Welcome to the 2nd Annual Campus Merchant Awareness Training Meeting

Page 1

Welcome to the 2nd Annual Campus Merchant Awareness Training Meeting

Page 2

Agenda

• Introductions
• Merchant Account Basics
• FAQs
• What Have We Learned… In this case, left is always better!
• PCI Compliance Changes
• PCI Compliance Overview
• Resources

Page 3

Merchant Accounts Updates

• System down? Voice Authorization: 1.800.936.2632 – need MID.
• Questions on Accounts? DST 1.800.228.5882 – 24/7 service
  – Statement issues
  – Authorization problems
  – Supplies
• Bursar Support Services
  – Dial Pay
  – Wireless Terminal
  – POS Terminals

Page 4

Merchant Accounts Updates

• Account/Statement Review
  – Review monthly for errors & charges
    • Jul VS zero floor limit fee
  – Analyze yearly for cost/service assessment
  – Minimum charges on statements
  – Visa EIRFs 2.30% – manually entered cards
    • Plastic bag around card
    • Clean terminal
    • Rub card magnetic strip
  – Debit PIN pads

Page 5

Merchant Accounts Updates

• Sales Calls
• Bank of America Merchant Contact
  – Upgrading PIN devices
• Fraud Control – http://usa.visa.com/merchants/risk_management/index.html
• American Express Rate Change – all campus 2.05% consumer card; Discover 1.75%
• Staff Training Resources – many options for the front line staff as well as IT and MRPs.

Page 6

Merchant Accounts Updates

• Phishing Alert – Bank of America temporarily suspended your account.
  – Reason: Billing failure.
  – We need you to complete an account update so we can unlock your account.
  – To start the update process follow the link below:
  – http://www.secureyouraccountnow.com
  – Once you have completed the process, we will send you an email notifying that your account is available again. After that you can access your account at any time.
  – The information provided will be treated in confidence and stored in our secure database.
  – If you fail to provide required information your account will be automatically deleted from Bank of America database.

Page 7

Frequently Asked Questions

• Service charges?
  – No – varied rules between Visa and other card brands. Flat fee versus %.
  – May be some legislation changes
  – No service charge encourages prompt payment / customer response
• Establishing a minimum charge amount?
  – Card organizations forbid you from establishing any transaction dollar limits.

Page 8

More FAQs

• Requiring pictured identification
  – Card organizations state the credit card sale cannot be turned down due to lack of picture ID.
• Phone authorization
• Card not signed
• Suspected counterfeit card
• Fax machines & laptops
• MOTOs – Virtual Terminals & Dial Pay

Page 9

Still More FAQs

• Self Assessment Questionnaire
  – Annual
  – A great % of merchants have completed
• Security Policies/Procedures
  – Departmental
  – Campus
• Network Configuration
  – Abraham Kuo – UITS Security Operations

Page 10

What Have We Learned? That in this case, left is always better!

• Merchant Compromise
  – Paper and fax machines
  – SAQ C merchants
• Compliance Failures
  – Shopping cart, operating system and other patches
  – Firewall rule review
• Segmentation / flat networks
  – Look for an alternative (“Move to the left”)
  – Keep MOTO to Dial Pay or Point of Sale Terminal

Page 11

Compliance Changes

• New annual third party assessment
  – MasterCard notification of Level 2 merchants
• Report on Compliance (ROC) assessment & documentation
  – SAQ specific
  – You are not alone, we are right beside you.
• SAQ C Training

Page 12

Questions?

Page 13

Sylvia Johnson, University Information Security Officer
Kelley Bogart, Senior Information Security Specialist

October 23, 2009

Page 14

• Role of the Information Security Office
• PCI Overview
• InfoSec PCI Web Page – Compliance Roadmap
• Payment Methods & Validation Requirements
• Ongoing Compliance

Page 15

Information Security Policy: Access to UA data, computers and network is subject to policies and laws.

