2014 PCI DSS Meeting
OSU Business Affairs, Process Improvement Team (PIT)
Robin Whitlock & Dan Hough
10/28/2014
Today’s Presentation
• What do you have to do?
• What is PCI DSS?
• Who Needs to Comply with PCI DSS?
• Why PCI DSS?
• Compliance Life Cycle
• Cardholder Data/Storage
• Goals & Requirements
• What do you have to do?
• Coming in 2015: PCI 3.0
• Resources
• Questions
Your to do list by December 12:
1. Verify credit card merchant information with Business Affairs
2. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
3. Merchant managers complete and sign the Cover Page & SAQ (Annual PCI DSS Assessment must be completed for all Merchants)
4. Business Center Manager or FAM must review and sign
5. Send to Robin Whitlock and Dan Hough
What is PCI DSS?
Payment Card Industry Data Security Standards: a “Common set of industry tools and measurements to help ensure the safe handling of sensitive information. Provides an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents” (https://www.pcisecuritystandards.org/merchants/index.php)
Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Disc…)
Who Needs to Comply with PCI DSS?
Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers…). That means you!
Compliance is mandatory (eCommerce Policy, Oregon State Treasury, PCI DSS).
Why PCI DSS?
• 241 breaches of sensitive information to date in 2014 (affecting >64 million records) [1]
• Notable retail breaches since November 2013 [2]:
  • Target • Home Depot • Staples • Kmart
  • Albertsons • Michaels • Neiman Marcus • eBay
  • PF Changs • UPS Stores • Aaron Brothers • Goodwill
  • Supervalu • Dairy Queen
[1] Privacy Rights Clearinghouse, https://www.privacyrights.org, 10/28/14
[2] “Cyber Attacks on US Companies in 2014,” by Riley Walters, http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014
Compliance Life Cycle
1. Pre-Assessment / Gap Analysis
2. Implement / Remediate
3. PCI DSS Validation
4. Ongoing Compliance Monitoring
What is Cardholder Data?
• Primary Account Number (PAN)
• Cardholder Name
• Expiration Date
• Chip/Magnetic Strip Data
• CAV2/CVC2/CVV2
PCI Data Storage
Data Element                        Storage Permitted   Protection Required
Cardholder Data
  Primary Account Number (PAN)      Yes                 Yes
  Cardholder Name [1]               Yes                 Yes [1]
  Expiration Date [1]               Yes                 Yes [1]
Sensitive Authentication Data [2]
  Full Magnetic Strip Data [3]      No                  N/A
  CAV2/CVC2/CVV2                    No                  N/A
[1] These data elements must be protected if stored in conjunction with the PAN.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Magnetic stripe or chip.
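The storage table and its three footnotes can be applied mechanically to records a merchant system has kept. The checker below is an added example, not material from the presentation or from OSU Business Affairs; it assumes a constructed record format (a dict of data element names plus an `authorized` flag and a `protected` set naming the elements stored in protected form) and flags each storage-rule violation.

```python
"""Check stored payment records against the PCI DSS storage table above.

Assumed record format (constructed for this example, not a real system's schema):
a dict keyed by the data element names below, plus 'authorized' (bool, whether
the transaction has been authorized) and 'protected' (set of element names that
are stored encrypted, truncated or otherwise protected).
"""

CARDHOLDER_DATA = {"pan", "cardholder_name", "expiration_date"}
# Sensitive authentication data must not be stored after authorization, even if
# encrypted (footnote 2); full track data covers magnetic stripe or chip (footnote 3).
SENSITIVE_AUTH_DATA = {"full_track_data", "cav2_cvc2_cvv2"}


def check_record(record: dict) -> list[str]:
    """Return the storage-rule violations for one stored record (empty list = compliant)."""
    violations = []
    present = {k for k, v in record.items() if k in CARDHOLDER_DATA | SENSITIVE_AUTH_DATA and v}
    protected = set(record.get("protected", set()))
    authorized = bool(record.get("authorized", False))

    # Sensitive authentication data may exist only until authorization completes.
    for element in sorted(present & SENSITIVE_AUTH_DATA):
        if authorized:
            violations.append(f"{element}: sensitive authentication data stored after authorization")

    # The PAN is always stored protected.
    if "pan" in present and "pan" not in protected:
        violations.append("pan: stored without protection")

    # Footnote 1: name and expiration date need protection only when kept with the PAN.
    if "pan" in present:
        for element in sorted(present & {"cardholder_name", "expiration_date"}):
            if element not in protected:
                violations.append(f"{element}: stored with PAN but not protected")
    return violations


# Constructed sample records; placeholder values, not real card data.
SAMPLE_RECORDS = {
    "settled_order": {"pan": "<pan-placeholder>", "expiration_date": "12/16",
                      "cav2_cvc2_cvv2": "<cvv-placeholder>",
                      "authorized": True, "protected": {"pan"}},
    "mailing_list": {"cardholder_name": "A. Student", "expiration_date": "12/16",
                     "authorized": True},
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, check_record(rec) or "compliant")
```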
PCI DSS Goals & Requirements (the “digital dozen”)
Build and Maintain a Secure Network (2)
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other parameters
Protect Cardholder Data (2)
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
PCI DSS Goals & Requirements
Maintain a Vulnerability Management Program (2)
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures (3)
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
PCI DSS Goals & Requirements
Regularly Monitor and Test Networks (2)
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy (1)
12. Maintain a policy that addresses information security
Misconceptions
• Self assessment means you’re compliant
• Compliance means you won’t suffer a breach
• Outsourcing takes away your need for compliance
• PCI DSS is just about IT
• A single product can make you compliant
• Compliance can be automated
What do we have to do?
Level/Tier   Merchant Criteria   Validation Requirements
1   Merchants processing over 6 million Visa transactions annually (all channels)
    • Annual Report on Compliance by Qualified Security Assessor (“QSA”)
    • Quarterly network scan by Approved Scan Vendor (“ASV”)
    • Attestation of Compliance Form
2   Merchants processing 1 million to 6 million Visa transactions annually (all channels)
    • Annual Self-Assessment Questionnaire
    • Quarterly network scan by ASV
    • Attestation of Compliance Form
3   Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
    • Annual SAQ
    • Quarterly network scan by ASV
    • Attestation of Compliance Form
4   Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
    • Annual SAQ
    • Quarterly network scan by ASV, if applicable
    • Requirements set by acquirer
Annual PCI DSS Assessment Documents
Documents due by December 12, 2014:
1. OSU Cover Page
2. Self Assessment Questionnaire (SAQ A-D, appropriate to merchant)
3. 3rd Party PCI DSS Certificate of Compliance (if applicable)
Resources
• Copies of your last assessment can be emailed to you on request
• Website: http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card-merchants
  – Status Report by Business Center
  – SAQ Forms, Instructions, and guidelines
  – Navigating the PCI DSS Glossary
Self Assessment Questionnaire (SAQ)
• Completed by the merchant manager
• Subset of full requirements
• Broken down by Goals & Requirements
• Made up of Yes / No / Not Applicable responses
  – NA or “Compensating Control”: must be explained
  – No: must have Remediation Date and Actions
• Attestation Section: fill out the Merchant Version; do not complete the Service Provider Version
Which SAQ? See PCI DSS Status Report
Form    Description
SAQ A   Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ B   Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
SAQ C   Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
SAQ D   All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
Multiple Merchant Consolidation
Multiple merchants can be combined into a single submittal if:
1. The merchant IDs (MIDs) are of the same type (i.e. all POS, Web…)
2. All merchants are managed by same merchant manager
3. The same policies and procedures apply to all merchants
4. Strictest SAQ will apply (the one with the most questions)
5. List all merchants on cover page.
SAQ Example: Requirements
Compliance Summary
SAQ Example: Explanation of Non-Applicability
SAQ Example: Compensating Controls
SAQ Example: Attestation
Complete the “Merchant” version, not the Qualified Security Assessor Company version (if available). OSU does not use a Qualified Security Assessor Company.
Tips and Hints
These focus on SAQ A and SAQ B since most merchants use these forms.
(Slide shows two columns of tips, headed SAQ A and SAQ B.)
Your to do list by December 12:
1. Verify credit card merchant information with Business Affairs
2. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
3. Merchant managers complete and sign the Cover Page & SAQ (Annual PCI DSS Assessment must be completed for all Merchants).
4. Business Center Manager or FAM must review and sign.
5. Send to Robin Whitlock and Dan Hough. Electronic submission is preferred.
Coming in 2015: PCI 3.0
December 2015 validation will be to PCI 3.0.
How PCI 3.0 requirements will be addressed by OSU merchants is still to be determined.
We will keep you posted as information specific to OSU merchants becomes available
Resources
• PCI Compliance for OSU Credit Card Merchants (instructions & forms): http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card-merchants
• OSU FIS Manual: http://oregonstate.edu/fa/manuals/fis/1401-06
• OUS Policy Guideline for Electronic Commerce: http://www.ous.edu/dept/cont-div/fpm/elec-40-005
• Oregon Accounting Manual - Credit Card Acceptance for Payment: http://www.oregon.gov/DAS/CFO/SARS/policies/oam/10.35.00.pr.pdf
• Oregon State Treasury Cash Management Policy: http://www.oregon.gov/treasury/Divisions/Finance/StateAgencies/Pages/Cash-Management-Manual.aspx
• Payment Card Industry Data Security Standards: https://www.pcisecuritystandards.org/merchants/
Thank You
Business Affairs Contacts
Robin Whitlock, [email protected], 541-737-0622
Dan Hough, [email protected], 541-737-2935