
2014 PCI DSS Meeting

2014 PCI DSS Meeting. OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough. 10/28/2014. Today’s Presentation. What do you have to do? What is PCI DSS? Who Needs to Comply with PCI DSS? Why PCI DSS? Compliance Life Cycle Cardholder Data/Storage


Presentation Transcript


  1. 2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014

  2. Today’s Presentation
  • What do you have to do?
  • What is PCI DSS?
  • Who Needs to Comply with PCI DSS?
  • Why PCI DSS?
  • Compliance Life Cycle
  • Cardholder Data/Storage
  • Goals & Requirements
  • What do you have to do?
  • Coming in 2015: PCI 3.0
  • Resources
  • Questions

  3. Your to-do list by December 12:
  • Verify credit card merchant information with Business Affairs
  • Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
  • Merchant managers complete and sign the Cover Page & SAQ
  • Annual PCI DSS Assessment must be completed for all Merchants
  • Business Center Manager or FAM must review and sign
  • Send to Robin Whitlock and Dan Hough

  4. What is PCI DSS?
  • Payment Card Industry Data Security Standards
  • “Common set of industry tools and measurements to help ensure the safe handling of sensitive information. Provides an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents” (https://www.pcisecuritystandards.org/merchants/index.php)
  • Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Disc…)

  5. Who Needs to Comply with PCI DSS?
  • Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers…)
  • That means you!
  • Compliance is mandatory (eCommerce Policy, Oregon State Treasury, PCI DSS).

  6. Why PCI DSS?
  • 241 breaches of sensitive information to date in 2014 (affecting >64 million records)¹
  • Notable retail breaches since November 2013²
  ¹ Privacy Rights Clearinghouse, https://www.privacyrights.org, 10/28/14
  ² “Cyber Attacks on US Companies in 2014,” by Riley Walters, http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014

  7. Compliance Life Cycle (cycle diagram with three stages): PCI DSS Validation; Pre-Assessment / Gap Analysis; Implement / Remediate

  8. What is Cardholder Data?
  • Primary Account Number (PAN)
  • Expiration Date
  • Cardholder Name
  • Chip/Magnetic Stripe Data
  • CAV2/CVC2/CVV2

  9. PCI Data Storage
  • These data elements must be protected if stored in conjunction with the PAN.
  • Sensitive authentication data must not be stored after authorization (even if encrypted).
  • Magnetic stripe or chip.
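As an added illustration of the storage rules on slides 8 and 9 (example code, not part of the original presentation), the Python below strips sensitive authentication data from a transaction record before it is stored, masks the PAN to the first six and last four digits, and scans constructed sample log lines for full PANs (Luhn-checked to cut false positives) or stray authentication fields. Field names such as `track_data` and `cvv2` are assumptions for the demonstration.

```python
import re

# Sensitive Authentication Data (SAD) per the slide: never kept after
# authorization, even encrypted. Field names are assumed for this example.
SAD_FIELDS = ("track_data", "cav2", "cvc2", "cvv2", "pin")
# May be stored, but only protected alongside the PAN.
PROTECTED_WITH_PAN = ("expiration", "cardholder_name")

PAN_RE = re.compile(r"\b\d{13,19}\b")
SAD_RE = re.compile(r"\b(" + "|".join(SAD_FIELDS) + r")\s*[:=]", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(txn: dict) -> dict:
    """Return the post-authorization record that may be written to disk."""
    stored = {k: v for k, v in txn.items() if k not in SAD_FIELDS}
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored


def find_violations(lines) -> list:
    """Flag stored text (logs, DB exports) holding full PANs or SAD fields."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits += [(n, "unmasked PAN") for m in PAN_RE.findall(line) if luhn_ok(m)]
        hits += [(n, "SAD field " + m.lower()) for m in SAD_RE.findall(line)]
    return hits


# Constructed sample data for the example.
SAMPLE_TXN = {"pan": "4111111111111111", "expiration": "1216",
              "cardholder_name": "A Cardholder", "cvv2": "123", "track_data": "..."}
SAMPLE_LOG = [
    "2014-10-28 auth ok pan=411111******1111 exp=1216",   # properly masked
    "2014-10-28 debug pan=4111111111111111 cvv2=123",     # two violations
    "2014-10-28 refund ref=12345678901234",               # 14 digits, fails Luhn
]
```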

  10. PCI DSS Goals & Requirements (digital dozen)
  Build and Maintain a Secure Network (2)
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other parameters
  Protect Cardholder Data (2)
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

  11. PCI DSS Goals & Requirements
  Maintain a Vulnerability Management Program (2)
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  Implement Strong Access Control Measures (3)
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

  12. PCI DSS Goals & Requirements
  Regularly Monitor and Test Networks (2)
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  Maintain an Information Security Policy (1)
  • Maintain a policy that addresses information security

  13. Misconceptions
  • Self assessment means you’re compliant
  • Compliance means you won’t suffer a breach
  • Outsourcing takes away your need for compliance
  • PCI DSS is just about IT
  • A single product can make you compliant
  • Compliance can be automated

  14. What do we have to do?

  15. Annual PCI DSS Assessment Documents
  Documents due by December 12, 2014:
  • OSU Cover Page
  • Self Assessment Questionnaire (SAQ A-D, appropriate to merchant)
  • 3rd Party PCI DSS Certificate of Compliance (if applicable)
  Resources
  • Copies of your last assessment can be emailed to you on request
  • Website: http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card-merchants
  • Status Report by Business Center
  • SAQ Forms, Instructions, and guidelines
  • Navigating the PCI DSS
  • Glossary

  16. Self Assessment Questionnaire (SAQ)
  • Completed by the merchant manager
  • Subset of full requirements
  • Broken down by Goals & Requirements
  • Made up of Yes / No / Not Applicable responses
  • NA or “Compensating Control” must be explained
  • No must have Remediation Date and Actions
  • Attestation Section
  • Fill out the Merchant Version
  • Do not complete the Service Provider Version

  17. Which SAQ?
  • See PCI DSS Status Report

  18. Multiple Merchant Consolidation
  Multiple merchants can be combined into a single submittal if:
  • The merchant IDs (MIDs) are of the same type (i.e. all POS, Web…)
  • All merchants are managed by the same merchant manager
  • The same policies and procedures apply to all merchants
  • Strictest SAQ will apply (the one with the most questions)
  • List all merchants on cover page.

  19. SAQ Example - Requirements

  20. Compliance Summary

  21. SAQ Example - Explanation of Non-Applicability

  22. SAQ Example - Compensating Controls

  23. SAQ Example - Attestation
  • Complete the “Merchant” version, not the Qualified Security Assessor Company version (if available).
  • OSU does not use a Qualified Security Assessor Company

  24. Tips and Hints
  • These focus on SAQ A and SAQ B since most merchants use these forms
  • SAQ A
  • SAQ B

  25. Your to-do list by December 12:
  • Verify credit card merchant information with Business Affairs
  • Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
  • Merchant managers complete and sign the Cover Page & SAQ (Annual PCI DSS Assessment must be completed for all Merchants).
  • Business Center Manager or FAM must review and sign.
  • Send to Robin Whitlock and Dan Hough
  • Electronic submission is preferred.

  26. Coming in 2015: PCI 3.0
  • December 2015 validation will be to PCI 3.0
  • How PCI 3.0 requirements will be addressed by OSU merchants is still to be determined
  • We will keep you posted as information specific to OSU merchants becomes available

  27. Resources
  • PCI Compliance for OSU Credit Card Merchants (instructions & forms): http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card-merchants
  • OSU FIS Manual: http://oregonstate.edu/fa/manuals/fis/1401-06
  • OUS Policy Guideline for Electronic Commerce: http://www.ous.edu/dept/cont-div/fpm/elec-40-005
  • Oregon Accounting Manual - Credit Card Acceptance for Payment: http://www.oregon.gov/DAS/CFO/SARS/policies/oam/10.35.00.pr.pdf
  • Oregon State Treasury Cash Management Policy: http://www.oregon.gov/treasury/Divisions/Finance/StateAgencies/Pages/Cash-Management-Manual.aspx
  • Payment Card Industry Data Security Standards: https://www.pcisecuritystandards.org/merchants/

  28. Thank You
  Business Affairs Contacts
  • Robin Whitlock: Robin.Whitlock@OregonState.edu, 541-737-0622
  • Dan Hough: Dan.Hough@OregonState.edu, 541-737-2935
