Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Accepting Payments Securely Securely -- Online and off Online and off

advertisement 
Accepting Payments
Securely - Online and off
Presented by Bryan Boutz
October 2009 IT Security Training


The p
problem
ob
– collecting
o
g payments,
pay
s,
especially electronically
Credit Cards and PCI-DSS
◦ What is it?
◦ Why bother?
◦ Where do we start?



Other payment methods
Solutions and examples
Discussion
Agenda

Rules
u s for
o securing
s u g cardholder
a d o d data
da a that
a is
s
stored, processed, and/or transmitted by
merchants and other organizations.

Apply to EVERYONE that touches the data.

Set by the Payment Card Industry
Sec it Standards
Security
Standa ds Council,
Co ncil which
hich
represents major credit card networks.
https://www pcisecuritystandards org
https://www.pcisecuritystandards.org
What is PCI
PCI--DSS?

12 requirements in 6 sections
Build and Maintain a
Secure Network
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other
security parameters
Protect
P
t t Cardholder
C dh ld
Data
• Protect
P t t stored
t d cardholder
dh ld d
data
t
• Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability
Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
Implement Strong
Access Control
Measures
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly
R
l l M
Monitor
it and
d
Test Networks
•Track
T k and
d monitor
it allll access tto network
t
k resources and
d cardholder
dh ld
data
• Regularly test security systems and processes
Maintain an Information
S
Security
it P
Policy
li
•Maintain a policy that addresses information security
The standards

4 levels
s of
o certification
a o
1
Any merchant-regardless of acceptance channel-processing over 6,000,000
transactions per year.
Any merchant that has suffered a hack or an attack that resulted in an account
data compromise.
Any merchant that Visa, at its sole discretion, determines should meet the Level 1
merchant requirements to minimize risk to the Visa system.
2
Any merchant-regardless
An
merchant regardless of acceptance channel-processing
channel processing 1,000,000
1 000 000 to
6,000,000 transactions per year.
3
Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year.
4
Any merchant processing fewer than 20,000 e-commerce transactions per year,
and all other merchants-regardless of acceptance channel-processing up to
1,000,000 Visa transactions per year.
Merchant certification
In the event of the a breach,, the acquirer
q
CAN
make the merchant responsible for:
• Fines of up to $500,000 per incident
• Cost to notify victims
• Cost to replace cards (about $10/card)
y fraudulent transactions
• Cost for any
• Forensics from a Qualified Security Assessor
• Level 1 certification from a QSA
Cost of non
non--compliance

Large, complex networks with many devices
and interconnections with other networks

Large community with complicated mix of
backgrounds, skills, and requirements

E t
Extremely
l ““open”” b
by ttradition
diti
and
d culture
lt

Departments
p
control local technology
gy and act
independently

Understaffed IT departments
Challenges in Higher Education

Training
a
g

Qualified Security
Q
y Assessor

Make a plan and prioritize
Where do we start?

Cash and
Cas
a d physical
p ys a checks
s
◦ Keep it secure
◦ Good accounting practices and controls

E-Checks, direct payments, etc
◦ Generally lower cost but higher risk
◦ Rules set by National Automated Clearinghouse
(NACHA) now Electronic Payments Association
◦ Work with your bank
◦ Build a relationship with the customer
Other payment methods

Do
o it yourself
you s
◦ PCI requirements are available and QSA are
willing to help.
◦ Works
W k best
b t if hi
highly
hl centralized
t li d or already
l
d fairly
f i l
secure.

Contract with a service provider
◦ Examples include PayPal, Google Checkout,
Authorize.net, and Cashnet.
Solutions and examples

Requirements
qu
s and
a d features
au s
◦ API or website
◦ Recurring payments
◦ Integration with existing applications

Costs
◦ Setup costs
◦ Transaction fees
◦ Support
Selecting a provider

Level 1 PCI-DSS
C
SS compliant
o p a

Integrates
g
with student and financials
systems

E-Commerce module has 3 modes
◦ Storefront – Testing Center
◦ Checkout – Admissions
◦ Gateway – Continuing Education
Cashnet at K
K--State

What
a are
a you doing
do g to
o secure
s u payments
pay
s
now?

What problems have you had?

What is your biggest concern?

Anything else?
Discussion





https://www.pcisecuritystandards.org
ps //
p s u ys a da ds o g
Dennis Reedy, Walter Conway. Cards at
School. AFP Exchange, March 2007
USF / FAU PCI Training Guide, April 2008
VISA risk Management
Bob Gentile, David King. 2007 CACUBO
presentation: “PCI Compliance/The
Gate a to Pa
Gateway
Paradise”
adise”
Sources and more information
Related documents
Credit Card Authorization form
Credit Card Authorization form
100 Visa Gift Card - Christian Chamber Of Commerce
100 Visa Gift Card - Christian Chamber Of Commerce
unsIGneD CreDIt CArDs
unsIGneD CreDIt CArDs
PCI DSS Primer
PCI DSS Primer
Credit Card Merchant On-Site Assessment
Credit Card Merchant On-Site Assessment
NUMBER: 3.3101 DIVISION: Finance & Administration
NUMBER: 3.3101 DIVISION: Finance & Administration
Download
advertisement