Transcript of Northern KY University Merchant Training
- Slide 1
- Northern KY University Merchant Training
- Slide 2
- Discussion Topics
  - What is PCI-DSS?
  - Credit Card Processing
  - Two specific facets (Technical & Functional)
  - Penalties for non-compliance
  - Risks
  - Plan of Action
- Slide 3
- What is PCI-DSS?
  - Payment Card Industry Data Security Standard (DSS), initially created by Visa and MasterCard (officially in 2006); it now also includes Discover, Amex and JCB.
  - All credit card companies in the U.S. have endorsed the Standard.
  - PCI-DSS was created so that there would be common industry security requirements.
- Slide 4
- Purpose
  - Mandated by the credit card companies: if you accept our credit card(s), you must follow these rules.
  - Protect customers against fraud and identity theft.
  - Avoid breaches and fraud resulting in lost revenue.
- Slide 5
- What PCI is NOT
  - PCI is NOT something we can ignore.
  - PCI is NOT a project -- it is an ongoing program.
  - It is NOT a silver bullet.
  - It is NOT an option -- if we accept credit cards as a source of payment, we must comply.
  - It is not static.
- Slide 6
- Twelve Requirements
  - There are twelve seemingly simple requirements; however, they break down into approximately 230 sub-requirements, depending on the Merchant Level and the SAQ you are required to complete.
- Slide 7
- PCI DSS Requirements
  - Goal: Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  - Goal: Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
  - Goal: Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications
  - Goal: Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need to know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
  - Goal: Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
  - Goal: Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for all personnel
- Slide 8
- SAQs: Attestations of Compliance are included as part of each SAQ.
  - SAQ A: Card-not-present merchants, all cardholder data functions outsourced
  - SAQ B: Merchants with only imprint machines or only standalone, dial-out terminals; no electronic cardholder data storage
  - SAQ C-VT: Merchants with web-based virtual terminals; no electronic cardholder data storage
  - SAQ C: Merchants with payment application systems connected to the Internet; no electronic cardholder data storage
  - SAQ D: All other merchants, and all service providers defined by a payment brand as eligible to complete an SAQ
- Slide 9
- Scope: any network component, server, or application that is included in or connected to the cardholder data environment.
- Slide 10
- Scope
  - Map network(s) and cardholder data flow
  - Use an automated tool to find your data
  - Interview each campus merchant
  - Understand business and data needs
  - Determine actual business processes
  - Identify third-party service providers
  - Get details on all payment applications (logs, traces); vendors can be frustrating
- Slide 11
- Penalties
  - Fines up to $500,000 from each credit card company, plus $197 per account holder
  - Forensic investigation by a QSA (Qualified Security Assessor) begins at $10,000
  - Increased auditing requirements
  - Negative public relations
  - Losing the ability to process credit card transactions completely
  - Websites: www.privacyrights.org/ and www.pcisecuritystandards.org/
- Slide 12
- College & University Breaches
  - University breaches have increased exponentially since 2005
  - Open, vulnerable networks
  - Numerous merchants across campuses
  - Payment processes spread over a large geographical area
- Slide 13
- Security Breaches
  - Approximately 600,000,000 records breached since 2005. The running total represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.
  - Since 2010 there have been 88 breaches (mostly universities, a few high schools).
  - 98% of hacking successes are the result of default passwords being left in place. Always change default passwords.
- Slide 14
- Universities Are At Risk
  - Network penetration, server hacking, SQL injection
  - Stolen laptop computers and desktop computers
  - Unlocked offices/desks
  - Unsecured USB portable drives, CDs and DVDs containing sensitive information, particularly PANs (primary account numbers), SSNs, names, addresses and birthdates
- Slide 15
- (no text on this slide)
- Slide 16
- Credit Card Processing
- Slide 17
- Dial-Up Terminal (flow diagram; only its labels survive): parties shown are Merchant, Processor, Card Owner's Bank (Issued Card), Merchant's Bank and Interchange; flows labelled Authorization Request, Authorization Confirmation and Settlement ($); fee labels: Discount Fees, Service Fees, ACH Fees, Banking Fees.
- Slide 18
- SSL Terminal (flow diagram; only its labels survive): parties shown are Merchant, Processor, Card Owner's Bank (Issued Card), Merchant's Bank and Interchange; flows labelled Authorization Request, Authorization Confirmation and Settlement ($).
- Slide 19
- Internet Processing (flow diagram; only its labels survive): parties shown are Gateway, Processor, Card Owner's Bank (Issued Card), Merchant's Bank and Interchange; flows labelled Authorization Request, Authorization Confirmation and Settlement ($).
- Slide 20
- Mobile Processing (flow diagram; only its labels survive): parties shown are Cellular Network, Processor, Card Owner's Bank (Issued Card), Merchant's Bank and Interchange; flows labelled Authorization Request, Authorization Confirmation and Settlement ($).
- Slide 21
- Cost Comparison (table columns: Mobile Pay, Website, Omni VX570, Notes)
  - One-time fees: $75 for Encrypted Card Reader (additional readers $65); $150 Initial Setup Fee (PNC); $600 for terminal purchase (Dual Comm)
  - Monthly fees: $12 Monthly Access Fee; $15 Monthly Fee. Note: these fees are applied whether you process during the month or not.
  - $0.10 per transaction. Note: so if you run 10 transactions, that will cost you $1.
  - .06% Discount Fee. Note: this is applied to your gross $ processed.
  - $99 setup fee and $50 per month for the Authorize.Net secure gateway or other PCI DSS/PA DSS compliant application. Authorize.Net Secure Gateway is preferred by NKU and PNC Merchant Services.
- Slide 22
- Spectrum of Risk: Equipment/Point of Sale System, rated from Low through Moderate to Severe. Items in the order shown on the slide:
  - Cash
  - Dial Terminals
  - Mobile (Encrypted Reader)
  - Wireless Terminals (using cell phone networks)
  - SSL Terminals
  - Website Redirected Payments
  - Virtual Terminals
  - Web-based Applications
  - Wi-Fi Terminals
  - WEP/WPA Encrypted Wireless Networks (must be WPA2)
  - Any system storing Card Holder Data (prohibited by PCI)
  - Manual Imprinters
- Slide 23
- In the future
  - EMV (Europay, MasterCard, Visa), October 2015
  - P2PE (Point-to-Point Encryption)
- Slide 24
- Questions?