PCI 3.0 Boot Camp - Treasury management
PCI 3.2 Annual 2018 Training
PCI 3.2 Training - 2018 1
Agenda
• PCI Overview
• What’s New in Harvard’s Program
• What’s New in PCI DSS 3.2
• SAQ Review
• Questions
PCI Compliance Reset
Self Assessment Questionnaire
• Start early
• Complete accurately
• Cash Management - central POC
• Use IT Support and Vendors
• Use HUIT Sec/NOC/SOC/EndPoint Support
• Answer N/A or No with compensating controls
• Keep supporting documentation on file
Answering the SAQ
• Yes
– The expected testing has been performed, and all elements of the requirement have been met as stated.
Answering the SAQ
• Yes with CCW (Compensating Control Worksheet)
– The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
– All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.
– Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
How to Answer an SAQ
• No – Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
• N/A (Not Applicable) – The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.)
– All responses in this column require a supporting explanation in Appendix C of the SAQ.
PCI Compliance Reset
• Documented local Business Policies
– Document current business processes
– Updated/reviewed annually
– Comply with latest PCI standards
– Annual PCI Awareness Training for all staff
• Hr.harvard.edu training portal (type “pci…” in search bar and link will appear)
PCI Compliance Reset
• Vendor Service Agreements
– Document which PCI DSS requirements are managed by each service provider, and which are managed by merchant.
– Do not engage in online service agreements.
– PCI Rider is required.
– Vendor Risk Assessment if collecting Level 4 data
– Procurement Office should negotiate agreement.
New Scanning Requirements
• Submit Document
– Network Diagrams and Data Flow Diagram of CDE must be submitted to Cash Management
• Internal Scans
– Internal Vulnerability Scans or Applications must be done if required
• External Scans
– Only required for hosting vendors not listed on Visa’s Registry of Approved Vendors
– Must be run on a monthly basis
– Must be run after any significant change in the network
What’s New in Harvard’s Program
TouchNet UStores
• Flexible, PCI-compliant eCommerce portal/website
• Created for non-student account payments
• Ability to brand store
• ERP integration to G/L
• Online stores
• Payment pages
• Mobile
• Robust reporting for merchant
• Enhanced detailed reporting across merchants for school administrators
TouchNet uPay
• Secure interfaces for third-party applications (Technolutions, AudienceView, Cvent, Certain, Salesforce interface…)
• ERP integration to G/L
• Robust reporting for merchant
• Enhanced detailed reporting across merchants for school administrators
New Scanning Requirement
• Need Scanning
– Technolutions
– Hobsons
– Harvard-hosted
• No Scanning
– Cvent
– Certain
– AudienceView
– Rackspace
– AWS
– Salesforce
– TouchNet
– Tessitura
– T2
SSL/Early TLS
Requirement 2.2.3
• Implement additional security features for any required services, protocols, or daemons that are considered to be insecure
Requirement 2.3
• Encrypt all non-console administrative access using strong cryptography.
Requirement 4.1
• Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
SAQ Review
SAQ Review
When to use SAQ A vs SAQ A-EP
SAQ A
• All processing of cardholder data is entirely outsourced to a PCI DSS validated 3rd-party Service Provider
SAQ A-EP
• All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated 3rd-party payment processor
Examples of SAQ A Merchant
SAQ A
• Merchant has no access to their website, and website is entirely hosted and managed by compliant 3rd-party payment processor OR
• Merchant website provides an iFrame or URL link to PCI DSS compliant 3rd-party payment processor.
SAQ A-EP
• Merchant website creates the payment form, and Direct Post (SOAP) to payment processor
• Merchant website loads or delivers script that runs in consumers’ browser (eg. JavaScript) and provides functionality that supports creation
Network Penetration Tests
An annual penetration test is required for all merchants who meet any of the following criteria:
• Merchants accept CC’s on devices that transmit over Harvard’s network
• Merchants store CC #’s on a back-end server
• Some element of the payment page originates on the merchant website
• The local unit is responsible for the cost of the penetration test ($7500-$10,000)
• Merchants are responsible for correcting any identified deficiencies during test
• Annual Requirement
Mitigate Penetration Testing
• Implement P2PE for SAQ A-EP, SAQ C and C-VT
– Vendor must be listed on PCI SSC website
– Removes CHD from merchant environment
– Reduces PCI Compliance Scope
– Abbreviated SAQ (SAQ C/C-VT to SAQ P2PE)
• Approximately 18 questions
Validating P2PE
• Solution Vendor must be listed with PCI SSC
• Remove all card data regardless of encryption format in current environment
• Vendor Implementation Guide should be on file at Cash Management
• Test VLAN between merchant and vendor
• Validate CDE does not enter merchant environment
SAQ Requirements
SAQ A Requirements
#2
• Changing vendor defaults and removing unnecessary default accounts
#8
• Uniquely identifying and authenticating users, requiring strong passwords, deactivating terminated user accounts
#12
• Requiring Merchants to have an incident response plan
SAQ C Requirements
#6
• Applying or updating PCI DSS requirements when significant changes are made to in-scope networks or systems
#8
• More robust user identification and authentication management, expansion of existing multi-factor authentication to include non-console administrator access
#9
• Basic measures for physical security including use of entry controls appropriate to protect facilities and systems in the cardholder data environment, monitoring of individual physical access to and from sensitive areas using access control mechanisms
#11
• Segmentation testing penetration testing to be performed by a suitably qualified person
SAQ C-VT Requirements
#8
• More robust user identification and authentication management, expansion of existing multi-factor authentication to include non-console administrator access
#9
• Basic measures for physical security including use of entry controls appropriate to protect facilities and systems in the cardholder data environment, monitoring of individual physical access to and from sensitive areas using access control mechanisms
#11
• Segmentation testing penetration testing to be performed by a suitably qualified person
SAQ P2PE Requirements
#3
• Is the PAN masked when displayed
#4
• Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies
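The two P2PE questions above map onto two checks a merchant can automate rather than answer by policy alone: masking a PAN before it is displayed (PCI DSS 3.2 Requirement 3.3 allows at most the first six and last four digits to be shown), and screening outbound end-user messages (email, chat, ticket text) for unprotected PANs before they leave. The example below is added here and is not part of the training deck or any Harvard or PCI SSC tool; the function names, the regular expression and the sample message are my own, the order number in the sample is constructed, and the card number is the publicly known Visa test number, not a real account.

```python
import re

# Candidate PAN in free text: 13 to 19 digits, optionally separated by a
# single space or hyphen, and not embedded in a longer digit run.
# (Constructed for this example; extend the separator set for your sources.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, used to drop order numbers and other digit runs
    that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, mask_char: str = "*") -> str:
    """Display form of a PAN: at most the first six and last four digits are
    shown, which is the maximum PCI DSS 3.2 Requirement 3.3 permits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + mask_char * (len(digits) - 10) + digits[-4:]


def find_unprotected_pans(text: str) -> list:
    """Return every Luhn-valid, PAN-length digit run found in the text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(m.group())
    return hits


def redact_message(text: str) -> str:
    """Replace each unprotected PAN with its masked display form, leaving
    Luhn-invalid digit runs (order numbers, phone numbers) untouched."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample: a 16-digit order number that is not a card number,
# plus the public Visa test number 4111 1111 1111 1111 (not a real account).
SAMPLE_MESSAGE = (
    "Order 1234567890123456 paid with card 4111 1111 1111 1111, exp 12/25"
)

if __name__ == "__main__":
    print(find_unprotected_pans(SAMPLE_MESSAGE))
    print(redact_message(SAMPLE_MESSAGE))
```

The Luhn filter is what keeps a screen like this usable: a bare "13 to 19 digits" rule flags order numbers and phone numbers with extensions, while a Luhn-valid run of card length is worth blocking or quarantining. Masking to first six and last four is the display ceiling, not a requirement to show that much; a stricter last-four-only display is also compliant.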
Resources
– otm.finance.harvard.edu
– https://www.pcisecuritystandards.org/merchants/index.php
– SAQs
• https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
– Harvard Support/Questions
– Trustwave QSA – Cash Management will arrange teleconference