Leading Causes of a Data Breach

Payment Card Industry Data Security Standards
Annual Refresher Training
This refresher course will:
• Review the PCI Data Security Standards
– PCI DSS in a nutshell
– Payment Card Protection Team
– Compliance basics
– Data breach review
• 2013 change to how the University’s compliance is measured
• 2013 new technology: online SAQ portal
• Update of PCI DSS compliance roles at the University
• Contact information
The Purpose for PCI DSS
“The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
PCI DSS Requirements and Security Assessment Procedures, October 2010, pg. 5
PCI DSS Quick Reference Guide, slide 8
Payment Card Protection ‘Team’
1. Employees, contractors or students involved in accepting credit or debit cards (or who touch the cardholder data environment)
– Merchant Managers & staff (including student workers)
– Support units: ARS, IT, Purchasing, OGC, third party vendors
2. Credit card brands
– Visa
– MasterCard
– American Express
– Discover
3. Acquiring bank (Wells Fargo)
Complying with PCI Standards at the University
• Standards are established & updated by the PCI Council and card issuers
• Standards are enforced primarily through the University’s contract with Wells Fargo, which is managed by Accounts Receivable Services (ARS)
• ARS oversees PCI compliance through
– Policy & procedures
– Merchant Manager training & support
– Coordination with related units such as University Information Security
– Facilitation of the annual merchant account compliance review process
[Diagram: compliance chain from the PCI Council and card brands (Visa, MasterCard, AmEx, Discover) to Wells Fargo, to UMN Accounts Receivable Services, to OIT / UIS / Dept IT, to the Merchant Manager, to employees & student workers]
What is a data breach?
Broadly speaking, a breach is an unauthorized acquisition of protected data that compromises the security, confidentiality, or integrity of the protected information.
Leading Causes of a Data Breach
1. Malicious attack
– Targeted attack with the intent to commit data theft or otherwise inflict harm
2. Negligent employee or contractor
– Failure to follow established standards
– Lack of training
3. System glitch
– IT or business process failures
Cost of a Breach
• $5.5 million: the average total organizational cost of a data breach*
– 39% of incidents involved a negligent employee or contractor
– 37% concerned a malicious or criminal attack
– 24% involved system glitches including IT and business process failures
• $222: the average cost per compromised record for detection, escalation, notification, and remediation (doesn’t include costs associated with damaged reputation)*
• 1,506,900 records: the number of private records exposed in data breaches at 59 US higher education institutions in 2012**
– (1.5M × $222 = $333,000,000) / 59 = $5,644,068 estimated cost per HE breach
*2011 Cost of Data Breach Study, Ponemon Institute
**http://www.privacyrights.org/data-breach
The University at Risk
http://bits.blogs.nytimes.com/2012/10/03/hackers-breach-53-universities-dumpthousands-of-personal-records-online/?smid=tw-share
The University as Data “Gold Mine”
But, it isn’t always about the money.
Hacktivism
Change in 2013
• Wells Fargo and Visa raised the University’s compliance demonstration requirements. This change was based on the annual number of Visa transactions. This means:
– Compliance is now measured by a security assessor
• For 2013 we will use a Qualified Security Assessor (QSA) from CampusGuard, a firm specializing in higher education security
– Individual merchants must continue to complete the annual Self-Assessment Questionnaires (SAQ), and…
– The University will only be considered PCI compliant if all accounts are deemed compliant by the assessor
New Technology
• Rolled out an online portal for SAQ completion & document collection
– The portal provides merchant managers with 24/7 access to complete their SAQs
– Managers can ask the assessor questions directly through the portal
– A secure ‘document locker’ provides each merchant with a dedicated area to store PCI-related documents
Updated Contacts for 2013
• Accounts Receivable Services
– pmtcard@umn.edu: general inquiries
– Darla Schroeder, Cash Application Manager (612-626-7215), schro077@umn.edu
  – Terminal issues
  – Account set-up, close, modify
  – Reconciliation, chartstring or other accounting issues
– Laura Gilbert, PCI-DSS Compliance Analyst (612-624-7892), gilbert7@umn.edu
  – Manager training
  – CampusGuard portal
  – Annual assessment: SAQ & UMN form completion, ROC assessment, remediation plan oversight
  – Policy questions
  – Vendor relationship support (e.g., pen testing, 3rd party outsourcing)
• University Information Security: abuse@umn.edu
• Your IT professionals _______
Resources
• Be familiar with University policy & procedures
– Accepting Revenue Via Payment Cards
– Obtaining Approval to Accept Credit Cards
– Managing Payment Card Acceptance
• Your IT professionals
• Applicable University Forms
– UM 1624 Payment Card Manager Form
– UM 1623 Employee Non-Disclosure Form
– UM 1705 Desktop Usage Agreement (only required for SAQ-A e-commerce solutions)
• Controller’s Office Website: general and SAQ-specific training materials & guidance documents
• PCI Security Standards Website: SAQ forms, guidance docs
• PCI Glossary
• Look for emails throughout the year from the Controller’s Office and partner departments about program changes, new issues, annual deadlines and training.
Allow time in your schedule to fully manage your account.