Payment Card Industry (PCI) Compliance

Jay Baucom, Chief Information Officer
Arthur Hohnsbehn, Director of Information Technology
Jason Godfrey, Security Manager
North Carolina Community College System

Payment Card Industry (PCI) Compliance

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

Payment Card Industry (PCI) Compliance

The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

Payment Card Industry (PCI) Compliance - PCI Documentation
  • Payment Card Industry (PCI) Data Security Standard (DSS) Navigating PCI DSS – Understanding the Intent of the Requirements (version 1.1, February 2008)
  • Payment Card Industry (PCI) Data Security Standard (DSS) Self–Assessment Questionnaire – Instructions and Guidelines (version 1.1, February 2008)
  • Payment Card Industry (PCI) Data Security Standard (DSS) Self–Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers (version 1.1, February 2008)
  • Payment Card Industry (PCI) Data Security Standard (DSS) Glossary, Abbreviations and Acronyms
Payment Card Industry (PCI) Compliance - Common Terms
  • Account Number or PAN (Primary Account Number): payment card number that identifies the issuer and cardholder.
  • Acquirer: Bankcard association member that initiates and maintains relationships with the merchants that accept payment cards.
  • Cardholder data: Full magnetic stripe or the PAN plus any of the following:
    • Cardholder name
    • Expiration date
    • Service Code
Payment Card Industry (PCI) Compliance - Common Terms (Continued)
  • DSS: Data Security Standard
  • Penetration Test: Security-oriented probing of computer system or network to seek out vulnerabilities that an attacker could exploit.
  • Threat: Condition that may cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
Payment Card Industry (PCI) Compliance - Common Terms (Continued)
  • Vulnerability: Weakness in system security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.
  • Vulnerability Scan: Scans used to identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network.
  • Payment Provider: PayPal (Verisign) or Official Payments (OPC).
Payment Card Industry (PCI) Compliance - Trustwave Services
  • The Office of State Controller (OSC) has a master service agreement with Trustwave to perform vulnerability scans, online SAQ and answer general questions.
  • 30 of the 58 colleges participate in the OSC’s master agreement. Colleges work directly with the OSC for portal access, service delivery, and remediation. The acquirer (bank) is SunTrust.
  • The remaining 28 colleges are offered services through a supplemental agreement under the OSC master agreement. Colleges work directly with the NCCCS for portal access, service delivery, and remediation. The acquirer (bank) is selected by the college.
Payment Card Industry (PCI) Compliance - Basic Steps to Compliance

  • Compliance (Process\Procedures)
  • Validation (SAQ\Vulnerability Scans)
  • Attestation

Payment Card Industry (PCI) Compliance - Datatel Colleague e-Commerce
  • Datatel defines any payment card transaction processed via Colleague to a payment provider (PayPal\OPC) as an e-Commerce transaction. Payment card information is processed and transmitted, but never stored.
  • Datatel defines any payment card information entered into Colleague (CREN) as a Non e-Commerce transaction. This information is encrypted.
Payment Card Industry (PCI) Compliance - Datatel Colleague e-Commerce

Datatel e-Commerce requires:

  • Licensing e-Commerce
  • Installing e-Commerce (InstallShield)
  • Enabling e-Commerce
    • CORE – ECS (e-Commerce Setup)
      • ECPR – e-Commerce Providers
      • ECPA – e-Commerce Provider Account
      • EPAM - e-Comm Provider Acct Mapping
    • ST – FIWP (Financial Web Parameters)
Payment Card Industry (PCI) Compliance - e-Commerce Documentation
  • e-Commerce 3.7 Release Highlights (Release18.0) (September 18, 2006)
  • e-Commerce Installation and Administration (August 5, 2008)
Payment Card Industry (PCI) Compliance - Validation Type

Determining My PCI Validation Type - SAQ

Payment Card Industry (PCI) Compliance - Validation Types

Type 1 (SAQ A) – All cardholder data is outsourced.
Type 2 (SAQ B) – Imprint only, no electronic cardholder data is stored.
Type 3 (SAQ B) – Standalone dial-out terminals only, no electronic cardholder data is stored.
Type 4 (SAQ C) – POS or payment system connected to the Internet, no electronic cardholder data is stored.
Type 5 (SAQ D) – All other merchants and all service providers.

Payment Card Industry (PCI) Compliance - Validation Types (Continued)

Conclusion:

With the exception of payment card transactions processed using a stand-alone dial-up terminal where paper receipts are kept for refund purposes, all other payment card transactions within Colleague (CREN) or using Datatel’s e-Commerce would require a college to submit SAQ D.

Payment Card Industry (PCI) Compliance - Impact of Validation Type D

What is the impact to the colleges?

Arthur to provide some insight into what the colleges will be doing in addition to their normal processes.

Payment Card Industry (PCI) Compliance - Datatel Colleague Environment

Scenario 1: Accepting Payment via Telephone (TREG)

[Diagram; components shown: EPOS (TREG) Server, Colleague Server via DMI, Internet, CC Clearing House, Payment Verification]

Payment Card Industry (PCI) Compliance - Datatel Colleague Environment

Scenario 2: Accepting Payment via WebAdvisor (WA)

[Diagram; components shown: WA Server, Colleague Server via DMI, Internet, CC Clearing House, Payment Verification]
Payment Card Industry (PCI) Compliance - Datatel Colleague Environment

Scenario 3: Accepting Payment via Colleague (CREN)

[Diagram; components shown: Side Terminal (CC entered via CREN), Colleague Server via DMI, Internet, CC Clearing House, Payment Verification]
Payment Card Industry (PCI) Compliance - Datatel Best Practices

  • Develop a policy for maintaining payment card data. Non e-Commerce should be purged via COCD.
  • Purge payment card information in Production before cloning the Production environment to Test using COCD.
  • If troubleshooting e-Commerce with the DMI listener in debug (-t -v options), remove the log immediately after the debug information has been obtained. You are not compliant with debug turned on.
  • Work with your Bookstore provider to determine compliance.
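
As an added illustration of the debug-log point above (this is not code from the presentation, from Datatel or from Trustwave), the following scan flags Luhn-valid card numbers in listener trace lines so an administrator can confirm what a debug log exposed before it is removed. The sample log lines, the PAN field name and the mask-to-last-four rule are constructed assumptions, not the real DMI trace format.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits (masking rule assumed for this example)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(lines):
    """Return (line_number, masked_pan) for each Luhn-valid digit run found in the log lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):   # drops timestamps and ids that merely look like PANs
                findings.append((lineno, mask_pan(digits)))
    return findings


# Constructed sample in the style of a verbose listener trace; not a real Datatel log.
SAMPLE_LOG = [
    "2008-08-05 10:12:01 DMI listener -t -v: request received from EPOS",
    "2008-08-05 10:12:01 DMI listener -t -v: field PAN=4111 1111 1111 1111 EXP=0910",
    "2008-08-05 10:12:02 DMI listener -t -v: transaction id 1234567890123",
    "2008-08-05 10:12:02 DMI listener -t -v: response code 00 approved",
]

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: cardholder data present ({masked})")
```

The 13-digit transaction id on line 3 fails the Luhn check and is not reported, which keeps the scan from flooding on ordinary numeric fields.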

Payment Card Industry (PCI) Compliance - Additional Information

PCI Security Standards Council
https://www.pcisecuritystandards.org/
https://www.pcisecuritystandards.org/education/webinars.shtml (webinars)

Datatel AnswerNet Document #4397 - How to remove sensitive credit card data for PCI Compliance
http://www.datatel.com

NC Office of the State Controller
http://www.ncosc.net/programs/risk_mitigation_pci.html

Payment Card Industry (PCI) Compliance - Contact Information

NC Office of State Controller
http://www.ncosc.net/SECP/SECP_PCIOverview.html

NCCCS System Office
Jay Baucom - (919) 807-6988, baucomj@nccommunitycolleges.edu
Jason Godfrey - (919) 807-7054, godfreyj@nccommunitycolleges.edu
Kim Van Metre - (919) 807-7071, vanmetrek@nccommunitycolleges.edu

Trustwave
General Questions – (800) 363-1621
support@trustwave.com