Complying With Payment Card Industry Data Security Standards (PCI DSS)

We live and work in a global community. Most of us give very little thought to handing over our credit or debit card to complete strangers or entering our card data into a website. We do this in good faith, expecting that our information will be protected. Yet each year millions of Americans are affected by credit card theft.

With confidence that their data is safe, individuals engage in payment card activity with Longwood University daily. They depend on us to protect their cardholder and other personal information. We must maintain a secure data environment; loss of consumer confidence can have serious repercussions for our institution.

As a University employee, temporary hire, student or volunteer who processes payment card transactions, you are responsible for protecting and securing cardholder data at all times.

Education is at risk: while many departments want to accept credit cards, they have different needs and some have little or no knowledge of credit card security requirements.

[Chart: Data Security Breaches – Past 3 Years (source: Privacy Rights Clearinghouse). Sectors shown: Government, Healthcare, Higher Education, Financial Services, Retailers, Other. Values as extracted: 6%, 8%, 33%, 17%, 14%, 22%; the pairing of labels to values is not recoverable from the extracted text.]

Payment Card Industry Data Security Standards (PCI DSS) are administered by the PCI Security Standards Council, which was founded by VISA, MC, AMEX, DISCOVER and JCB. PCI DSS applies to all entities that store, process or transmit credit card data. If you are a merchant who accepts or processes payment cards, you MUST comply with PCI DSS!
Entities in the Payment Card “Ecosystem”:

PCI Security Standards Council (PCI SSC): founded by the card associations and responsible for administering PCI DSS
PCI Data Security Standards (PCI DSS): technical and operational requirements set by the PCI SSC to protect cardholder data
Cardholder: person holding a credit or debit card
Card Associations (Brands) – VISA, MC, AMEX, Discover, JCB: enforce compliance with the PCI DSS
Issuing Bank: bank that issues payment cards to consumers (cardholders)
Acquiring Bank: contracts for payment services with the merchant; the merchant must validate PCI DSS compliance with its “acquirer”; the acquirer reports compliance status to the card associations
Merchant: entity that sells goods/services and accepts cards; responsible for safeguarding credit card data and complying with the PCI DSS
Service Provider: entity that provides all or some of the payment services for the merchant; responsible for safeguarding credit card data and complying with the PCI DSS

The goal of PCI DSS is to protect cardholder data whenever it is processed, stored or transmitted. Sensitive authentication data (magnetic stripe data, chip data, CAV2/CID/CVC2/CVV2) must NEVER be stored after authorization.

The Self-Assessment Questionnaire (SAQ) is a tool by which eligible merchants and service providers can validate their PCI DSS compliance through self-assessment.

SAQ A (13 questions): all cardholder data functions outsourced; no electronic storage, processing or transmission of cardholder data
SAQ B (29 questions): imprint machines or standalone dial-out terminals only; no electronic cardholder data storage
SAQ C-VT (51 questions): web-based virtual terminal; no electronic cardholder data storage
SAQ C (80 questions): payment application connected to the internet; no electronic cardholder data storage
SAQ D (286 questions): all other methods

Goals and PCI DSS Requirements

1. Build and maintain a secure network
   1. Install and maintain a firewall configuration to protect data
   2. Change vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
   3. Protect stored data
   4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks
3. Maintain a vulnerability management program
   5. Use and regularly update antivirus software
   6. Develop and maintain secure systems and applications
4. Implement strong access control measures
   7. Restrict access to data to a need-to-know basis
   8. Assign a unique ID to each person with computer access
   9. Restrict physical access to cardholder data
5. Regularly monitor and test networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
6. Maintain an information security policy
   12. Maintain a policy that addresses information security

PCI DSS applies to you if you store, process or transmit cardholder data (in person, by mail, fax or phone, or online) or you use a system that processes or stores credit card data.

You must…
- Evaluate your credit card acceptance activities and determine validation requirements (based on merchant level, card acceptance and processing methods)
- Validate PCI compliance with our “Acquirer” annually using the Self-Assessment Questionnaire
- Participate in annual credit card security awareness training
- Develop and comply with payment card acceptance policies/procedures
- Maintain appropriate technical system security and network controls

ASSESS: examine the cardholder environment
REPORT: submit compliance reports
REMEDIATE: resolve vulnerabilities

Consequences of noncompliance with PCI data security standards include:
- Loss of reputation and customers
- Financial fees and fines
- Litigation or sanctions
- Termination of credit card payment acceptance

All merchants must adhere to PCI standards and certify compliance with applicable standards annually.
Merchants will abide by University policy and procedures. Departments may not negotiate contracts with credit card processing companies or companies accepting credit card payments. All merchant accounts for accepting credit cards must be approved by Financial Operations.

Do not store credit card data unless required to conduct departmental business.
- Never store credit card numbers electronically in a database or spreadsheet, on portable media or on share drives.
- Do not store full cardholder account numbers (PAN) with expiration dates.
- Mask all but the last 4 digits of the credit card number.
- Never store sensitive authentication data - magnetic stripe data, chip data, the CAV2/CVC2/CVV2/CID, or the PIN/PIN block - under any circumstances.

Always protect cardholder data against unauthorized access.
- Keep credit card information locked in a secure location.
- Do not allow unauthorized persons access to areas where credit card data is stored.
- Restrict physical access to computer workstations and other equipment used in credit card payment processing.
- Permit only those employees with a legitimate “need to know” access to cardholder data.
- Destroy documentation containing credit card information when no longer needed for business or legal reasons.

Each employee with access to payment card information via computer should have a unique login or password.
- Log out of the computer when unattended.
- Never share passwords or user IDs.
- Limit user access to specified privileges.
- Never use vendor-supplied default passwords.
- Passwords should be changed regularly – at least every 90 days.
- Ensure computers handling credit card data possess updated versions of University-recommended antivirus and spyware detection software.

Do NOT request, send or accept payment card information by email. If you receive cardholder data via email, do NOT process the transaction.
- Make the sender aware that, for their safety, they should never email credit card information.
- Remove the cardholder data when responding and direct them to an approved processing method.
- Delete the email containing cardholder data completely from your email account.

Maintain up-to-date policies and departmental desktop procedures. Complete annual credit card security training upon hire and at least annually.

Any confirmed or suspected breach should be reported immediately to the Information Security Office.
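The storage and email rules above (mask all but the last 4 digits of the PAN; never keep full card numbers in spreadsheets or email; remove cardholder data before replying) are easy to state and easy to get wrong in practice. The following is an added example, not part of the University's training material or its tooling, showing how a department or security office could check a block of text (an inbound email body, a spreadsheet export) for PAN-like numbers and mask them to the last four digits. It assumes the Luhn check as the filter for "looks like a real card number" and a 13 to 19 digit length range; the sample email is constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits. Length and separator
# rules are this example's assumptions, not taken from the policy text.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Phone numbers, student IDs and most random digit runs fail this check,
    which keeps false positives down when scanning free text.
    """
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits, as the policy requires."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, separators stripped."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def contains_cardholder_data(text: str) -> bool:
    """True if the text carries at least one PAN; such an email must not be processed."""
    return bool(find_pans(text))


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN with its masked form; leave other digit runs alone."""
    def _sub(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: a well-known test card number (Luhn-valid), a number
# with a wrong check digit, a phone number and a student ID.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111, exp 12/27, for the "
    "conference fee. My other card is 4111-1111-1111-1112 if that fails. "
    "Call me at 434-555-0100. Student ID 0123456789."
)

if __name__ == "__main__":
    print("cardholder data present:", contains_cardholder_data(SAMPLE_EMAIL))
    print("PANs found:", find_pans(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
```

Running it on the sample flags the one valid PAN, leaves the mistyped number, the phone number and the student ID untouched, and returns a copy of the message with the card number shown as `************1111`, which is the form that may be kept or quoted in a reply.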