LRCCD Roadmap to PCI Compliance - theccia.org

LRCCD Roadmap to PCI Compliance - FALL 2018 - CCIA CONFERENCE - EMMIE OESTERMAN, CISA - OCTOBER 4, 2018

Page 1:

LRCCD Roadmap to PCI Compliance

- FALL 2018 -

CCIA CONFERENCE

EMMIE OESTERMAN, CISA

OCTOBER 4, 2018

Page 2:

CCIA Conference – Fall 2018

Agenda

Gain an understanding of PCI DSS

Who has to comply?

How to comply?

Page 3:

What is the PCI DSS?

PCI DSS = Payment Card Industry Data Security Standard

The result of a collaboration between Visa, MasterCard, American Express, Discover, and JCB to create common industry security requirements.

Provides a baseline of technical and operational requirements designed to protect cardholder data.

Compliance is mandated for all organizations that store, process, or transmit credit card data.

Page 4:

Who Does What?

1. Develops standards – PCI Security Standards Council

2. Establishes compliance requirements – the payment brands (Visa, MasterCard, American Express, Discover, JCB)

3. Enforces requirements on merchants – the acquiring banks

4. Merchant – validates and maintains compliance

Page 5:

Visa – Defined Merchant Levels

Page 6:

PCI Requirements

Page 7:

Annual Self-Assessment Questionnaire (SAQ):

Page 8:

COMPLIANCE IN HIGHER EDUCATION

LRCCD, like all colleges, has unique challenges in maintaining PCI compliance.

Networks are usually wide open – academic freedom

The colleges/departments within LRCCD are not in one central location and vary greatly in their procedures:

Methods of payment card acceptance

Different procedures in place

Methods of fund collection

In person, over the phone, online, via the mail

Page 9:

Why do we need to care?

If one of your payment systems is breached and cardholder data is compromised, and you are found not to be PCI DSS compliant, the following may happen:

Fines of $50,000 to $500,000 per violation

Recurring monthly fines of $5,000 or more

Loss of credit card services for the entire district

Costs to notify and remedy services for impacted cardholders (average $202* each)

Repayment of fraudulent charges that result from the data breach

Required onsite forensic audit (between $8,000 and $20,000*)

Bad publicity

Loss of reputation/trust of staff and students

Required Level 1 merchant certification

*http://www.pcicomplianceguide.org/merchants-20090416-cost-data-breach.php

Page 10:

The Plan - LRCCD

Form a Team

Principal Information Systems Auditor – Project Lead

Network Security Administrator – IT Expert

Gather Information

Survey where/how credit cards are taken

Evaluate risks and what has to be changed

Determine applicable SAQ

Obtain Expert Guidance

Hire QSA consultant – Security Metrics

Become PCI Compliant

Create PCI Network

Create PCI awareness training

Create business process to maintain PCI

Page 11:

What we found in 2010!

Credit cards were stored in our ERP systems.

Credit card processing was connected to our network.

Credit card information was collected on forms and scanned into our databases.

Credit card information was emailed to our Business Services Office.

And so much more…..

Page 12:

IT Security Implemented

Created a PCI Network

Implemented quarterly network scans (vulnerability, rogue access point, etc.)

Implemented logging and change detection (Tripwire file integrity monitoring)

Implemented 2-factor authentication

Adopted security standards (CIS Benchmarks)

And so much more…
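Page 12 lists Tripwire-style logging and change detection without showing what that check actually does. The Python below is an added example, not LRCCD's configuration and not Tripwire's code: it baselines a directory tree (SHA-256 plus permission bits for every regular file), serialises the baseline as you would to ship it off-host, then re-scans and reports added, removed and modified files. The sample tree, its file names and the simulated tampering are constructed in a temporary directory for the demonstration; detecting a permission-only change assumes a POSIX filesystem.

```python
"""Tripwire-style file integrity check: baseline a tree, then detect drift.

Added example: not LRCCD's configuration and not Tripwire's code. The sample
tree, its file names and the simulated tampering are constructed in a
temporary directory; permission-change detection assumes a POSIX filesystem.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List

Baseline = Dict[str, str]  # relative path -> "<sha256>:<octal mode>"


def fingerprint(path: str) -> str:
    """Content hash plus permission bits, so a chmod alone still shows up."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return f"{h.hexdigest()}:{mode:04o}"


def baseline(root: str) -> Baseline:
    """Fingerprint every regular file under root (symlinks are skipped)."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = fingerprint(full)
    return records


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Classify drift between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a sample tree, baseline it, simulate tampering, report drift."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: str, mode: int = 0o644) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(data)
            os.chmod(full, mode)

        # Constructed sample tree (file names and contents are illustrative).
        write("etc/httpd.conf", "Listen 443\nSSLProtocol -all +TLSv1.2\n")
        write("bin/payment-gw", "#!/bin/sh\nexec /opt/gw/run\n", 0o755)
        write("var/www/index.html", "<h1>Pay fees</h1>\n")

        # The baseline must live where the monitored host cannot rewrite it;
        # serialising it is the first step of shipping it off-host.
        snapshot = json.dumps(baseline(root), sort_keys=True)

        # Simulated tampering between two scheduled runs.
        write("etc/httpd.conf", "Listen 443\nSSLProtocol all\n")     # weakened TLS config
        os.chmod(os.path.join(root, "bin/payment-gw"), 0o777)        # looser perms, same content
        write("var/www/cmd.php", "<?php echo 'unexpected'; ?>\n")    # file that should not exist
        os.remove(os.path.join(root, "var/www/index.html"))          # page deleted

        return compare(json.loads(snapshot), baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

The fingerprint deliberately includes the permission bits: the payment gateway script above keeps the same content but is reported as modified because it was made world-writable, which a content-only hash would miss. In production the baseline and the checker itself belong on a host the monitored systems cannot write to, and a run that finds drift in the cardholder data environment should raise an alert, not just a report line.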

Page 13:

Business Process Implemented

LRCCD does not store credit card information electronically

Credit cards will not be processed or transmitted on a non-PCI network

All new credit card processing requests must be reviewed and approved by the Principal Information Systems Auditor and Senior Network Security Analyst.

PCI awareness training

And so much more…..
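The findings on Page 11 (card numbers in ERP tables, scanned forms and mailboxes) and the Page 13 rule that LRCCD stores no card data electronically both rest on the same question: where do primary account numbers actually sit? The Python below is an added example, not a tool LRCCD used and not the QSA's scanner: it finds candidate PANs in text, discards the ones that fail the Luhn check, attributes the rest to the five brands named on Page 3 by issuer prefix, and reports them masked to the first six and last four digits, the most PCI DSS permits on a display. The three sample "files" and every number in them are constructed; the card numbers are well-known public test values or deliberately invalid decoys, never real accounts, and the issuer-prefix patterns are deliberately coarse.

```python
"""PAN discovery sweep: find stored card numbers and report them masked.

Added example, not from the LRCCD deck. The regexes, the Luhn check and the
sample sources are the editor's own construction; all card numbers are
public test values or deliberately invalid decoys, never real accounts.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Coarse issuer-prefix rules for the brands behind PCI DSS (Page 3). Good
# enough for triage; not an authoritative BIN table (assumption).
BRAND_RULES = (
    ("Visa", re.compile(r"^4[0-9]{12}(?:[0-9]{3}){0,2}$")),
    ("MasterCard", re.compile(
        r"^(?:5[1-5][0-9]{14}"
        r"|2(?:22[1-9]|2[3-9][0-9]|[3-6][0-9]{2}|7[01][0-9]|720)[0-9]{12})$")),
    ("American Express", re.compile(r"^3[47][0-9]{13}$")),
    ("Discover", re.compile(r"^6(?:011|5[0-9]{2})[0-9]{12}$")),
    ("JCB", re.compile(r"^35(?:2[89]|[3-8][0-9])[0-9]{12}$")),
)


class Finding(NamedTuple):
    source: str
    line_no: int
    brand: str
    masked: str  # first six and last four only: the most PCI DSS lets you display


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out typos and most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    return next((name for name, rx in BRAND_RULES if rx.match(digits)), None)


def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Report every Luhn-valid, brand-attributable PAN in text, masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue                    # mistyped number: noise, not card data
            brand = brand_of(digits)
            if brand is None:
                continue                    # Luhn-valid but no issuer prefix: an ID, not a PAN
            findings.append(Finding(source, line_no, brand, mask(digits)))
    return findings


def sweep(sources: Dict[str, str]) -> List[Finding]:
    return [f for name, text in sources.items() for f in scan_text(name, text)]


# Constructed sample sources mirroring the kinds of places card data turned up:
# an ERP export, OCR text from a scanned form, and a forwarded e-mail.
SAMPLE_SOURCES = {
    "erp_export.csv": (
        "student_id,name,card_number,amount\n"
        "100234,Doe,4111111111111111,45.00\n"
        "100235,Roe,5555 5555 5555 4444,120.00\n"
        "100236,Poe,4111111111111112,10.00\n"        # fails Luhn: not a PAN
    ),
    "scanned_form.txt": (
        "Parking permit application\n"
        "Card: 3782-822463-10005  Exp: 09/19\n"
        "Phone: 916-555-0123 ext 1234\n"
    ),
    "forwarded_email.eml": (
        "Subject: FW: payment for transcript\n"
        "Please charge 6011111111111117 for the fee.\n"
        "Tracking ref 1234567812345670\n"             # Luhn-valid, no issuer prefix
    ),
}

if __name__ == "__main__":
    for f in sweep(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no}: {f.brand} {f.masked}")
```

Two filters matter here. The Luhn check drops the mistyped number in the ERP export, and the issuer-prefix rule drops the tracking reference in the e-mail even though it happens to pass Luhn; either filter alone floods a sweep of a district's file shares with false positives. The scanner never prints a full PAN, so its own output does not become one more place card data is stored.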

Page 14:

Compliant!

Page 15:

And here we go again…..