Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security Introductions • Cathy Riedl-Farrey – Controller, Financial Services • Anna Pulver – Information Security Officer • Patrick Fitzsimons – Internal Auditor 2 Agenda • What is PCI Compliance? • What is expected of you? • Time lines 3 Why we are here PCI 12.6.1 (c) Have employees completed awareness training and are they aware of the importance of cardholder data security? 4 Modern-day data security risks • Over the past couple decades – Increase in payment card usage – Increase in e-commerce – Great convenience • Unfortunately… – Security has not kept pace – The criminals have noticed 5 Therefore… • UW-Platteville is concerned. • UWPLT adopted a policy regarding storage, transmission, processing of payment card data – Credit Card Handling Policy, currently being revised – http://www.uwplatt.edu/financial/credit-card-compliance • UWPLT must be “PCI Compliant” 6 We Need You • We need your help to achieve compliance! 7 Does compliance apply to you? • If you take branded credit card information… PCI applies to you – Major brands: VISA, MC, AmEx, Discover – Whether • The actual physical card is present, or • You receive the data via phone, web, or mail • You contract with a hosted provider or in-house dept – If you “store, transmit or process” cardholder data 8 What is PCI Compliance? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 9 Payment Card Industry • “PCI” = Payment Card Industry – Major brands: VISA, MC, Discover, AmEx • Established a Data Security Standard – PCI DSS • Thus, “PCI Compliant” • Current version 3.0 Logo from https://www.pcisecuritystandards.org/ 10 What is PCI Compliance? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 11 PCI DSS • Payment Card Industry Data Security Standard • 12 general principles/requirements • Establishes a baseline of secure practices – Will help mitigate costs, in case of a breach. – Not a 100% guarantee to prevent a breach 12 PCI DSS: 6 goals, 12 requirements Goals PCI DSS Requirements I. Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data II. Protect Cardholder Data 3. Protect stored cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 4. Encrypt transmission of cardholder data across open, public networks III. Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs IV. Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 6. Develop and maintain secure systems and applications 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data V. Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data VI. Security Policy 12. Maintain a policy that addresses information security for employees and contractors 13 11. Regularly test security systems and processes Maintain an Information Why should you care? • The number of Requirements that apply to you will determine how involved the compliance process will be for you. The simpler your business process, the simpler your compliance process. 14 What is PCI Compliance? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 15 University compliance means… • For the University to be “PCI Compliant”, – all of its CC business units need to be compliant. • Merchant IDs, applications, operations, etc • Infrastructure: terminals, networks, fax/copy • Personnel • “If it stores, transmits or processes credit card data, it must be PCI compliant.” 16 PCI Compliance entails… 1. Training 2. Review of business processes 3. Annual service level agreements (SLA) and self-assessment questionnaires (SAQ) 17 PCI Compliance - Training • Supervisor Training: August 8 & August 12 • Operators: on-line training module 18 Operator training • On-line training module – Go Live 8/12/14 – Approx 30 minute video • Broken into three modules – Will cover general “operator” material – Individual Departments may need to develop additional training material to cover their unique processes. 19 Operator training modules https://www.uwplatt.edu/financial /pci-training 20 The Three Modules 1. Card Security Basics (general) 2. Card Present Transactions 3. Card Not Present Transactions 21 Annually renewed and tracked • All training must be renewed annually • All training must be tracked • Identify operators who need to be trained – Operators must be trained by 10/15/2014 • Watch for turn-over, new hires • Training checklist should be completed • Submit worksheets to riedlfac@uwplatt.edu 22 The Compliance Process 2. Review of business processes – May need to review in light of PCI DSS 3.0 23 The Compliance Process 3. SLA & SAQ – Most SLA’s expire 12/31 – SAQ’s will be completed this Fall 24 What is PCI Compliance? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 25 PCI Compliance - Questionnaires • Provided by PCI • Has been expanded from four variants to eight – A, A-EP, B, B-IP, C, C-VT, D, P2PE-HW – In order of increasing complexity – Required for PCI Compliance • Self-Assessment Questionnaires (SAQ) • Which SAQ applies to a given merchant ID or application depends upon the business model. 26 SAQ Highlight 27 What is PCI Compliance? Who/What is PCI? PCI DSS – 6 Goals, 12 Requirements The PCI Compliance process PCI Compliance questionnaires What are the implications of compliance? 28 Business Processes to Consider - 1 • Never send (receive) CC#s in e-mail • Don’t store CC#s in database or spreadsheet • Destroy CC# documentation ASAP (cross-cut) – Redesign forms, so you can cut off CC#s • Receipts that show more than last four digits are out of compliance • Make workstations “dedicated” 29 Business Processes to Consider - 2 • If you copy, scan, or image CC#s… • Remove fax machines from public locations • Old carbon-copy devices are out of compliance • Do you have integrated workstations? – Units that have built-in card-readers • Other ideas? 30 Miscellaneous Point #1 • Beware the “maverick” – Well-intending faculty or staff – Sets up a business unit without authorization – Beware solicitations – There are no PCI approved mobile devices (i.e. Square) 31 Miscellaneous Points #2 • You don’t HAVE to become PCI Compliant. • However, if you choose not to comply… – You will no longer be able to accept credit cards. 32 Changes in personnel? • Are you leaving? • New Supervisor? • Notify riedlfac@uwplatt.edu with an updated SLA within 5 business days of change. – Need to track training to remain compliant 33 Time Line - Summary • Supervisor Training Sept 2014 • Employees complete on-line training modules 8/8 or 8/12/14 • All training complete. Submit training spreadsheet to Controller October 15, 2014 34 Questions? Thank you! 35