
2013 PCI:DSS Meeting

2013 PCI:DSS Meeting. OSU Business Affairs Process Improvement Team (PIT) Dan Hough & Robin Whitlock. 12/31/2013. Today’s Presentation. What do you have to do? What is PCI DSS? Why is it important? Compliance Life Cycle Cardholder Data/Storage Goals & Requirements


Presentation Transcript


  1. 2013 PCI:DSS Meeting
     OSU Business Affairs Process Improvement Team (PIT), Dan Hough & Robin Whitlock, 12/31/2013
  2. Today’s Presentation
     - What do you have to do?
     - What is PCI DSS?
     - Why is it important?
     - Compliance Life Cycle
     - Cardholder Data/Storage
     - Goals & Requirements
     - What do you have to do?
     - Resources
     - Questions
  3. Your to-do list by January 31st:
     - Verify credit card merchant information with Business Affairs
     - Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
     - Merchant managers complete and sign the Cover Page & SAQ (Annual PCI DSS Assessment must be completed for all Merchants). Business Center Manager or FAM must review and sign.
     - Send to Dan Hough and Robin Whitlock
  4. What is PCI DSS?
     - Payment Card Industry Data Security Standards
     - Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Disc…)
     - Mirrors best security practices
     - Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers…)
     - That means you!
  5. Why Is Compliance Important?
     - Reputation protection (customers, acquirers and payment brands, OST)
     - Reduce potential legal liabilities
     - Avoid fines and legal costs
     - Avoid investigative charges
     - Data compromise may result in a higher PCI DSS validation level
     - Maintain MID
     - Understanding of information & risks
     - Continue accepting cards
     - Compliance is mandatory (eCommerce Policy, Oregon State Treasury, PCI DSS).
  6. Why PCI:DSS?
     - 4,139 breaches of sensitive information (>662 million records) since 2005 (Ref: PrivacyRights.org 12/31/13)
     - Educational institutions: 716 breaches (~17%)
  7. Target Data Breach
  8. Think it can’t happen here? It already has!!!
  9. Compliance Life Cycle
     - PCI:DSS Validation
     - Pre-Assessment / Gap Analysis
     - Implement / Remediate
  10. What is Cardholder Data?
     - Primary Account Number (PAN)
     - Expiration Date
     - Cardholder Name
     - Chip/Magnetic Stripe Data
     - CAV2/CVC2/CVV2
  11. PCI Data Storage
     - These data elements must be protected if stored in conjunction with the PAN.
     - Sensitive authentication data, including magnetic stripe or chip data, must not be stored after authorization (even if encrypted).
  12. PCI DSS Goals & Requirements (digital dozen)
     Build and Maintain a Secure Network (2)
     - Install and maintain a firewall configuration to protect cardholder data
     - Do not use vendor-supplied defaults for system passwords and other parameters
     Protect Cardholder Data (2)
     - Protect stored cardholder data
     - Encrypt transmission of cardholder data across open, public networks
  13. PCI DSS Goals & Requirements
     Maintain a Vulnerability Management Program (2)
     - Use and regularly update anti-virus software
     - Develop and maintain secure systems and applications
     Implement Strong Access Control Measures (3)
     - Restrict access to cardholder data by business need-to-know
     - Assign a unique ID to each person with computer access
     - Restrict physical access to cardholder data
  14. PCI DSS Goals & Requirements
     Regularly Monitor and Test Networks (2)
     - Track and monitor all access to network resources and cardholder data
     - Regularly test security systems and processes
     Maintain an Information Security Policy (1)
     - Maintain a policy that addresses information security
  15. Misconceptions
     - Self assessment means you’re compliant
     - Compliance means you won’t suffer a breach
     - Outsourcing takes away your need for compliance
     - PCI:DSS is just about IT
     - A single product can make you compliant
     - Compliance can be automated
  16. What do we have to do?
  17. Changes from Last Year: TouchNet merchants must complete the cover page and the SAQ-A
  18. Annual PCI DSS Assessment Documents
     Documents due by January 31st, 2014:
     - OSU Cover Page
     - Self Assessment Questionnaire (SAQ A-D, appropriate to merchant)
     - 3rd Party PCI DSS Certificate of Compliance (if applicable)
     Resources available on our website:
     - Status Report by Business Center
     - SAQ Forms, Instructions, and guidelines
     - Navigating the PCI DSS
     - Glossary
  19. PCI DSS Assessment Cover Page
  20. Multiple Merchant Consolidation
     Multiple merchants can be combined into a single submittal if:
     - The merchant IDs (MIDs) are of the same type (i.e. all POS, Web…)
     - All merchants are managed by the same merchant manager
     - The same policies and procedures apply to all merchants
     The strictest SAQ will apply (the one with the most questions). List all merchants on the cover page.
  21. Self Assessment Questionnaire (SAQ)
     - Completed by the merchant manager
     - Subset of full requirements
     - Broken down by Goals & Requirements
     - Made up of Yes / No / Not Applicable responses
     - NA or “Compensating Control”: must be explained
     - No: must have Remediation Date and Actions
     - Attestation Section: fill out the Merchant Version; do not complete the Service Provider Version
  22. SAQ Example-Requirements
  23. Compliance Summary
  24. SAQ Example- Explanation of Non-Applicability
  25. SAQ Example-Compensating Controls
  26. SAQ Example-Attestation
     Complete the “Merchant” version, not the Qualified Security Assessor Company version (if available). OSU does not use a Qualified Security Assessor Company.
  27. Your to-do list by January 31st:
     - Verify credit card merchant information with Business Affairs
     - Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)
     - Merchant managers complete and sign the Cover Page & SAQ (Annual PCI DSS Assessment must be completed for all Merchants). Business Center Manager or FAM must review and sign.
     - Send to Dan Hough and Robin Whitlock. Electronic submission is preferred.
  28. Resources
     - PCI Compliance for OSU Credit Card Merchants (instructions & forms): http://oregonstate.edu/fa/businessaffairs/staff/PCI
     - OSU FIS Manual: http://oregonstate.edu/fa/manuals/fis/1401-06
     - OUS Policy Guideline for Electronic Commerce: http://www.ous.edu/dept/cont-div/fpm/elec-40-005
     - Oregon Accounting Manual - Credit Card Acceptance for Payment: http://www.oregon.gov/DAS/CFO/SARS/policies/oam/10.35.00.pr.pdf
     - Oregon State Treasury Cash Management Policy: http://www.oregon.gov/treasury/Divisions/Finance/StateAgencies/Pages/Cash-Management-Manual.aspx
     - Payment Card Industry Data Security Standards: https://www.pcisecuritystandards.org/merchants/
  29. Thank You
     Business Affairs Contacts:
     - Robin Whitlock, Robin.Whitlock@OregonState.edu, 541-737-0622
     - Dan Hough, Dan.Hough@OregonState.edu, 541-737-2935