compliance with the pci dss
play

Compliance With The PCI DSS Property of CampusGuard Todays Agenda - PowerPoint PPT Presentation

May 02, 2023 •145 likes •465 views

Compliance With The PCI DSS Property of CampusGuard Todays Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A Property of CampusGuard CampusGuard

  1. Compliance With The PCI DSS Property of CampusGuard

  2. Today’s Agenda  PCI DSS Introduction  How are Colleges and Universities Affected?  How Do You Validate Compliance?  Best Practices  Q&A Property of CampusGuard

  3. CampusGuard  Full-Service QSA/ASV Firm  We Know Security  Focused Solely on Higher Education Property of CampusGuard

  4. The Target Breach  40 million customers  Insider ?  POS was the vector  Lessons for all… Property of CampusGuard

  5. PCI… MERCHANTS & SOFTWARE MANUFACTURERS PROCESSORS DEVELOPERS PCI Security PCI PTS PCI DSS & Compliance PCI PA-DSS PIN Transaction Payment Application Data Security Security Vendors Standard Ecosystem of payment devices, applications, infrastructure and users Property of CampusGuard

  6. PCI Relationships Responsible for managing the Responsible for enforcing and PCI DSS and certifying QSAs monitoring merchant compliance and ASVs with the PCI DSS CREDIT CARD SECURITY Bank Merchant Communicates and educates Responsible for safeguarding merchants on PCI DSS and credit card data and complying reports compliance status to with the PCI DSS Card Associations Property of CampusGuard

  7. Penalties can be Huge  In the event of a breach the bank can make the merchant responsible for:  Fines from card associations  Up to $500,000  + Cost to notify victims  + Cost to replace cards  + Cost for any fraudulent transactions  + Forensics  + Level 1 certification Bad Publicity – Priceless! Property of CampusGuard

  8. How Much Time Left?  You are assumed to be compliant NOW!  Banks will be requiring your validation SOON! Property of CampusGuard

  9. Higher Ed Is Vulnerable Past 3 Years Government Higher Education Healthcare 6% 8% 33% Financial Services 14% 17% 22% Other Retailers Source: Privacy Rights Clearinghouse Property of CampusGuard

  10. Colleges and Universities are like Cities… Property of CampusGuard

  11. A Campus Is A “City" Challenges for PCI Compliance:  Open networks and systems  Scope conversations complex  Overloaded staff  Fiscal constraints Property of CampusGuard

  12. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop Property of CampusGuard

  13. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop Property of CampusGuard

  14. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop Property of CampusGuard

  15. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop Property of CampusGuard

  16. PCI DSS: 6 Goals, 12 Requirements Control Objective Requirements 1. Install and maintain a firewall configuration to protect data 1. Build and maintain a secure 2. Change vendor-supplied defaults for system passwords and other network security parameters 3. Protect stored data 4. Encrypt transmission of cardholder magnetic-stripe data and 2. Protect cardholder data sensitive information across public networks 5. Use and regularly update antivirus software 3. Maintain a vulnerability 6. Develop and maintain secure systems and applications management program 7. Restrict access to data to a need-to-know basis 8. Assign a unique ID to each person with computer access 4. Implement strong access 9. Restrict physical access to cardholder data control measures 10. Track and monitor all access to network resources and 5. Regularly monitor and test cardholder data networks 11. Regularly test security systems and processes 6. Maintain an information 12. Maintain a policy that addresses information security security policy Property of CampusGuard

  17. Merchant Levels Level 1 > 6 million Visa/MC txns/yr > 2.5 million transactions/yr 2 1 to 6 million Visa/MC txns/yr 50,000 to 2.5 million txns/yr 20,000 to 1 million Visa/MC 3 All other Amex Merchants ecommerce txns/yr Most Colleges and Universities 4 All other Visa/MC merchants N/A Property of CampusGuard

  18. Validation Requirements Level • Annual on-site assessment (QSA) • Annual on-site assessment (QSA) 1 • Quarterly network scan (ASV) • Quarterly network scan (ASV) • Annual penetration test (ASV) • Annual penetration test (ASV) • Annual on-site assessment (QSA) • Quarterly network scan (ASV) 2 • Quarterly network scan (ASV) • Annual penetration test (ASV) • Annual penetration test (ASV) • Annual Self-Assessment • Quarterly network scan (ASV) Questionnaire (SAQ) • Annual penetration test (ASV) 3 • Quarterly network scan (ASV) • Annual penetration test (ASV) • At discretion of acquirer  N/A • Annual SAQ 4 • Quarterly network scan (ASV) • Annual penetration test (ASV) Property of CampusGuard

  19. Self-Assessment Questionnaires Card-Not Imprint Only, No Standalone Dial Payment All other Present, All Cardholder Data Out Terminal, No Application methods Cardholder Data Storage Cardholder Data Systems Functions Storage Connected to Outsourced the Internet SAQ A SAQ B SAQ B SAQ C / VT SAQ D (11 questions) (29 questions) (29 questions) (80/51 questions) (286 questions) 11 286 Move as far to the left as possible! Property of CampusGuard

