
PCI Compliance Information


Presentation Transcript


  1. PCI Compliance Information
     Chris Hobbs
     State of Nebraska Information Security Officer
     Office of the CIO

  2. Agenda:
     What is PCI / DSS?
     What are the definitions I need to be concerned with?
     How is Nebraska set up?
     What do I need to submit?
     Resources

  3. PCI / DSS
     Payment Card Industry / Data Security Standard
     A framework of specifications, tools, measurements, and support resources to help agencies ensure the safe handling of cardholder information.

  4. PCI / DSS
     Who makes up the PCI Security Standards Council?
     The Security Standards Council is a global forum, started in 2006, and is made up of five payment brands:
       American Express
       Discover
       JCB International
       MasterCard
       Visa

  5. Definitions

  6. Definitions
     Merchant: Any entity that accepts payment cards of the five members of the PCI Security Standards Council as payment for goods or services.
     Examples:
       DMV
       Revenue
       Game and Parks

  7. Definitions
     Service Provider: Any entity that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
     Examples:
       Treasurer’s Office
       Office of the Chief Information Officer
       Nebraska.Gov

  8. State of Nebraska Organization
     The Treasurer’s Office holds a contract with First National Bank and TSYS to process credit cards and is responsible for reporting PCI Compliance.
     The Office of the Chief Information Officer is responsible for ensuring and verifying PCI Compliance on the State’s network.

  9. Requirements of PCI Compliance
     Requirement 1: Install and maintain a firewall configuration to protect cardholder data
     Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
     Requirement 3: Protect stored cardholder data
     Requirement 4: Encrypt transmission of cardholder data across open, public networks

  10. Requirements of PCI Compliance
     Requirement 5: Use and regularly update anti-virus software or programs
     Requirement 6: Develop and maintain secure systems and applications
     Requirement 7: Restrict access to cardholder data by business need to know
     Requirement 8: Assign a unique ID to each person with computer access

  11. Requirements of PCI Compliance
     Requirement 9: Restrict physical access to cardholder data
     Requirement 10: Track and monitor all access to network resources and cardholder data
     Requirement 11: Regularly test security systems and processes
     Requirement 12: Maintain a policy that addresses information security for all personnel

  12. What do I need to Submit?
     The following should be submitted to the Treasurer’s Office:
       Specific Self Assessment Questionnaire (SAQ)
       Signed Certification Letter
       Signed Attestation

  13. What do I need to Submit?
     Fill out Self Assessment Questionnaire A (SAQ A) IF:
       The payment card is not present: the agency has no physical acceptance of credit cards from cardholders, only ecommerce transactions, phone call transactions, or Interactive Voice Response Unit (IVR) transactions.
       No cardholder data touches or accesses the agency’s systems; the cardholder data is handled and processed by parties such as Nebraska.gov, PayPal Host Based Gateway, Official Payments, or Trust Commerce Host Based Gateway.

  14. What do I need to Submit?
     Fill out Self Assessment Questionnaire B (SAQ B) IF:
       The agency only imprints the physical card with a “knuckle buster” or imprinter, with imprinted card receipts as the only records.
       The agency only uses a credit card terminal or “reader” to process card-swiped or key-entered credit card sales.
       There is no electronic storage of credit card data on computers or the agency network.
       Copies of sales slips and the credit card machine batch reports are saved in a secure location.

  15. What do I need to Submit?
     Fill out Self Assessment Questionnaire C (SAQ C) IF:
       The agency has a payment application connected to the internet that processes credit card data for sales.
       The payment application does not retain any credit card data after the credit card transaction is processed.

  16. What do I need to Submit?
     Fill out Self Assessment Questionnaire C-VT (SAQ C-VT) IF:
       The agency uses a web/internet virtual terminal(s) to process credit card sales.
       Examples of a web/internet virtual terminal include the PayPal Gateway, PayFuse Gateway, Trust Commerce Gateway, and other web/internet gateways.

  17. What do I need to Submit?
     Fill out Self Assessment Questionnaire D (SAQ D) IF:
       The agency does not fit into one of the previous categories for A, B, C, or C-VT.

  18. More Information
     PCI Website: www.pcisecuritystandards.org
     Chris Hobbs: chris.hobbs@nebraska.gov
     Charles Luginbill: charles.luginbill@nebraska.gov
     Char Scott: char.scott@nebraska.gov

  19. Questions?
     Chris Hobbs
     chris.hobbs@nebraska.gov