
Merchant Card Processing (PCI Compliance for Supervisors)


Presentation Transcript


  1. Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security

  2. Introductions • Cathy Riedl-Farrey • Controller, Financial Services • Anna Pulver • Information Security Officer • Patrick Fitzsimons • Internal Auditor

  3. Agenda What is PCI Compliance? What is expected of you? Time lines

  4. Why we are here PCI DSS 12.6.1 (c): Have employees completed awareness training, and are they aware of the importance of cardholder data security?

  5. Modern-day data security risks • Over the past couple of decades • Increase in payment card usage • Increase in e-commerce • Great convenience • Unfortunately… • Security has not kept pace • The criminals have noticed

  6. Therefore… • UW-Platteville is concerned. • UWPLT adopted a policy regarding storage, transmission, processing of payment card data • Credit Card Handling Policy, currently being revised • http://www.uwplatt.edu/financial/credit-card-compliance • UWPLT must be “PCI Compliant”

  7. We Need You We need your help to achieve compliance!

  8. Does compliance apply to you? • If you take branded credit card information…PCI applies to you • Major brands: VISA, MC, AmEx, Discover • Whether • The actual physical card is present, or • You receive the data via phone, web, or mail • You contract with a hosted provider or use an in-house department • If you “store, transmit or process” cardholder data

  9. What is PCI Compliance? • Who/What is PCI? • PCI DSS – 6 Goals, 12 Requirements • The PCI Compliance process • PCI Compliance questionnaires • What are the implications of compliance?

  10. Payment Card Industry (logo: https://www.pcisecuritystandards.org/) • “PCI” = Payment Card Industry • Major brands: VISA, MC, Discover, AmEx • Established a Data Security Standard • PCI DSS • Thus, “PCI Compliant” • Current version 3.0

  11. What is PCI Compliance? • Who/What is PCI? • PCI DSS – 6 Goals, 12 Requirements • The PCI Compliance process • PCI Compliance questionnaires • What are the implications of compliance?

  12. PCI DSS • Payment Card Industry Data Security Standard • 12 general principles/requirements • Establishes a baseline of secure practices • Will help mitigate costs, in case of a breach. • Not a 100% guarantee to prevent a breach

  13. PCI DSS: 6 goals, 12 requirements Handout

  14. Why should you care? The number of Requirements that apply to you will determine how involved the compliance process will be for you. The simpler your business process, the simpler your compliance process.

  15. What is PCI Compliance? • Who/What is PCI? • PCI DSS – 6 Goals, 12 Requirements • The PCI Compliance process • PCI Compliance questionnaires • What are the implications of compliance?

  16. University compliance means… • For the University to be “PCI Compliant”, • all of its CC business units need to be compliant. • Merchant IDs, applications, operations, etc. • Infrastructure: terminals, networks, fax/copy • Personnel • “If it stores, transmits or processes credit card data, it must be PCI compliant.”

  17. PCI Compliance entails… Training Review of business processes Annual service level agreements (SLA) and self-assessment questionnaires (SAQ)

  18. PCI Compliance - Training • Supervisor Training: August 8 & August 12 • Operators: on-line training module

  19. Operator training • On-line training module • Go Live 8/12/14 • Approx 30 minute video • Broken into three modules • Will cover general “operator” material • Individual Departments may need to develop additional training material to cover their unique processes.

  20. Operator training modules https://www.uwplatt.edu/financial/pci-training

  21. The Three Modules Card Security Basics (general) Card Present Transactions Card Not Present Transactions

  22. Annually renewed and tracked • All training must be renewed annually • All training must be tracked • Identify operators who need to be trained • Operators must be trained by 10/15/2014 • Watch for turn-over, new hires • Training checklist should be completed • Submit worksheets to riedlfac@uwplatt.edu

  23. The Compliance Process 2. Review of business processes • May need to review in light of PCI DSS 3.0

  24. The Compliance Process 3. SLA & SAQ • Most SLAs expire 12/31 • SAQs will be completed this Fall

  25. What is PCI Compliance? • Who/What is PCI? • PCI DSS – 6 Goals, 12 Requirements • The PCI Compliance process • PCI Compliance questionnaires • What are the implications of compliance?

  26. PCI Compliance - Questionnaires • Provided by the PCI Security Standards Council • Has been expanded from four variants to eight • A, A-EP, B, B-IP, C, C-VT, D, P2PE-HW • In order of increasing complexity • Required for PCI Compliance • Self-Assessment Questionnaires (SAQ) • Which SAQ applies to a given merchant ID or application depends upon the business model.

  27. SAQ Highlight

  28. What is PCI Compliance? • Who/What is PCI? • PCI DSS – 6 Goals, 12 Requirements • The PCI Compliance process • PCI Compliance questionnaires • What are the implications of compliance?

  29. Business Processes to Consider - 1 • Never send or receive CC#s by e-mail • Don’t store CC#s in a database or spreadsheet • Destroy CC# documentation ASAP (cross-cut shred) • Redesign forms so you can cut off the CC#s • Receipts that show more than the last four digits are out of compliance • Make workstations “dedicated”

  30. Business Processes to Consider - 2 • If you copy, scan, or image CC#s… • Remove fax machines from public locations • Old carbon-copy devices are out of compliance • Do you have integrated workstations? • Units that have built-in card-readers • Other ideas?
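Two of the points on the preceding slides are checkable: CC#s must not sit in e-mail, databases or spreadsheets, and a receipt may show no more than the last four digits. The following is an added example, not material from the UW-Platteville slides: a small scanner that finds likely primary account numbers (PANs) in free text using the Luhn mod-10 check (which every brand's PAN satisfies) and a masking function that leaves only the last four digits. The sample lines are constructed for this example; the card numbers in them are the brand-published test numbers, not real accounts. The regular expression, function names and the 13–19 digit range are this example's own assumptions, not a PCI SSC specification.

```python
"""Added example (not part of the UW-Platteville slides): locate likely PANs in
text and mask them to the last four digits, as the slides require for receipts."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. This pattern is an assumption made for this
# example; production DLP tools also check brand prefixes and surrounding context.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def _digits_only(span: str) -> str:
    return re.sub(r"[ -]", "", span)


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_lines(lines) -> dict:
    """Map line index -> PANs found on that line; an empty dict means clean."""
    report = {}
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            report[i] = pans
    return report


def mask_pans(text: str, keep_last: int = 4) -> str:
    """Replace each Luhn-valid PAN (separators included) with '*' plus its last digits."""
    def _mask(m):
        digits = _digits_only(m.group(0))
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            return m.group(0)           # a Luhn failure is left untouched (e.g. a tracking number)
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample input. The card numbers are the brands' published test numbers.
SAMPLE_LINES = [
    "Order 8841: card 4111 1111 1111 1111 exp 09/16, please charge $40",
    "Tracking 1234567890123456 shipped Monday",      # 16 digits but fails Luhn
    "AmEx 3782-822463-10005 for the conference fee",
    "Call 608-555-0142 to confirm",                   # too short to be a PAN
]

if __name__ == "__main__":
    for idx, pans in scan_lines(SAMPLE_LINES).items():
        print(f"line {idx}: PAN found, masked -> {mask_pans(SAMPLE_LINES[idx])}")
```

Running the scanner over an exported mailbox or a saved spreadsheet tells a supervisor where cardholder data has leaked into places the slides forbid. The Luhn check only removes obvious false positives such as tracking or phone numbers; a hit still needs a human look, and a clean scan is not proof that no PAN is stored. Note also that masking is for displays and receipts; the slides' instruction for stored copies is to destroy them, not to redact them.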

  31. Miscellaneous Point #1 • Beware the “maverick” • Well-intending faculty or staff • Sets up a business unit without authorization • Beware solicitations • There are no PCI approved mobile devices (e.g., Square)

  32. Miscellaneous Points #2 • You don’t HAVE to become PCI Compliant. • However, if you choose not to comply… • You will no longer be able to accept credit cards.

  33. Changes in personnel? • Are you leaving? • New Supervisor? • Notify riedlfac@uwplatt.edu with an updated SLA within 5 business days of the change. • Need to track training to remain compliant

  34. Time Line - Summary

  35. Questions? Thank you!
