Merchant Card Processing
(PCI Compliance for Supervisors)
Sponsored by UW-Platteville’s
Financial Services and
The Office of Information Security
Introductions
• Cathy Riedl-Farrey
– Controller, Financial Services
• Anna Pulver
– Information Security Officer
• Patrick Fitzsimons
– Internal Auditor
2
Agenda
• What is PCI Compliance?
• What is expected of you?
• Time lines
3
Why we are here
PCI 12.6.1 (c) Have employees completed
awareness training and are they aware of the
importance of cardholder data security?
4
Modern-day data security risks
• Over the past couple decades
– Increase in payment card usage
– Increase in e-commerce
– Great convenience
• Unfortunately…
– Security has not kept pace
– The criminals have noticed
5
Therefore…
• UW-Platteville is concerned.
• UWPLT adopted a policy regarding storage,
transmission, processing of payment card data
– Credit Card Handling Policy, currently being revised
– http://www.uwplatt.edu/financial/credit-card-compliance
• UWPLT must be “PCI Compliant”
6
We Need You
• We need your help to achieve compliance!
7
Does compliance apply to you?
• If you take branded credit card information…
PCI applies to you
– Major brands: VISA, MC, AmEx, Discover
– Whether
• The actual physical card is present, or
• You receive the data via phone, web, or mail
• You contract with a hosted provider or in-house dept
– If you “store, transmit or process” cardholder data
8
What is PCI Compliance?





Who/What is PCI?
PCI DSS – 6 Goals, 12 Requirements
The PCI Compliance process
PCI Compliance questionnaires
What are the implications of compliance?
9
Payment Card Industry
• “PCI” = Payment Card Industry
– Major brands: VISA, MC, Discover, AmEx
• Established a Data Security Standard
– PCI DSS
• Thus, “PCI Compliant”
• Current version 3.0
Logo from https://www.pcisecuritystandards.org/ 10
What is PCI Compliance?





Who/What is PCI?
PCI DSS – 6 Goals, 12 Requirements
The PCI Compliance process
PCI Compliance questionnaires
What are the implications of compliance?
11
PCI DSS
• Payment Card Industry Data Security Standard
• 12 general principles/requirements
• Establishes a baseline of secure practices
– Will help mitigate costs, in case of a breach.
– Not a 100% guarantee to prevent a breach
12
PCI DSS: 6 goals, 12 requirements
Goals
PCI DSS Requirements
I. Build and Maintain a Secure
Network
1. Install and maintain a firewall configuration to protect cardholder data
II. Protect Cardholder Data
3. Protect stored cardholder data
2. Do not use vendor-supplied defaults for system passwords and other
security parameters
4. Encrypt transmission of cardholder data across open, public networks
III. Maintain a Vulnerability
Management Program
5. Use and regularly update anti-virus software or programs
IV. Implement Strong Access Control
Measures
7. Restrict access to cardholder data by business need-to-know
6. Develop and maintain secure systems and applications
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
V. Regularly Monitor and Test
Networks
10. Track and monitor all access to network resources and cardholder data
VI. Security Policy
12. Maintain a policy that addresses information security for employees and
contractors
13
11. Regularly test security systems and processes Maintain an Information
Why should you care?
• The number of Requirements that apply to
you will determine how involved the
compliance process will be for you.
The simpler your business process,
the simpler your compliance process.
14
What is PCI Compliance?





Who/What is PCI?
PCI DSS – 6 Goals, 12 Requirements
The PCI Compliance process
PCI Compliance questionnaires
What are the implications of compliance?
15
University compliance means…
• For the University to be “PCI Compliant”,
– all of its CC business units need to be compliant.
• Merchant IDs, applications, operations, etc
• Infrastructure: terminals, networks, fax/copy
• Personnel
• “If it stores, transmits or processes credit card
data, it must be PCI compliant.”
16
PCI Compliance entails…
1. Training
2. Review of business processes
3. Annual service level agreements (SLA) and
self-assessment questionnaires (SAQ)
17
PCI Compliance - Training
• Supervisor Training: August 8 & August 12
• Operators: on-line training module
18
Operator training
• On-line training module
– Go Live 8/12/14
– Approx 30 minute video
• Broken into three modules
– Will cover general “operator” material
– Individual Departments may need to develop
additional training material to cover their unique
processes.
19
Operator training modules
https://www.uwplatt.edu/financial
/pci-training
20
The Three Modules
1. Card Security Basics (general)
2. Card Present Transactions
3. Card Not Present Transactions
21
Annually renewed and tracked
• All training must be renewed annually
• All training must be tracked
• Identify operators who need to be trained
– Operators must be trained by 10/15/2014
• Watch for turn-over, new hires
• Training checklist should be completed
• Submit worksheets to riedlfac@uwplatt.edu
22
The Compliance Process
2. Review of business processes
– May need to review in light of PCI DSS 3.0
23
The Compliance Process
3. SLA & SAQ
– Most SLA’s expire 12/31
– SAQ’s will be completed this Fall
24
What is PCI Compliance?





Who/What is PCI?
PCI DSS – 6 Goals, 12 Requirements
The PCI Compliance process
PCI Compliance questionnaires
What are the implications of compliance?
25
PCI Compliance - Questionnaires
• Provided by PCI
• Has been expanded from four variants to eight
– A, A-EP, B, B-IP, C, C-VT, D, P2PE-HW
– In order of increasing complexity
– Required for PCI Compliance
• Self-Assessment Questionnaires (SAQ)
• Which SAQ applies to a given merchant ID or
application depends upon the business model.
26
SAQ Highlight
27
What is PCI Compliance?





Who/What is PCI?
PCI DSS – 6 Goals, 12 Requirements
The PCI Compliance process
PCI Compliance questionnaires
What are the implications of compliance?
28
Business Processes to Consider - 1
• Never send (receive) CC#s in e-mail
• Don’t store CC#s in database or spreadsheet
• Destroy CC# documentation ASAP (cross-cut)
– Redesign forms, so you can cut off CC#s
• Receipts that show more than last four digits
are out of compliance
• Make workstations “dedicated”
29
Business Processes to Consider - 2
• If you copy, scan, or image CC#s…
• Remove fax machines from public locations
• Old carbon-copy devices are out of
compliance
• Do you have integrated workstations?
– Units that have built-in card-readers
• Other ideas?
30
Miscellaneous Point #1
• Beware the “maverick”
– Well-intending faculty or staff
– Sets up a business unit without authorization
– Beware solicitations
– There are no PCI approved mobile devices (i.e.
Square)
31
Miscellaneous Points #2
• You don’t HAVE to become PCI Compliant.
• However, if you choose not to comply…
– You will no longer be able to accept credit cards.
32
Changes in personnel?
• Are you leaving?
• New Supervisor?
• Notify riedlfac@uwplatt.edu with an updated
SLA within 5 business days of change.
– Need to track training to remain compliant
33
Time Line - Summary
• Supervisor Training
Sept 2014
• Employees complete
on-line training
modules
8/8 or 8/12/14
• All training complete.
Submit training
spreadsheet to
Controller
October 15,
2014
34
Questions?
Thank you!
35