  20. Can I assess myself?  Short answer: Maybe (but you probably don’t want to)  Long answer: You can assess yourself, provided:  You follow audit procedures  Your acquirer agrees  An approved officer (think President or CFO) signs on the “dotted line” (attesting to the veracity of the results)  You’re absolutely sure you’re going to do it right Property of CampusGuard

  21. What’s in PCI Scope? Office Workstations? Card Swipe Machine? Student in dorm? Shopping Cart? Computer Lab? Phone Transaction? Property of CampusGuard

  22. PCI DSS Assessment Your Campus Service Provider ? PCI DSS PA-DSS Level 1 Internet Payment Application PCI DSS SAQ ? A/B/C/D? Property of CampusGuard

  23. Case Study: The commercial software was PA-DSS certified, but 1 – Firewall configuration 7 – Access to system components and cardholder data 8 – Assign unique ID to each person with computer access 9 – Restrict physical access 11 – Regularly test security systems and processes 12 – Maintain a policy that addresses information security Property of CampusGuard

  24. Managing Compliance Property of CampusGuard

  25. Compliance Finish Line! ? Property of CampusGuard

  26. PCI Compliance Discovery and Remediation Validation Assessment • Payments Analysis • Correct Problems • ROC or SAQ • Quarterly Scanning • Merchant Discovery • Compensating • Penetration Testing Submission • Documentation Controls • Preliminary Scanning Re-Valida Re alidate te • Gap Analysis ever ery y 12 12 mos mos Property of CampusGuard

  27. Awareness Training • PCI DSS • General Info Security • Red Flags • Identity Theft • HIPAA • Clery Act • FERPA • Title IX • GLBA Property of CampusGuard

  28. Online Training: PCI DSS Topics An overview of PCI DSS  PCI DSS objectives and  requirements Costs of non-compliance  Sensitive Authentication Data  Hard-copy storage  Protecting cardholder information  Payment card transactions  Remote access  Good work practices  Security incidents  Restricted computer access  Restricted physical access  Tracking and monitoring  Social engineering  Property of CampusGuard

  29. Online Training: Administration Property of CampusGuard

  30. Closing Thoughts  PCI is a journey  PCI requires partnerships  Requires perseverance  Keep the faith Property of CampusGuard

  31. Ron King, CampusGuard rking@campusguard.com (972) 964-8884 Property of CampusGuard

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right Time ASQ Meeting, 14 August 2012, Santa Ana, CA Dr. Raymond W. Brullo, DPM Compliance Officer , FDA Los Angeles District Office, Irvine, CA Doctor

516 views • 40 slides
Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and

Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and

Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and compliance programs Common compliance issues know your risk areas! Guidance for drafting or updating your compliance plan Elements of

1.16k views • 50 slides
OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and Compliance Committee President Kimberly Fearney Associate Vice President & Chief Compliance Officer Liz Vitullo Executive Assistant Omar

127 views • 8 slides
Education Governance & Compliance Committee April 6, 2018 What is Compliance?

Education Governance & Compliance Committee April 6, 2018 What is Compliance?

Compliance in Higher Education Governance & Compliance Committee April 6, 2018 What is Compliance? Conformity in fulfilling official requirements * Certification or confirmation that the doer of an actionmeets the

506 views • 14 slides
COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS

COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS

COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS PREPARED FOR: RAND CENTER FOR CORPORATE ETHICS AND GOVERNANCE ADVISORY BOARD PANEL : DONNA BOEHME PRINCIPAL, COMPLIANCE STRATEGISTS LLC MICHAEL

526 views • 13 slides
Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate

Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate

Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate compliance programs are designed to prevent and detect violations of the law. Compliance programs make good business sense because they: reduce the

144 views • 12 slides
Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop

Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop

Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop Question 1 Q 1. When is the best time to carry out a daily vehicle check? [ a ] During a break [ b ] When the engine is running [ c ] Upon taking the

1.11k views • 69 slides
Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in Indonesia through the Labour Inspection System Nancy Leppink Chief Labour Administration/Labour Inspection/ Occupational Safety and Health

605 views • 28 slides
COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O

COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O

COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O M P L I A N C E U.S. Federal Sentencing Guidelines The compliance programs objective is to establish and promote standards that meet these seven

394 views • 4 slides
Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance

Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance

Bank Secrecy Act Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance Consultant with CliftonLarsonAllen LLP for more than six years Has provided regulatory compliance assistance, including

605 views • 41 slides
Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services

Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services

NCUL Compliance Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services Meet the Presenter As Compliance Manager, Jeremy Smith oversees compliance services for PolicyWorks' partner Credit Union

2.25k views • 157 slides
Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan One of the core requirements from the Compliance Resource Group (CRG) was that Compliance should develop a 3-5 year strategic plan to model the

