TRANSCRIPT
NC Financial Systems Conference 2010
PCI Compliance & Credit Card Processing
What Does It Mean & How Do We Get There?
Agenda
1. PCI / PA-DSS / PTS
2. Changes & Deadlines
3. Watch Out For…
4. University Strategies
Payment Card Industry Evolution
Phase 1 – CISP / PED: Focus on Banks, Processors, Gateways
Phase 2 – PCI: Focus on Merchant
Phase 3 – PA / PTS: Focus on Application & PIN Transactions
Who are the major players?
• PCI Security Standards Council
• TrustWave or other ASV
• TouchNet / CashNet / NelNet
• 3rd Party Apps
• You – University Compliance
Why PCI?
We are all merchants
Agreed to comply
Agreed to fines and fees
No one can relieve us of our obligations
PCI-DSS
Applies to all merchants
Requires an annual self-assessment for each method of payment
Requires quarterly network scan by approved scanning vendor (ASV)
https://www.pcisecuritystandards.org
PCI – Getting Started
https://www.pcisecuritystandards.org/pdfs/pcissc_getting_started_with_pcidss.pdf
PCI Standard Requirements
https://www.pcisecuritystandards.org/pdfs/pcissc_getting_started_with_pcidss.pdf
PCI
PA-DSS
• Applies to software vendors and others who develop and sell payment applications
• Applies to storing, processing and transmitting data
• In-house payment applications that are not sold to a 3rd party are not subject to PA-DSS but must still be secured in accordance with PCI-DSS
Vendor – responsible for certification process
Merchant – verify application is listed by the PCI Security Standards Council as a PA-DSS certified payment application (specific to its release number)
https://www.pcisecuritystandards.org/security_standards/vpa
PA-DSS Process
• Review end-to-end functions
• All input and output – where stored, who has access to the PC, where data goes
• Error conditions – cached information, notifications
• Interfaces/Connections to Other Systems
• Data Flow
• Encryption Mechanisms
• Authentication Mechanisms
Validated Payment Applications
PTS
• Formerly PCI PED
• Set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities
• Requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it
• Merchants should only use PIN entry devices that are tested and approved by the PCI SSC
https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
Approved PIN Transaction Security
Why Comply?
Why Are You Vulnerable?
Business vs Faculty vs Vendor
Historical Data that Hasn’t Gone Away
People trying to “be helpful”
Bad Business Practice
Phone Payments
Alumni Lists
Mailing Lists
What you don’t know CAN hurt you…
Cost of Not Complying
• Recarding
• Fines from Bank, Visa and card companies
• Insurance Costs
• Cost to University’s Image
www.adamdodge.com/esi
Changes & Deadlines
NOW – PCI-DSS compliance – should be performing self-audits
July 1, 2010 – PA-DSS & PTS
More Changes Coming!!!
Lifecycle Process for Changes to PCI DSS
What To Do
• Embrace PCI DSS Objectives as a Reality of Doing Business
• Educate Campus Merchants about PCI Security Standards
• Find the Needles, not the Haystacks
• Start in Business Office
• Expand to the Campus
• Enforce PCI Requirements Campus-Wide
• Have a Procedure
• Understand the Risks
• Leverage a Strategy that Minimizes the Number of Systems on Campus which Touch Sensitive Payment Data
• Architect Big, Implement Small
• Replace Out-Dated POS equipment with PTS-Compliant Devices
• Download PCI Security Council Quick Reference Guide - https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
• Become familiar with NC OSC PCI Security Compliance Program website
http://www.osc.nc.gov/programs/risk_mitigation_pci.html
OSC PCI Compliance Website
Understanding PCI Data Security
• PCI Security Standards Overview
• Understanding PCI Data Security Presentation
• Applicability of PCI Data Security Standard (PCI DSS) to Card Capture Methods
• Policy for Security Incident Plan
• PCI Related Memorandums
• Common Payment Services – Report of Compliance
PCI Data Security Resources
• State E-Commerce Program
• PCI Security Standards Council, LLC
• PCI Data Security Standard (v. 1.2)
• PCI Self-Assessment Questionnaire (v. 1.2)
• PCI Penetration Testing Requirement 11.3
• VISA’s Cardholder Information Security Program (CISP)
• MasterCard’s Site Data Protection Program (SDP)
• Glossary of Terms
• List of Compliant Service Providers
• Payment Application Data Security Standard
• Visa’s List of Validated Payment Applications
• PCI Council’s List of Validated Payment Applications
• Sample Addendum for Requirement 12.8
• TrustWave
TrustKeeper Validation Service
• Compliance with PCI Data Security Standards
• Validation of PCI Compliance Requirements
• Trustwave Validation Enrollment
• Trustkeeper Portal Login
• Responding to Notice of Non-Compliance
• PCI Validation for Service Providers
Things to Look For
“Rogue” Departments
Miscellaneous Revenue
Mailers with credit card information mailed back to the university
Receipting – type of payments should be monitored
Point of Sale (POS) – analog line; make sure the model does not retain card information; stored card numbers should be truncated
Web-Based Applications
Processor – FirstData, VisaNet, Nashville, etc.
Payment Gateway – CPS, PayPoint Gateway, 3rd party with OSC approval
3rd party applications – PCI certificate of compliance; if using a 3rd party for credit card processing, ensure they remit on a daily basis
The Clock is Ticking…
PCI References
• PCI Council: https://www.pcisecuritystandards.org/index.shtml
• OSC PCI: http://www.osc.nc.gov/programs/risk_mitigation_pci.html
• Useful Info: http://www.pciknowledgebase.com/
Cost of Non-Compliance
• Did you know:
– A breach with any one merchant on our campus could mean that ALL credit card transactions for the University may cease.
• We each have ONE chain number for each campus
• Each chain has all our merchants attached to it.
• The cut off comes at the chain level – not the merchant
Cost of Non-Compliance
In 2008, millions of personal credit card records belonging to Americans were compromised.
Cost of Non-Compliance
If your credit card processing system is breached/compromised
• Your credit card system is stopped
• You pay fines
• You pay for a forensics audit (from $10,000-$100,000)
• You lose the right to process credit cards until compliance is achieved and verified.
• You pay the replacement cost of cards that were compromised (about $200 per card)
• You pay more fines based on whether any of the credit cards were used fraudulently (up to $500,000 per incident)
What ECU is Doing
• Currently all Credit Card Transactions, except athletics, are using Touchnet
• Athletics use Paciolan System
• Students use Bill Payment Suite
– Statements
– Banner Balances
– Banner payment/charge history
What ECU is Doing
Touchnet U-PAY Sites
• Parking & Traffic (T2)
• Alumni (Imodules)
• Continuing Education (AceWare)
• Housing (CBORD)
• Orientation (In-house written)
• On-Line Giving (In-house written)
What ECU is Doing
Touchnet Payment Point – Graduate School Applications (Banner)
Touchnet
eCheck – In process of implementing
Convenience Fees – In process of implementing (along with stopping the use of VISA credit cards)
What ECU is Doing
Touchnet U-Store (works as a “shopping cart” type application)
Evaluating for small campus divisions that would like to do credit card processing:
Library – Membership, special events
College of Education – camp fees
College of Business – tests/ events
What ECU is Doing
Security Department Changes that are coming to ECU
• Locking down any PC that does credit card transactions (athletics & box office & staff computers)
– No Adobe
– No administrative privileges
– No software updates
– No profile changes
– Static IP for credit card processing only
– Staff doing credit card processing along with other tasks will have two computers – one dedicated to Credit Card processing
What ECU is Doing
• No electronic storage of Credit Card numbers is allowed
• Financial Services is responsible for credit card compliance – IT advises.
• Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed. They are destroyed when no longer needed.
• All credit card requests go through IT, Cash Management Director and Finance
What UNCW is Doing
• No electronic storage of Credit Card numbers is allowed
• Controller’s Office is responsible for credit card compliance – IT advises.
• Paper copies with credit card numbers are securely locked up and only kept during the time that the card number is needed. They are destroyed when no longer needed.
• All credit card requests go through Controller’s Office, Director of Student Accounts/Cashier’s Office and Financial Systems
What UNCW is Doing
• Currently all new Credit Card Transactions are using Touchnet
• Students use Bill Payment Suite
– Statements
– Banner Balances
– Banner payment/charge history
– eRefunds
What UNCW is Doing
Touchnet U-PAY Sites
• Athletics (JumpTV & In-house written)
• Graduate School (Apply Yourself)
• Public Service (AceWare)
• Housing (In-house written)
• Orientation (In-house written)
• Annual Giving (RuffaloCody)
• Alumni Association (In-house written)
• Creative Writing Ecotone (One Cow Standing)
• Admissions (AdmissionsPro)
• Box Office (eTix)
What UNCW is Doing
Touchnet Payment Point – Registrar Office Reenrollment Fees (Banner)
Touchnet
PayPath – Implementing July 1, 2010
Convenience Fees – In process of implementing (along with stopping the use of VISA credit cards) for student payments only
University Strategies
Round Table Discussion of How Universities are Handling PCI Compliance and e-Commerce
Back-to-Basics List for PCI Compliance (All of these items are doable, but require focused effort and attention to detail.)
• Identify all campus merchants and pay points
• Verify all payment software is PA-DSS certified
• Verify PIN data collection devices are PTS compliant
• Verify that any hosting centers in use are PCI DSS certified
• Complete and submit annual compliance reports
• Perform regular PCI training for campus merchants
• Scan campus computers for unprotected card data
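The last item in the list ("Scan campus computers for unprotected card data") and the earlier note that stored card numbers should be truncated are the two things a practitioner has to actually implement. The following is an added example, not code from the presentation or from any of the universities named in it: it finds Luhn-valid card numbers in text and reports them truncated to the first six and last four digits, so the scan report itself never contains a full PAN. The sample lines are constructed; the 4111... and 5500... numbers are the card brands' published test numbers.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Mod-10 check every real PAN satisfies; weeds out phone numbers, ticket ids, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate(pan):
    """Keep at most the first six and last four digits (PCI DSS truncation)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text):
    """Return (raw match, truncated PAN) for each Luhn-valid candidate in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.group(), truncate(digits)))
    return hits

def scan_lines(lines):
    """Report (line number, truncated PAN) findings without echoing the full number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for _raw, masked in find_pans(line):
            findings.append((n, masked))
    return findings

# Constructed sample input: two test PANs, one phone number, one non-card number.
SAMPLE = [
    "Order 1187 paid with 4111 1111 1111 1111 exp 10/12",
    "Call the office at 800-555-0100 for questions",
    "Donor id 5500000000000004 mailed in",    # Luhn-valid 16-digit test number
    "Ticket 1234567890123456 (not a card)",   # 16 digits but fails Luhn
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE):
        print(f"line {n}: unprotected card data {masked}")
```

Run over a spreadsheet export or a mail-merge file, the report lists only line numbers and truncated numbers, which is what a campus merchant needs to locate and purge the data without creating another copy of it.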
How and What are WE Doing?