Payment Card PCI DSS Compliance SAQ-B Training Accounts Receivable Services, Controller’s Office 7/1/2012 SAQ Training At the conclusion of this training, merchant managers should be able to do the following: – Understand the scope of your cardholder data environment – Understand how to complete the SAQ – Understand what the Attestation means – Understand how to accurately answer the SAQ questions – Understand what to do if you are not PCI DSS compliant – Understand resources available for assistance – Complete your SAQ What is PCI DSS? The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. (https://www.pcisecuritystandards.org/merchants/) PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data. (PCI DSS Quick Reference Guide; Understanding the Payment Card Industry Data Security Standard version 2.0, page 6) Why is PCI DSS important? A breach or compromise of payment card data has far-reaching consequences, such as: Regulatory notification requirements, Loss of reputation, Loss of customers, Potential financial liabilities (fees and fines), Litigation, and Denial of the University’s privilege to accept certain cards (Visa, MasterCard, American Express, Discover) What is an SAQ? The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool to allow merchants to self-evaluate compliance with the Payment Card Industry Data Security Standards (PCI DSS). The SAQ consists of two primary components: 1. Questions about your account that correlate with the 12 PCI DSS requirements. 2. An Attestation of Compliance; your self-certification that you have assessed your unit’s compliance as required in your SAQ form and identified action plans to address areas of non-compliance. SAQs come in several forms based on how a merchant processes, transmits and stores cardholder data. Most University accounts use an SAQ-A, B or D. SAQ completion is required annually by our acquiring bank and card brands. The Standards: 6 Sections; 12 Requirements Build and Maintain a Secure Network Implement Strong Access Control Measures 1: Install and maintain a firewall 2: Do not use vendor defaults 7: Business need-to-know 8: Assign a unique ID to each person 9: Restrict physical access Protect Cardholder Data 3: Protect stored data 4: Encrypt transmission of data Maintain a Vulnerability Management Program 5: Use anti-virus software 6: Secure systems and applications Regularly Monitor &Test Networks 10: Track and monitor access 11: Regularly test security Information Security Policy 12: Maintain a policy The SAQ-A addresses Requirements 9 & 12 The SAQ-B addresses Requirements 3,4,7,9, & 12 The SAQ-D addresses all 12 Requirements Annual SAQ Process 1. Determine the scope of the review. Go over your department operations and systems with regard to accepting payment cards. This assessment of your “cardholder data environment” helps you to accurately identify the appropriate scope for your review. Document your process to determine scope. Consider, for example: • Where do you take cards? (e.g., multiple locations, front desk, internet) • How do you take cards? (e.g., swipe terminal, Authorize.net, fax, phone, inperson) • Who touches cards and cardholder data? • Is the data recorded anywhere? • Where does it go? 2. Review unit payment card policy & procedures– take a look at your business process involving payment cards. • • Has your business process changed in the last year? Are your policies in agreement with PCI DSS and/or University policy? Annual SAQ Process (continued) 3. Complete Annually-Required University Forms Merchant manager (Form UM 1624) Required for all departments that have a University of Minnesota Payment Card Account. Employee Non-disclosure (Form UM 1623) Required for all employees involved in payment transactions who may have access to confidential cardholder data including card numbers, expiration dates or demographic cardholder information. Hosted Payment Card Account Desktop Usage Agreement (Form UM 1705) – SAQ-A only Required for departments that outsource all cardholder data functions to an approved University of Minnesota on-line, hosted payment gateway that the department manages through a passwordprotected website provided by the payment gateway service provider. This annual agreement sets out the requirements that allow the department to access the password-protected website without establishing a secure desktop. 4. Completion of the SAQ & Attestation SAQ-B SPECIAL INSTRUCTIONS You are eligible to use the SAQ B if: • You only use standalone dial-out terminals connected to phone lines, and • The standalone dial-out terminals are not connected to the Internet or any other systems within your environment, and • You do not receive or store cardholder data in electronic form, and • Any cardholder data that is stored is only in paper reports or copies of paper receipts and is not received electronically. If you meet all four requirements you are eligible to complete the 29 question SAQ-B form. Completing Your SAQ 1. Answer each question in your SAQ and SAVE it (the form does not autosave responses) “Yes” means you are fully compliant with this item “No” indicates your are not compliant with this item. Each “no” must have a corresponding entry in either: Part 4 “Action Plan for Non-Compliance” to describe your remediation plan for compliance, or Appendix C “Compensating Controls” to describe how you meet the requirement in a different way “NA” means the item does not apply in your situation. Use Appendix D to describe why each “NA” item is non-applicable (required). 