containers or personal items.
  • Inspect the ceiling area above the POS device.

  36. Protecting Your Swipe Devices from Illegal Tampering Cont.
  Staff Communication and Education: Train your staff on POS Equipment Tampering Prevention
  • As part of card acceptance, all staff will be trained annually by the Office of Cash and Treasury Services on how to recognize noticeable signs of equipment tampering. It will be the responsibility of the POS custodian to train any new employees in their area to recognize signs of equipment tampering before they can process credit or debit cards.
  • Control POS device and PED access by service support representatives. Allow only validated and authorized service personnel to access POS devices and PEDs. Unauthorized or unexpected individuals should not be allowed access to the POS device.

  37. Protecting Your Swipe Devices from Illegal Tampering Cont.
  • The Office of Cash and Treasury Services is the only area that will provide support for your POS equipment. The Payment Card Coordinator will work directly with the POS custodian in your department on all equipment issues.
  • Any third-party persons claiming to be repair or maintenance personnel are prohibited from gaining access to your POS device. Report any personnel attempting to gain access to your POS device to the Payment Card Coordinator with the Office of Cash and Treasury Services. Do not accept any replacement POS devices from third-party personnel or companies.
  • Ensure that only authorized support personnel are escorted and monitored at all times while attending the equipment.

  38. Protecting Your Swipe Devices from Illegal Tampering Cont.
  What to Do In the Event of POS Tampering
  • If you believe your merchant operation has been subject to device tampering, contact your Payment Card Coordinator (864-656-0530) with the Office of Cash and Treasury Services and the Campus Police Department.
  All merchants can review Protecting Your Swipe Devices from Illegal Tampering at: http://media.clemson.edu/cfo/cash-treasury/Protecting-Your-Swipe%20Devices-from-Illegal-Tampering.pdf

  39. Protecting Your Swipe Devices from Illegal Tampering Cont. - Checklist

  40. Credit Card Payment Methods
  • Point of Sale Terminals & Wireless Terminals
  • Mobile Devices
  • E-commerce

  41. Accepting Credit Cards on Campus
  • Thinking of taking payment cards or changing your current process? Contact Cash and Treasury Services first.
  • Do not go it alone. The state of South Carolina mandates who we can use for credit card processing. PayPal Accounts and devices like Square cannot be used.
  • Our current credit card processing companies are FirstData and TouchNet.
  • Contact Cash and Treasury Services for current credit card rates charged by FirstData.
  • Clemson University accepts American Express, Discover, MasterCard and Visa.

  42. Just Remember…
  • Data Security is an ongoing process.
  • Recognize the risks at all levels to your department.
  • Understand what you can do to be proactive.
  • Determine what behaviors and processes may have to change.

  43. Want to know more? Resources
  • PCI Data Security: https://www.pcisecuritystandards.org/
  • Cash and Treasury Services > Merchant Card Services > PCI Compliance: http://www.clemson.edu/finance/cash-treasury/merchant-card/
  • Office of Information Security & Privacy: http://www.clemson.edu/ccit/help_support/safe_computing/

  44. Points of Contact
  Cash and Treasury Services, Banking and Payment Card Coordinator: 864-656-0530, http://www.clemson.edu/cfo/cash-treasury/
  and
  Office of Information Security and Privacy: 864-656-7131, http://www.clemson.edu/ccit/help_support/safe_computing/

  45. Points of Contact
  A confidential Ethics Line and/or website is provided as a service to assist any member of the University community with reporting concerns or issues about questionable practices. These may include fraud, theft, conflicts of interest, abuse of assets or property, or violations of laws or regulations. Toll Free: 1-877-503-7283 (1-877-50FRAUD) or http://www.lighthouse-services.com/clemson. Available 24 hours a day, seven days a week.

  46. Questions

  47. PCI Compliance Training Questions
  What does PCI-DSS stand for?
  A. Protect Computer Identity-Data Security Standard
  B. Payment Card Industry-Data Security Standard
  C. Payment Card Industry-Data Safety Standard
  D. Payment Card Identification-Develop Security Service

  48. PCI Compliance Training Questions
  What does PCI-DSS stand for?
  A. Protect Computer Identity-Data Security Standard
  B. Payment Card Industry-Data Security Standard
  C. Payment Card Industry-Data Safety Standard
  D. Payment Card Identification-Develop Security Service
  Answer: B. Incorrect. Good try. PCI-DSS stands for Payment Card Industry-Data Security Standard. Next Question

  49. PCI Compliance Training Questions
  What does PCI-DSS stand for?
  A. Protect Computer Identity-Data Security Standard
  B. Payment Card Industry-Data Security Standard
  C. Payment Card Industry-Data Safety Standard
  D. Payment Card Identification-Develop Security Service
  Answer: B. Correct. Good Job! PCI-DSS stands for Payment Card Industry-Data Security Standard. Next Question