PCI compliance is mandated by:
• contract with Bank of America
• FRS Policy 8.14

Info Security Policy: InfoSec will issue guidance to assist units in implementing information security related policies.

Page 16

PCI security requirements apply to:
• all merchants who store, process or transmit cardholder data
• all system components in or connected to the cardholder data environment: network components, servers, applications

Page 17

Page 18

• 225 specifics: some technical, some operational
• Consequences: monetary fines, restrictions on merchant processing, loss of privilege
• Merchant Responsible Persons are responsible for ALL of them

Page 19

Page 20

Page 21

Page 22

PCI DSS requirements and testing procedures (worksheet columns: Requirement | Testing Procedure | In Place | Not in Place | Target Date/Comments)

1.1 Requirement: Establish firewall and router configuration standards that include the following:
1.1 Testing procedure: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:

1.1.1 Requirement: A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.1 Testing procedure: Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

1.1.2 Requirement: Current network diagram with all connections to cardholder data, including any wireless networks
1.1.2.b Testing procedure: Verify that the diagram is kept current.

1.1.3 Requirement: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
1.1.3 Testing procedure: Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone. Verify that the current network diagram is consistent with the firewall configuration standards.

1.1.4 Requirement: Description of groups, roles, and responsibilities for logical management of network components
1.1.4 Testing procedure: Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.

1.1.5 Requirement: Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure
1.1.5.a Testing procedure: Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.

Page 23

A description of how the credit card information moves through the network:
• To which systems the data is passed/stored
• Through which network devices the data passes
• Which ports and protocols are used to pass data
• Which encryption algorithms are used, and when
• Which data is stored, where and for how long (PAN, CVV2/CVC2, expiration date, etc.)
• All inbound sources of CHD to the network
• All outbound flows of CHD (e.g., to a payment processor, 3rd parties)

Page 24

“PCI DSS compliance is much more than a “project” with a beginning and end – it’s an ongoing process of assessment, remediation and reporting.”

“Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.”

Page 25

Ongoing compliance calendar (graphic; activities shown): Electronic CHD Review; Employee Training (four occurrences); Assessment Preparation; Merchant Agreement Acknowledgement; Service Provider Check; Assessment; Hardcopy Retention Review.

Page 26

Ongoing compliance calendar (graphic; activities shown): Electronic CHD Search; Assessment; Security Policy Review; Employee Training (four occurrences); Assessment Preparation; Merchant Agreement Acknowledgement; Hardcopy Retention Review; Service Provider Check; Service Provider Listing.

Page 27

Ongoing compliance calendar (graphic; activities shown): Wireless Access Point Scan (four occurrences); Vulnerability Scans (four occurrences); Employee Training (four occurrences); Service Provider Check/Listing; Merchant Agreement Acknowledgement; Electronic CHD Search; Assessment; Assessment Preparation; Hardcopy Retention Review; Policy Review.

Page 28

Ongoing compliance calendar (graphic; activities shown): Employee Training, Inactive Account Disabling, User Password Change and Stored CHD Review (four occurrences each); Assessment; Policy Review; Assessment Preparation; Risk Assessment; Firewall Rule Review (two occurrences); Electronic CHD Search; Back Up Media Inventory; Policy Acknowledgement; Vulnerability Scans (four occurrences); Wireless Access Point Scan (four occurrences); Web Application Scan; Penetration Test; Incident Response Plan Test.

Page 29

• Abraham Kuo – UITS – 626.9736
• Kelley Bogart – ISO – 626.8232
• Robbyn Lennon – FSO-Bursar’s – 621.5781
• Security Metrics – Securitymetrics.com
• BankofAmerica.com/merchantsupport
• https://www.pcisecuritystandards.org/
• Prioritized Approach for DSS 1.2 – https://www.pcisecuritystandards.org/education/prioritized.shtml
• PCI Quick Reference Guide – https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Page 30