
PCI DSS IT Security Training for University of Tennessee Credit Card Merchants



Presentation Transcript


  1. PCI DSS IT Security Training for University of Tennessee Credit Card Merchants UT System Administration Information Security Office

  2. UTSA Information Security Office • Chief Information Security Officer • A. J. Wright • IT Security Oversight Team • Jeremy Parrott • Nick Sweet • IT Security Compliance • Sandy Lindsey • IT Security Services • John Sturgis • Campus On-site Staff • UTC: David Bean

  3. Agenda • Overview of PCI DSS and Compliance Requirements • Roles and Responsibilities • Security Awareness • Next Steps All materials available at: http://tiny.utk.edu/pci-training (and I’ll show that again on the last slide.)

  4. Payment Card Industry - Data Security Standard • PCI DSS (2004) • Increase security protections • Reduce Fraud • Protect card holders

  5. Where PCI Applies PCI DSS requirements are applicable to credit card Merchants. By itself, use of Cardholder Data (CHD) does not necessarily require PCI compliance; accepting cards as a merchant does. PCI applies to paper as well as electronic storage.

  6. The Importance of PCI Compliance Why is PCI Important? Why comply with PCI? • To manage your risk • To protect consumer data • To avoid punitive measures: potentially significant fines that increase incrementally • To continue processing credit cards What non-compliance costs: • Losses due to fraud • Negative publicity • Loss of consumer confidence • Threat of enforced regulation

  7. Penalties for Non-Compliance • Fines can include the following: • Fines of $500,000 per data security incident • Fines of $50,000 per day for non-compliance with published standards • Liability for all fraud losses incurred from compromised account numbers • Liability for the cost of re-issuing cards associated with the compromise • Suspension of merchant accounts • Incident investigation must be performed by an external PCI Forensic Investigator (PFI) approved by the PCI Security Standards Council (estimated $30k - $300k) • UT Fiscal Policy 311 states that: • “University Departments with Merchant IDs accepting credit/debit card payment for services or goods must cover all costs associated with PCI DSS compliance, as well as any fines, fees and remediation expenses associated with a security breach.”

  8. Self Assessment Questionnaires (SAQs), listed in order of increasing complexity and risk (SAQ A is where you wish you were): • SAQ A • All cardholder data functions outsourced • SAQ B • Imprint-only or dial-out terminals • SAQ C • Payment applications • SAQ C-VT • Web-based virtual terminals • SAQ D • All other types

  9. UT Fiscal Policy FI0311 • Requirements and guidelines for credit card processing activities at UT • Process for obtaining a Merchant ID • Outlines roles, responsibilities, and approval process • UTSA ISO, ACS, IT POAs, CBOs, Treasurer’s Office, Merchant Depts. • Available on UT Policy website: http://tennessee.edu/policy

  10. Roles & Responsibilities from FI0311 • UTSA Information Security Office: • Consulting, guidance, and oversight related toPCI compliance and IT Security controls • Review technical implementations related to PCI • Incident response coordination • Quarterly security scans coordination • Validate SAQs annually • Audit and Consulting Services: • Review departmental policies and procedures

  11. Roles & Responsibilities from FI0311 IT Position of Authority (Campus/Institute): • Provide compliance support and consulting • Identify and review systems in PCI scope • Provide technical guidance • Ensure a segmented cardholder data environment exists

  12. Roles & Responsibilities from FI0311 Campus/Institute Chief Business Officers: • Approve the business need for a Merchant ID • Attest to SAQ accuracy (with signature) • Monitor PCI compliance

  13. Roles & Responsibilities from FI0311 Treasurer’s Office: • Oversee credit card accounting for approved merchants • Manage the Merchant ID approval process • Maintain the relationship with the University’s processor

  14. Merchant Responsibilities from FI0311 • Complete Annual SAQ and maintain compliance • Notify Treasurer’s Office of any change in processing • Protect cardholder data and ensure appropriate security controls • Internal Procedures • Technical controls on computers that process PCI data • Update software on any terminals every 18 months. • Place computers in the segmented cardholder data environment (SAQ C, C-VT, D) • Immediately notify UTSA ISO in the event of a data breach • Financially responsible for costs associated with compliance: fines, fees, and remediation expenses

  15. High-Level Compliance Requirements • Annual Self Assessment Questionnaire • Incomplete SAQ = Non-Compliant • Written security policies and procedures • Annual Scope Verification • What systems are required to be PCI compliant? • Quarterly Vulnerability Scans (SAQ C & D) • Segmented Cardholder Data Environment (SAQ C, C-VT, and D) • Full text available online: https://www.pcisecuritystandards.org/

  16. Cardholder Data Storage Requirements • The card security code (CVC2, CVV2, CID) may not be stored after the initial transaction is authorized, even in encrypted form. • Credit card numbers must only be stored in one location (except backups.) • Complete cardholder information may not be stored in an unprotected manner. • All computers that handle, process, or store card numbers must be registered. • Merchants may not use mobile phones for processing.
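The scope-verification and storage rules on the two slides above are usually checked by hand, but a departmental "clean house" sweep goes faster with a small cardholder-data discovery script. The following is an added example, not code from the UT presentation or from the PCI SSC: it scans text records for primary account numbers (PANs), keeps only digit runs that pass the Luhn check so that order and invoice numbers are not reported, masks each hit to the first six and last four digits (the most PCI DSS allows to be displayed), and separately flags stored card-security-code fields, which are a violation no matter how they are protected. The sample records, field names and the 4111.../5555... test card numbers are constructed for the example.

```python
import re

# Constructed sample records (not from the presentation): the kind of lines a
# departmental "clean house" sweep turns up in old CSV exports, logs or DB dumps.
# 4111... and 5555... are the well-known Visa/Mastercard test numbers.
SAMPLE_RECORDS = [
    "order=1001,name=J. Doe,pan=4111111111111111,exp=12/25,cvv2=123",
    "order=1002,name=A. Smith,pan=5555 5555 5555 4444,exp=01/26",
    "order=1003,name=B. Lee,pan=4111-1111-1111-1112,cvc2=999",
    "ticket=77,note=customer phoned; invoice 1234567890123456 is unpaid",
]

# 13-19 digits, optionally separated by single spaces or hyphens, and not glued
# to other digits. This deliberately over-matches; the Luhn check prunes it.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorization:
# the card security code under its brand-specific names (field names assumed).
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; replace everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text: candidate digit runs that pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def find_sad_fields(text: str) -> list[str]:
    """Return the names of stored card-security-code fields found in text."""
    return [m.group(1).lower() for m in SAD_FIELD.finditer(text)]


def scan(records: list[str]) -> list[dict]:
    """Scan each record. Any PAN puts the system holding the record in PCI
    scope; a stored security code is a storage violation outright."""
    results = []
    for line_no, text in enumerate(records, start=1):
        pans = find_pans(text)
        sad = find_sad_fields(text)
        results.append({
            "line": line_no,
            "pans": pans,
            "sad_fields": sad,
            "violation": bool(sad),
        })
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_RECORDS):
        if r["pans"] or r["sad_fields"]:
            print(r)
```

Run it over exported files before signing the SAQ: record 1 is a stored PAN plus a stored CVV2 (violation), record 2 is an in-scope PAN, record 3 carries a stored CVC2 even though its number fails Luhn, and record 4 is a false positive the Luhn check silently drops. Note that the script only reports what it finds; it must never write the full PAN back out to a log.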

  17. PCI Incident Response • Report Security Incidents to UTSA ISO • Computer, network, or paper-based activity that (may) result in: • Misuse • Damage • Denial of service • Compromise of integrity • Loss of confidentiality • Need to demonstrate prompt response • Example Security Incidents: • Attacks launched on others • Compromise of user account • Compromise of computer systems • Viruses, Worms, and Trojan Horses • Disclosure of protected data • Unauthorized access • E-mail release • Inadvertent posting to a web site

  18. Primary Risk Area • Attacks on Users • Phishing & Social Engineering • Malicious websites • Unpatched systems • System & application vulnerabilities • Zero-day vulnerabilities • Limit exposure to email and Internet sites

  19. Phishing This email was forwarded to ABUSE@UTC.EDU from a customer at UTC:

  -----Original Message-----
  From: webmaster [mailto: ]
  Sent: Tue 5/5/2009 3:44 PM
  Subject: Mailbox Shutdown Notification

  You are expected to verify your email account to avoid mailbox shutdown by furnishing us with the following detials:
  Login Username:
  Login password: **************
  To avoid shutting down of your mailbox which could lead to loss of your important files on our server, you must send these details on receipt of this message. Thank you very much.
  Webmaster
  webmaster@iturnon.co.th

  20. Malicious Websites

  21. Protect Yourself • Log off • Lock up • Remember where you are • Do unto others • Healthy paranoia • You are the target • When in doubt…Ask

  22. Next Steps • Complete Annual SAQ (*changes coming) • Questions? Contact Treasurer’s Office or ISO • Clean house • The more you have documented, the easier next year will be • Review Documentation • Policy FI0311 • SAQ Requirements Documents • Reduce PCI scope • Move information systems into the cardholder data environment • Reduce PCI risk • Outsource credit card processing • Minimize UT exposure to cardholder data • Reduce exposure to websites and email

  23. Review • Overview of PCI DSS • PCI Requirements • Roles and Responsibilities • Next Steps

  24. Thank you! Questions? This information is available on the PCI Training website: http://tiny.utk.edu/pci-training