2. Complete, print and sign the Attestation page; scan and save an electronic copy. 3. Email the completed SAQ and Attestation to pmtcard@umn.edu Action Plan • For each area of non-compliance there MUST be a corresponding Action Plan to to meet the requirement. – – – • Describe the next steps you will take on the path to compliance. Summarize the Action Plan. Include a target date to achieve remediation. Examples: – – – We do not have a cross-cut shredder but will use the one in the office down the hall until we buy our own. We will purchase and install cross-cut shredder, and train staff on use and handling of payment cards and disposal of sensitive information by September 30, 2012. Compliance remediation is in process; expect completion by July 31, 2012 Will review current practices to identify & address gaps; will design and deliver training on new procedures by October 31, 2012 Compensating Controls • Wherever you comply with the requirements through a means different from the method described in the SAQ, you MUST describe the “compensating control” in Appendix C. • Use one page for each requirement for which you use a compensating control. • Compensating controls must meet the intent of the specific Requirement. Thus another SAQ Requirement may not be used as a compensating control. Compensating controls are infrequently used at the University. Non-Applicability • For each NA response you mark in your SAQ, you MUST provide a descriptive reason why the requirement does not apply to your account. • The description may be as simple as: – – – • Data is not shared with service providers. Containers are not used to temporarily store paper to be shredded. Cross-cut shredder is used to immediately shred documents no longer needed. No media is sent via courier. Use additional pages if necessary. SAQ-B Requirement #12.8 • If you use a standalone dial-up terminal it is unlikely that you are sharing data with a service provider. If that is the case for you, the appropriate response is “NA” (be sure to add an explanation in Appendix D: Explanation of Non-Applicability) • Contact Accounts Receivable Services if you have a question. What is an Attestation? • An attestation clause is frequently found in legal documents that must be witnessed to be valid, such as signatures by those who “bear witness to the authenticity” of a will or a deed. • When a merchant makes an Attestation of Compliance they are, in essence, "bearing witness to the authenticity" of the SAQ - in other words the merchant is affirming the SAQ was completed to the best of the merchant’s ability or in collaboration with colleagues who the merchant reasonably believes responded to the best of their ability. • It means the merchant thought through each requirement, when needed sought assistance to understand and accurately respond, and believes the SAQ accurately reflects their account. The merchant didn't just check the boxes. Attestation • Complete ALL sections EXCEPT Part 1b • Part 2 use only – Retailer – E-commerce – Mail order/phone order • Part 2a – If you use Authorize.net or a similar gateway they are a 3rd party. – Most of the University uses Wells Fargo as the acquirer. Contact Accounts Receivable Services if you believe you work with more than one acquirer. Attestation – A only Page 2 • Part 2b – You must be able to check each item • Part 3 - PCI DSS Validation – If you check ‘Non-Compliant’ be sure to include remediation Action Plans in Part 4 (following your signature) • Part 3a – You must mark all three. • Part 3b – Print, sign, scan, email Attestation SAQ-B • Part 2b – Transaction Processing: Not Applicable for University SAQ-B merchants. • Part 2c – You must be able to check each item • Part 3 - PCI DSS Validation – If you check ‘Non-Compliant’ be sure to include remediation Action Plans in Part 4 (following your signature) • Part 3a – You must confirm and attest to all five statements. • Part 3b – Print, sign, scan, email Resources Controller’s Office website : Training presentations & links to resources Accounts Receivable Services for process or general form questions – pmtcard@umn.edu or 612-625-2392 OITSEC: Send technical questions to abuse@umn.edu University’s Payment Card Policy Two helpful documents provided by the PCI Security Standards Council: Navigating PCI DSS: Understanding the Intent of the Requirements describes how & why the requirements are relevant to your payment card process. Requirements & Security Assessment Procedures provides guidance to determine if you have met a requirement.