PCI Compliance The Gateway to Paradise Agenda I

  • Slides: 16
Download presentation
PCI Compliance: The Gateway to Paradise

PCI Compliance: The Gateway to Paradise

Agenda I. Background II. What is PCI-DSS? III. Who must comply? IV. Cost of

Agenda I. Background II. What is PCI-DSS? III. Who must comply? IV. Cost of non-compliance V. Digital Dozen VI. Higher Education Challenges VII. Centralize Compliance

Background ? ? ? Cardholder Information Security Program (CISP) Site Data Protection Program (SDP)

Background ? ? ? Cardholder Information Security Program (CISP) Site Data Protection Program (SDP) Confused Merchants Discover Information Security Compliance (DISC) Data Security Standard (DSS)

What is PCC-DSS? • Payment Card Industry Data Security Standard (PCI-DSS) • Card Associations

What is PCC-DSS? • Payment Card Industry Data Security Standard (PCI-DSS) • Card Associations founded an LLC https: //www. pcisecuritystandards. org • One program now • Mission: Enhance payment account data security by fostering a broad adoption of PCI-DSS

What is PCC-DSS? Policy decisions made by Executive Committee Participating organizations provide feedback on

What is PCC-DSS? Policy decisions made by Executive Committee Participating organizations provide feedback on evolution of PCI

Who Must Comply? “Payment Card Industry (PCI) Data security requirements apply to all Members,

Who Must Comply? “Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. ” *Payment Card Industry Data Security Standard

Who Must Comply? Merchant Compliance 1 Any merchant-regardless of acceptance channel-processing over 6, 000

Who Must Comply? Merchant Compliance 1 Any merchant-regardless of acceptance channel-processing over 6, 000 transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant-regardless of acceptance channel-processing 1, 000 to 6, 000 transactions per year. 3 Any merchant processing 20, 000 to 1, 000 e-commerce transactions per year. 4 Any merchant processing fewer than 20, 000 e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1, 000 Visa transactions per year.

Cost of Non-Compliance In the event of the a breach the acquirer CAN make

Cost of Non-Compliance In the event of the a breach the acquirer CAN make the merchant responsible for: • Any fines from PCI-Co • Up to $500, 000 per incident • Cost to notify victims • Cost to replace cards (about $10/card) • Cost for any fraudulent transactions • Forensics from a QDSC • Level 1 certification from a QDSC

Cost of Non-Compliance • Example: 50, 000 credit cards stolen – PCI Penalty -

Cost of Non-Compliance • Example: 50, 000 credit cards stolen – PCI Penalty - $100, 000 per incident • $500, 000 if you do not have a selfassessment – Card Replacement - $500, 000 – Fraudulent Transaction – $61, 750, 000 • $1, 235 - 2004 average fraudulent transaction – Bad Publicity – Priceless!

Digital Dozen Build and Maritain a Secure Network • Install and maintain a firewall

Digital Dozen Build and Maritain a Secure Network • Install and maintain a firewall configuration to protect cardholder data • Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data • Protect stored cardholder data • Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program • Use and regularly update anti-virus software • Develop and maintain secure systems and applications Implement Strong Access Control Measures • Restrict access to cardholder data by business need-to-know • Assign a unique ID to each person with computer access • Restrict physical access to cardholder data Regularly Monitor and Test Networks • Track and monitor all access to network resources and cardholder data • Regularly test security systems and processes Maintain an Information Security Policy • Maintain a policy that addresses information security

Higher Education Challenge • Higher education networks comprise an estimated 15% of the total

Higher Education Challenge • Higher education networks comprise an estimated 15% of the total advertised Internet address space* • Extremely “open” by tradition and culture • Highly connected networks to commercial internet, regional, national, and international research networks • Communities range from 1, 000 to 200, 000 people • Thousands of networked devices • Departments control local technology and act independently • Understaffed IT department * University of Indiana

Centralize Compliance • Get executive buy-in • Define a commerce committee – IT –

Centralize Compliance • Get executive buy-in • Define a commerce committee – IT – Security – Internal Audit – Treasury – CFO

Centralize Compliance Define and publish credit card handling policy • Acceptable payment channels •

Centralize Compliance Define and publish credit card handling policy • Acceptable payment channels • Handling of PII (Personally Identifiable Information) • Requesting merchant IDs • Applicability to University employees, work study… • Background and credit checks for employees handling credit cards • Training and acknowledgement • Use of vendors

Centralize Compliance • Gap analysis – Review all existing merchants and their procedures –

Centralize Compliance • Gap analysis – Review all existing merchants and their procedures – Identify “urgent improvements” – Operational remediation plan – Technical remediation plan • Compliance maintenance – Rules will change – Systems will change

Centralize Compliance Consider outsourcing • Get as many credit card numbers off campus as

Centralize Compliance Consider outsourcing • Get as many credit card numbers off campus as possible • Use a service provider to process credit card transactions • Approved scanning vendors • Approved hosting centers

Questions? David R. King President Nelnet Business Solutions dking@infinet-inc. com

Questions? David R. King President Nelnet Business Solutions dking@infinet-inc. com

PCI Tutorial Agenda PCI Fundamentals w PCI LocalPCI Tutorial Agenda PCI Fundamentals w PCI Local
PCIPeripheral Component Interconnect n PCI AGP PCI PCIPCIPeripheral Component Interconnect n PCI AGP PCI PCI
Facilitated PCI rescue PCI Dolly mathew Primary PCIFacilitated PCI rescue PCI Dolly mathew Primary PCI
PCI Boot Camp Presented by the PCI CompliancePCI Boot Camp Presented by the PCI Compliance
PCI Compliance Roundtable Update Presented by the PCIPCI Compliance Roundtable Update Presented by the PCI
GATEWAY i INTERFEJS GATEWAY Gateway mreni prolaz jeGATEWAY i INTERFEJS GATEWAY Gateway mreni prolaz je
PCI COMPLIANCE Compliance is mandatory for all organizationsPCI COMPLIANCE Compliance is mandatory for all organizations
Data Compliance Gateway SDF Gateway Public Access SiteData Compliance Gateway SDF Gateway Public Access Site
Paradise Lost Satan Sin and Death Paradise LostParadise Lost Satan Sin and Death Paradise Lost
ITCS 6010 VUI Evaluation Paradise SUM PARADISE ParadigmITCS 6010 VUI Evaluation Paradise SUM PARADISE Paradigm
Paradise Lost John Milton Paradise Lost Milton tookParadise Lost John Milton Paradise Lost Milton took
Paradise Lost John Milton Paradise Lost Standard conventionsParadise Lost John Milton Paradise Lost Standard conventions
Paradise Hotel 2011 Seersuksessen Paradise Hotel lever videreParadise Hotel 2011 Seersuksessen Paradise Hotel lever videre
Evia Paradise Resort Evia Paradise Resort International InvestmentEvia Paradise Resort Evia Paradise Resort International Investment
Pavlovian Paradise by Lexi Balam Pavlovian Paradise ThisPavlovian Paradise by Lexi Balam Pavlovian Paradise This