793 views • 13 slides
Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP

Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP

Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP - Agents have access to the Aperia Client Management Portal Experience - Get your user credentials! - Support/Compliance Center/Help Desk/QSA

66 views • 6 slides
Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies

Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies

Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies procedures and standards of conduct) 2. Dedicated compliance specialist & committee 3. Conducting training and education 4. Developing open lines

154 views • 11 slides
Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND

Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND

CYPRUS FIDUCIARY ASSOCIATION Induction Course in Administrative Services Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND COMPLIANCE CONTENT The content of the Compliance session will include

594 views • 48 slides
Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James

Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James

Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James P.C . I F YOU THINK COMPLIANCE IS EXPENSIVE TRY NON - COMPLIANCE Former U.S. Deputy Attorney General Paul McNutty COMPLIANCE COMPLIANCE

528 views • 17 slides
Ellucian eTranscripts Overview Suzanne McCool May 22, 2014 Ellucian eTranscripts No cost ,

Ellucian eTranscripts Overview Suzanne McCool May 22, 2014 Ellucian eTranscripts No cost ,

Ellucian eTranscripts Overview Suzanne McCool May 22, 2014 Ellucian eTranscripts No cost , seamless , Ellucian Strategic Partner electronic transcript processing and delivery system that enables secure, real-time electronic authentication,

1.11k views • 21 slides
MONTEREY 250 J U N E 3 , 1 7 7 0 - 2 0 2 0 M O N T E R E Y 2 5 0 . O R G VIDEO HTTPS :// YOUTU .

MONTEREY 250 J U N E 3 , 1 7 7 0 - 2 0 2 0 M O N T E R E Y 2 5 0 . O R G VIDEO HTTPS :// YOUTU .

C E L E B R A T I N G MONTEREY 250 J U N E 3 , 1 7 7 0 - 2 0 2 0 M O N T E R E Y 2 5 0 . O R G VIDEO HTTPS :// YOUTU . BE / VAYKQHOF8NK MONTEREY 250 : BOLD PAST GOLDEN FUTURE A commemoration of all things Monterey . Events such as a

322 views • 19 slides
SPARK G N I T E R R A M E V I T A E C u s t o m L o g o P r o j e c t Introduction

SPARK G N I T E R R A M E V I T A E C u s t o m L o g o P r o j e c t Introduction

C K PROPOSAL SPARK G N I T E R R A M E V I T A E C u s t o m L o g o P r o j e c t Introduction We are excited to quote on your logo design project and believe that Spark is a perfect fit for your needs. Concept Presentation

554 views • 30 slides
ELECTRONIC PERSONNEL ACTION FORM (EPAF) Faculty EPAF Process Elizabeth Moll, Academic Affairs

ELECTRONIC PERSONNEL ACTION FORM (EPAF) Faculty EPAF Process Elizabeth Moll, Academic Affairs

ELECTRONIC PERSONNEL ACTION FORM (EPAF) Faculty EPAF Process Elizabeth Moll, Academic Affairs Sarah Ekis, Human Resources Agenda Why is this training important? Learning objectives What is an EPAF? Who creates an EPAF? Why

762 views • 65 slides
Student Employment Overview HR Partners May 2018 Students vs. GEs Student Employees

Student Employment Overview HR Partners May 2018 Students vs. GEs Student Employees

Student Employment Overview HR Partners May 2018 Students vs. GEs Student Employees Typically work open to any undergraduate, can have skill or experience limitations based on position Governed by UO Student Employment Policies and

1.01k views • 31 slides
Entry What is it? and How do I do it? Web Departmental Time Entry Todays Topics 1. What is

Entry What is it? and How do I do it? Web Departmental Time Entry Todays Topics 1. What is

Web Departmental Time Entry What is it? and How do I do it? Web Departmental Time Entry Todays Topics 1. What is it? 2. How do I do it? What is it? WDTE Web Departmental Time Entry Electronic submittal of departments hours

574 views • 33 slides
Banner Architecture Renewal Banner in the Cloud June 2016 Tim Olesen/Bob Cutler Project

Banner Architecture Renewal Banner in the Cloud June 2016 Tim Olesen/Bob Cutler Project

Student Affairs Office of Technology Banner Architecture Renewal Banner in the Cloud June 2016 Tim Olesen/Bob Cutler Project Director/Project Manager Student Affairs Office of Technology Why Technology Currency Scalable Performance

296 views • 19 slides
S ponsored P rograms A dministration April 30, 2019 ovpr.uconn.edu ovpr.uchc.edu Agenda

S ponsored P rograms A dministration April 30, 2019 ovpr.uconn.edu ovpr.uchc.edu Agenda

S ponsored P rograms A dministration April 30, 2019 ovpr.uconn.edu ovpr.uchc.edu Agenda Welcome Year End Dates Redesigned eRAWebsite NIH Funding Strategies Fringe Benefit Rates Salary Cap Updates ovpr.uconn.edu

477 views • 9 slides

More recommend