Payment Card Industry Data Security Standards Annual Refresher Training
Presentation Transcript
This refresher course will:
  • Review of the PCI Data Security Standards
    • PCIDSS in a nutshell
    • Payment Card Protection Team
    • Compliance basics
    • Data breach review
  • 2013 Change to How the University’s Compliance is Measured
  • 2013 New Technology: Online SAQ Portal
  • Update of PCIDSS compliance roles at the University
  • Contact information
The Purpose for PCI DSS

“The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

PCI DSS Requirements and Security Assessment Procedures, October 2010, pg. 5

Payment Card Protection ‘Team’
  1. Employees, contractors or students involved in accepting credit or debit cards (or who touch the cardholder data environment)
    • Merchant Managers & staff (including student workers)
    • Support units: ARS, IT, Purchasing, OGC, third party vendors
  2. Credit card brands
    • Visa
    • MasterCard
    • American Express
    • Discover
  3. Acquiring bank (Wells Fargo)

Complying with PCI Standards at the University

  • Standards are established & updated by the PCI Council and card issuers
  • Standards are enforced primarily through the University’s contract with Wells Fargo which is managed by Accounts Receivable Services (ARS)
  • ARS oversees PCI compliance through
    • Policy & procedures
    • Merchant Manager training & support
    • Coordination with related units such as University Information Security
    • Facilitation of the annual merchant account compliance review process

(Diagram of compliance roles: Accounts Receivable Services, Merchant Manager, Employees & student workers, OIT, UIS, Dept IT)

What is a data breach?

Broadly speaking, a breach is:

An unauthorized acquisition of protected data that compromises the security, confidentiality, or integrity of the protected information.

Leading Causes of a Data Breach
  • Malicious attack
    • Targeted attack with the intent to commit data theft or otherwise inflict harm
  • Negligent employee or contractor
    • Failure to follow established standards
    • Lack of training
  • System glitch
    • IT or business process failures
Cost of a Breach
  • $5.5 million: the average total organizational cost of a data breach*
    • 39% of incidents involved a negligent employee or contractor
    • 37% concerned a malicious or criminal attack
    • 24% involved system glitches including IT and business process failures
  • $222: The average cost per compromised record for detection, escalation, notification, and remediation (doesn’t include costs associated with damaged reputation)*
  • 1,506,900 records: the number of private records exposed in data breaches at 59 US higher education institutions in 2012**
    • (1.5M × $222 = $333,000,000) / 59 = $5,644,068 estimated cost per HE breach
  • Sources: *2011 Cost of Data Breach Study, Ponemon Institute; **http://www.privacyrights.org/data-breach
The University at Risk

http://bits.blogs.nytimes.com/2012/10/03/hackers-breach-53-universities-dump-thousands-of-personal-records-online/?smid=tw-share

The University as Data “Gold Mine”

But, it isn’t always about the money.

Hacktivism

Change in 2013
  • Wells Fargo and Visa raised the University’s compliance demonstration requirements. This change was based on the annual number of Visa transactions. This means:
    • Compliance is now measured by a security assessor
      • For 2013 we will use a Qualified Security Assessor (QSA) from CampusGuard, a firm specializing in higher education security
    • Individual merchants must continue to complete the annual Self-Assessment Questionnaires (SAQ), and…
    • The University will only be considered PCI compliant if all accounts are deemed compliant by the assessor
New Technology
  • Rolled out an online portal for SAQ completion & document collection
    • The portal provides merchant managers with 24/7 access to complete their SAQs
    • Managers can ask the assessor questions directly through the portal
    • A secure ‘document locker’ provides each merchant with a dedicated area to store PCI-related documents
Updated Contacts for 2013
  • Accounts Receivable Services, pmtcard@umn.edu
    • General inquiries
    • Darla Schroeder, Cash Application Manager (612-626-7215), schro077@umn.edu
      • Terminal issues
      • Account set-up, close, modify
      • Reconciliation, chartstring or other accounting issues
  • University Information Security, abuse@umn.edu
  • Your IT professionals _______
  • Laura Gilbert, PCI-DSS Compliance Analyst (612-624-7892), gilbert7@umn.edu
    • Manager training
    • CampusGuard portal
    • Annual assessment:
      • SAQ & UMN form completion
      • ROC assessment
      • Remediation plan oversight
    • Policy questions
    • Vendor relationship support (e.g., pen testing, 3rd party outsourcing)
Resources
  • Be familiar with University policy & procedures
    • Accepting Revenue Via Payment Cards
    • Obtaining Approval to Accept Credit Cards
    • Managing Payment Card Acceptance
  • Your IT professionals
  • Applicable University Forms
    • UM 1624 Payment Card Manager Form
    • UM 1623 Employee Non-Disclosure Form
    • UM 1705 Desktop Usage Agreement (only required for SAQ-A e-commerce solutions)
  • Controller’s Office Website: General and SAQ-specific training materials & guidance documents
  • PCI Security Standards Website: SAQ forms, guidance docs
  • PCI Glossary
  • Look for emails throughout the year from the Controller’s Office and partner departments about program changes, new issues, annual deadlines and training.

Allow time in your schedule to fully manage your account.