Northern KY University Merchant Training
DESCRIPTION
Northern KY University Merchant Training. Discussion Topics: What is PCI-DSS? Credit Card Processing. Two specific facets (Technical & Functional). Penalties for non-compliance. Risks. Plan of Action. What is PCI-DSS?
TRANSCRIPT
Northern KY University Merchant Training

Discussion Topics
• What is PCI-DSS?
• Credit Card Processing
• Two specific facets (Technical & Functional)
• Penalties for non-compliance
• Risks
• Plan of Action
What is PCI-DSS?
• Payment Card Industry Data Security Standard (DSS), initially created by Visa and MasterCard (officially in 2006); it now also includes Discover, Amex and JCB.
• All credit card companies in the U.S. have endorsed the Standard.
• PCI-DSS was created so there would be common industry security requirements.
Purpose
• Mandated by credit card companies: “If you accept our credit card(s), you must follow these rules.”
• Protect customers against fraud and identity theft.
• Avoid breaches and fraud resulting in lost revenue.

What PCI is NOT
• PCI is NOT something we can ignore.
• PCI is NOT a project; it is an ongoing program.
• It is NOT a silver bullet.
• It is NOT an option: if we accept credit cards as a source of payment, we must comply.
• It is NOT static.
Twelve Requirements
There are twelve seemingly simple requirements… however, there are approximately 230 sub-requirements, depending on the Merchant Level and the SAQ you are required to complete.
PCI DSS Requirements

Goal: Build and Maintain a Secure Network
• 1. Install and maintain a firewall configuration to protect cardholder data
• 2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
• 3. Protect stored cardholder data
• 4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
• 5. Use and regularly update anti-virus software or programs
• 6. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
• 7. Restrict access to cardholder data by business need to know
• 8. Assign a unique ID to each person with computer access
• 9. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
• 10. Track and monitor all access to network resources and cardholder data
• 11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy
• 12. Maintain a policy that addresses information security for all personnel
SAQs
Attestations of Compliance are included as part of each SAQ.
• SAQ A: Card-not-present merchants, all cardholder data functions outsourced
• SAQ B: Merchants with only imprint machines or only standalone, dial-out terminals; no electronic cardholder data storage
• SAQ C-VT: Merchants with web-based virtual terminals; no electronic cardholder data storage
• SAQ C: Merchants with payment application systems connected to the Internet; no electronic cardholder data storage
• SAQ D: All other merchants, and all service providers defined by a payment brand as eligible to complete an SAQ
Scope
“Any network component, server, or application that is included in or connected to the cardholder data environment”

Scope
• Map network(s) and cardholder data flow
• Use an automated tool to find your data
• Interview each campus merchant
• Understand business and data needs
• Determine actual business processes
• Identify third-party service providers
• Get details on all payment applications
• Logs, traces
• Vendors can be frustrating
Penalties
• Fines up to $500,000 from each credit card company, plus $197 per account holder
• Forensic investigation by a QSA (Qualified Security Assessor) begins at $10,000
• Increased auditing requirements
• Negative public relations
• Losing the ability to process credit card transactions completely
Websites: www.privacyrights.org/ and www.pcisecuritystandards.org/
College & University Breaches
• University breaches have increased exponentially since 2005
• Open, vulnerable networks
• Numerous merchants across campuses
• Payment processes spread over a large geographical area

Security Breaches
Approximately 600,000,000 records breached since 2005.
The running total represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.
Since 2010 there have been 88 breaches (mostly universities, a few high schools).
98% of hacking successes are the result of using default passwords. Always change default passwords.
Universities Are At Risk
• Network penetration, server hacking, SQL injection, stolen laptop computers, desktop computers, unlocked offices/desks, unsecured USB portable drives, CDs and DVDs containing sensitive information; particularly PANs, SSNs, names, addresses and birthdates.
Credit Card Processing

Dial-Up Terminal (diagram)
Flow: Authorization Request, Authorization Confirmation, Settlement ($$$ / $)
Parties: Merchant, Processor, Card Owner’s Bank, Issued Card, Merchant’s Bank
Fees shown: Discount Fees, Services Fees, ACH Fees, Banking Fees, Interchange

SSL Terminal (diagram)
Flow: Authorization Request, Authorization Confirmation, Settlement ($$$ / $)
Parties: Merchant, Processor, Card Owner’s Bank, Issued Card, Merchant’s Bank; Interchange

Internet Processing (diagram)
Flow: Authorization Request, Authorization Confirmation, Settlement ($$$ / $)
Parties: Gateway, Processor, Card Owner’s Bank, Issued Card, Merchant’s Bank; Interchange

Mobile Processing (diagram)
Flow: Authorization Request, Authorization Confirmation, Settlement ($$$ / $)
Parties: Cellular Network, Processor, Card Owner’s Bank, Issued Card, Merchant’s Bank; Interchange
Cost Comparison (Mobile Pay vs. Website vs. Omni VX570)

One-Time Fees
• Mobile Pay: $75 for encrypted card reader (additional readers $65)
• Website: $150 initial setup fee (PNC)
• Omni VX570: $600 for terminal purchase (Dual Comm)

Monthly Fees
• Mobile Pay: $12 monthly access fee
• Website: $15 monthly fee
• Note: these fees are applied whether you process during the month or not.

Per-Transaction Fee
• $.10 per transaction (so if you run 10 transactions, that will cost you $1)

Discount Fee
• .06% discount fee (Mobile Pay, Website and Omni VX570); this is applied to your gross $ processed.

Gateway
• $99 setup fee and $50 per month for the Authorize.Net secure gateway or other PCI DSS/PA-DSS compliant application.
• Authorize.Net Secure Gateway is preferred by NKU and PNC Merchant Services.
Spectrum of Risk: Equipment / Point of Sale System

Low
• Cash
• Dial Terminals
• Mobile (Encrypted Reader)
• Wireless Terminals (using cell phone networks)

Moderate
• SSL Terminals
• Website Redirected Payments
• Virtual Terminals

Severe
• Web-based Applications
• Wi-Fi Terminals
• WEP/WPA Encrypted Wireless Networks (must be WPA2)
• Any system storing Card Holder Data (prohibited by PCI)
• Manual Imprinters
In the future…
• EMV (Europay, Visa, MasterCard): October 2015
• P2PE (Point-to-Point Encryption)

Questions?