Merchant Card Processing(PCI Compliance for Supervisors)

Sponsored by UW-Platteville’sFinancial Services and

The Office of Information Security

Introductions

• Cathy Riedl-Farrey – Controller, Financial Services

• Anna Pulver– Information Security Officer

• Patrick Fitzsimons– Internal Auditor

2

Agenda

• What is PCI Compliance?

• What is expected of you?

• Time lines

3

Why we are here

PCI 12.6.1 (c) Have employees completed awareness training and are they aware of the importance of cardholder data security?

4

Modern-day data security risks

• Over the past couple decades– Increase in payment card usage– Increase in e-commerce– Great convenience

• Unfortunately…– Security has not kept pace– The criminals have noticed

5

Therefore…

• UW-Platteville is concerned.• UWPLT adopted a policy regarding storage,

transmission, processing of payment card data– Credit Card Handling Policy, currently being revised– http://www.uwplatt.edu/financial/credit-card-compliance

• UWPLT must be “PCI Compliant”6

We Need You

• We need your help to achieve compliance!

7

Does compliance apply to you?• If you take branded credit card information…

PCI applies to you– Major brands: VISA, MC, AmEx, Discover– Whether

• The actual physical card is present, or• You receive the data via phone, web, or mail• You contract with a hosted provider or in-house dept

– If you “store, transmit or process” cardholder data

8

What is PCI Compliance?

Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance?

9

Payment Card Industry

• “PCI” = Payment Card Industry– Major brands: VISA, MC, Discover, AmEx

• Established a Data Security Standard– PCI DSS

• Thus, “PCI Compliant”• Current version 3.0

Logo from https://www.pcisecuritystandards.org/10

What is PCI Compliance?

Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance?

11

PCI DSS

• Payment Card Industry Data Security Standard• 12 general principles/requirements• Establishes a baseline of secure practices

– Will help mitigate costs, in case of a breach.– Not a 100% guarantee to prevent a breach

12

PCI DSS: 6 goals, 12 requirementsGoals PCI DSS Requirements

I. Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

II. Protect Cardholder Data 3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

III. Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

IV. Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

V. Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes Maintain an Information

VI. Security Policy 12. Maintain a policy that addresses information security for employees and contractors

Handout

13

Why should you care?

• The number of Requirements that apply to you will determine how involved the compliance process will be for you.

The simpler your business process,the simpler your compliance process.

14

What is PCI Compliance?

Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance?

15

University compliance means…

• For the University to be “PCI Compliant”,– all of its CC business units need to be compliant.

• Merchant IDs, applications, operations, etc• Infrastructure: terminals, networks, fax/copy• Personnel

• “If it stores, transmits or processes credit carddata, it must be PCI compliant.”

16

PCI Compliance entails…

1. Training2. Review of business processes3. Annual service level agreements (SLA) and

self-assessment questionnaires (SAQ)

17

PCI Compliance - Training• Supervisor Training: August 8 & August 12

• Operators: on-line training module

18

Operator training

• On-line training module– Go Live 8/12/14– Approx 30 minute video

• Broken into three modules

– Will cover general “operator” material– Individual Departments may need to develop

additional training material to cover their unique processes.

19

Operator training modules

https://www.uwplatt.edu/financial/pci-training

20

The Three Modules

1. Card Security Basics (general)2. Card Present Transactions3. Card Not Present Transactions

21

Annually renewed and tracked

• All training must be renewed annually• All training must be tracked• Identify operators who need to be trained

– Operators must be trained by 10/15/2014• Watch for turn-over, new hires

• Training checklist should be completed• Submit worksheets to riedlfac@uwplatt.edu

22

The Compliance Process

2. Review of business processes– May need to review in light of PCI DSS 3.0

23

The Compliance Process

3. SLA & SAQ– Most SLA’s expire 12/31– SAQ’s will be completed this Fall

24

What is PCI Compliance?

Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance?

25

PCI Compliance - Questionnaires

• Provided by PCI• Has been expanded from four variants to eight

– A, A-EP, B, B-IP, C, C-VT, D, P2PE-HW– In order of increasing complexity– Required for PCI Compliance

• Self-Assessment Questionnaires (SAQ)• Which SAQ applies to a given merchant ID or

application depends upon the business model.26

SAQ Highlight

27

What is PCI Compliance?

Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance?

28

Business Processes to Consider - 1

• Never send (receive) CC#s in e-mail• Don’t store CC#s in database or spreadsheet• Destroy CC# documentation ASAP (cross-cut)

– Redesign forms, so you can cut off CC#s• Receipts that show more than last four digits

are out of compliance• Make workstations “dedicated”

29

Business Processes to Consider - 2

• If you copy, scan, or image CC#s…• Remove fax machines from public locations• Old carbon-copy devices are out of

compliance• Do you have integrated workstations?

– Units that have built-in card-readers• Other ideas?

30

Miscellaneous Point #1

• Beware the “maverick”– Well-intending faculty or staff– Sets up a business unit without authorization– Beware solicitations– There are no PCI approved mobile devices (i.e.

Square)

31

Miscellaneous Points #2

• You don’t HAVE to become PCI Compliant.• However, if you choose not to comply…

– You will no longer be able to accept credit cards.

32

Changes in personnel?

• Are you leaving?• New Supervisor?

• Notify riedlfac@uwplatt.edu with an updated SLA within 5 business days of change.– Need to track training to remain compliant

33

Time Line - Summary

• Supervisor Training

8/8 or 8/12/14

• Employees complete on-line training modules

Sept 2014 • All training complete. • Submit training

spreadsheet to Controller

October 15, 2014

34

Thank you!

Questions?

35