Data Security Standard

• What Is PCI?
• Who Does It Apply To?
• Who Is Involved With the Compliance Process?
• How Can We Stay Compliant?
PCI (Payment Card Industry) Standards Council
Responsible for the development, management, education, and
awareness of the PCI Security Standards, including the Data
Security Standard (PCI DSS) requirements.
• Manage risk associated with credit card activity
• Protect card data
• Avoid punitive measures/damages
• Minimize cost for non-compliance
Standard applies to:
- Merchants (Departments)
- Service Providers (3rd Party, Gateways)
Applies if you:
- Store Cardholder Data
- Transmit Cardholder Data
- Process Cardholder Data
Applies to:
- Electronic Transactions
- Paper Transactions
Complete the PCI Self-Assessment Questionnaire (SAQ)

Ensure cardholder data is protected
- Encrypt transmission of data

Implement strong access controls
- Restrict physical access to data

Maintain a security policy
- Policy that addresses information security for all personnel
UT Merchants and Usage
- UT has over 125 merchants university-wide
- Over 960,000 transactions
- $165 Million in revenue
Potential Fee Assessments
• $500,000 per data security incident
• $50,000 per day for non-compliance with PCI
• Liability for all fraud losses incurred from compromised account numbers
• Liability for the cost of re-issuing cards associated with a compromise of data
• Suspension of Merchant Account
• UT System Administration (UTSA) – Information Security Office
• I.T. (System & Campus)
• Chief Business Office (CBO)
• Treasurer’s Office
• Merchant (Departments)
UTSA (University of TN System Administration)
Information Security Office
- Consulting, guidance, and oversight related to PCI
compliance and IT Security controls
- Review technical implementations related to PCI
- Incident response coordination
- Quarterly security scan coordination
- Validate SAQs annually
IT Position of Authority
- Provide compliance support & consulting
- Identify & review systems in PCI scope
- Provide technical guidance
- Ensure a segmented cardholder data environment exists
Chief Business Officer
- Approve the business need for Merchant IDs
- Attest to SAQ (signature of CBO)
- Monitor PCI compliance
Treasurer’s Office
- Oversee credit card accounting for approved merchants
- Manage the Merchant ID approval process
- Maintain the relationship with the University’s credit card processor
Merchant (Departments)
- Complete SAQ annually
- Have internal procedures in place
- Update terminal software every 18 months
- Notify UTSA in the event of a data breach
- Financially responsible for costs associated with compliance (fees, fines, remediation)
All completed forms are due in the Bursar’s Office by the close of business, April 15, 2014
• Byron Porter 448-4847 [email protected]
• Nadia Hussey 448-2914 [email protected]
Bursar’s Office
Hyman Building
62 S. Dunlap Rm. 103