October, 2019 Duane K. Faber Agenda Introduction What is PCI? - - PowerPoint PPT Presentation



SLIDE 1

October, 2019

Duane K. Faber

SLIDE 2

Agenda

  • Introduction
  • What is PCI?
  • Why is PCI Important?
  • Definitions and Descriptions
  • PCI, SSC, DSS
  • Consumers, Merchants, Acquirers
  • Service Providers
  • PCI Requirements
  • Roles, Responsibilities
  • Best Practices
  • Discussion
SLIDE 3

Agenda

Duane Faber

  • Infrastructure, Information Security Leader for large ($1 billion+) retail companies
  • PCI Level 1 Merchant organization principal, 2008 – 2018
  • Minnesota State
    – System Office – Information Technology Services, Security Team
    – PCI Program Advisor
  • PCI SSC Certified Internal Security Assessor (ISA) - 2019

Valid ISA Name: Duane Faber ISA Certificate #: 805-590 ISA Certified Through: 18 Apr 2020 Company: Minnesota State

SLIDE 4

What is PCI?

Payment Card Industry (PCI)

  • Organizations that accept, process, or develop solutions for credit and debit cards as a form of payment for goods and services.

Security Standards Council (SSC)

  • Founded in 2006 by the five major card brands in response to increased payment card theft and fraud; maintains the policies, controls and development standards for PCI.

Data Security Standard (DSS)

  • Published sets of standards, and the requirements to meet those standards, according to an organization's role:
    – DSS* – Merchants accepting cards for payment
    – PA-DSS – Application Development
    – ASV – Approved Scanning Vendors
    – PFI – PCI Forensic Investigators
    – …and many more…

*Current PCI DSS version 3.2.1 (May, 2018)

SLIDE 5

Why is PCI important?

Financial Impact

– Organizations found not compliant with the PCI DSS can face penalties and other negative impacts.

  • Penalties come from the card brands to the acquirer and are passed on to the merchant (they do not come from the PCI SSC itself)
  • Suspension of payment card acceptance

– Breach Event

  • Base penalty of $500,000 is widely applied
  • Lawsuits from affected cardholders
  • Negative publicity / impact on reputation

Information Security and Protection

– PCI DSS compliance contributes to building and fortifying an organization's overall information security posture.
– It protects anyone using payment cards – from staff to the general public – when purchasing goods and services throughout your organization.

SLIDE 6

Definitions and Descriptions

  • Consumer
    – Individual purchasing goods, services, or both; the customer.
  • Merchant
    – Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
  • Acquirer
    – Typically a financial institution that processes payment card transactions for merchants, subject to payment brand rules and procedures regarding merchant compliance.
    – Issues Merchant IDs to colleges, universities and the system office.
    – May be a subsidiary of a bank, but is not involved with regular banking services.
      • Elavon is an acquirer, a subsidiary of US Bank
      • Wells Fargo Merchant Services is an acquirer, a subsidiary of Wells Fargo Bank
      • First Data is an acquirer, a partner of Bremer Bank
    – Annual PCI compliance status is filed with the acquirer, not the bank.
  • Issuer
    – Entity that issues payment cards or performs, facilitates, or supports issuing services, including but not limited to issuing banks and issuing processors.

SLIDE 7

Definitions and Descriptions

  • Merchant Levels
    – Level 1: 6 million+ transactions annually*
    – Level 2: 1 million – 6 million transactions annually
    – Level 3: 20,000 – 1 million eCommerce transactions annually
    – Level 4: <20,000 eCommerce transactions OR <1 million total transactions annually

*Any merchant that has had a data breach or attack that resulted in an account data compromise also falls under Level 1.

Most colleges, universities, and organizations fall under Merchant Level 3 or 4.

  • Report on Compliance (ROC)
    – Annual report documenting the complete details of an entity's PCI DSS assessment.
    – Required for Merchant Level 1 and most Service Provider assessments; completed by an external Qualified Security Assessor (QSA), or by the organization's own Internal Security Assessor (ISA) where the acquirer accepts that.
  • Self-Assessment Questionnaire (SAQ)
    – Reporting tool used to document self-assessment results from an entity's PCI DSS assessment.
  • Attestation of Compliance (AOC)
    – Form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Report on Compliance or Self-Assessment Questionnaire.

SLIDE 8

Definitions and Descriptions

  • Service Provider

– An entity that is not a payment brand, involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes entities that provide services that control or could impact the security of cardholder data.
– Examples

  • Point-Of-Sale (POS) or Payment Card Terminal Resellers
  • Cafeteria / Coffee Shop Sales
  • Bookstore / Merchandise Sales
  • Athletics / Theater Ticket Sales
  • Soda Machine Vendors
  • Class / Seminar Registration Providers
  • Tuition & Fees, Transcript Processing Providers
  • eCommerce Providers
  • Fundraising / Crowdfunding Websites
  • Infrastructure (Switches, Firewalls, WiFi Access Points) Management

…regardless of whether the system, website, or service is locally or remotely hosted.

NOTE: An entity that only provisions public network access, providing just the communication link (AT&T, Verizon, Comcast, etc.), would not be considered a PCI Service Provider.

SLIDE 9

Definitions and Descriptions

Are you a Service Provider?

Does your college, university, or organization…

… sell tickets at athletic or theater events for someone else?

  • Hockey Association
  • Theater Company
  • High School Football Team
  • Foundation

… provide computer and/or network management services to others?

  • Foundation
  • Cafeteria vendor
  • Vendors during commerce events (Student Art, Horticulture, Mechanic Tool sales)

…then you are a PCI Service Provider.

SLIDE 10

DSS 12 Requirements

  • Build and Maintain a Secure Network and Systems
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    5. Protect all systems against malware and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need to know
    8. Identify and authenticate access to system components
    9. Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
  • Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for all personnel
SLIDE 11

Roles and Responsibilities

*The person that signs the Merchant Agreement is ultimately responsible for PCI compliance and its obligations.

PCI = Collaboration

– Finance / Accounting
  • Banking and payment processing service provider relationship
  • Financial management of the college, university, or organization
– Legal
  • Service provider contract language
– Human Resources
  • Onboarding / background checks (where applicable)
– IT
  • Technical infrastructure and controls
– Loss Prevention / Physical Security
  • Physical protection of the PCI environment: key, security system, and visitor log management.
– Leadership Team
  • Messaging to the organization on the importance and priority of PCI.
  • Provide the necessary resources to support PCI.

*Based on the organization's decision

SLIDE 12

Roles and Responsibilities

What needs to be done? Who does it?

  • Annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC)
    – Generally a Finance / Accounting and IT collaboration
    – Generally signed by the CFO
    – Eight different types of SAQs (A, A-EP, B, B-IP, C-VT, C, P2PE-HW (renamed SAQ P2PE in later versions), D), depending on payment channel
    – May have multiple SAQs for the same vendor (one for a stand-alone dial-up terminal, another for an ecommerce site)
  • Network Data Flow Diagramming
  • Quarterly (90 day) External Scanning and Reporting (the external scans are performed by an Approved Scanning Vendor, ASV)
    – IT
  • Vetting and approval of PCI Service Provider solutions
    – Finance / Accounting and IT
  • Periodic review of sensitive area access
    – Report provided by the Key / Badge Management Team (Loss Prevention, Campus Security, or IT)
    – Review and sign-off by the Head of IT
  • Service Provider Contract and Attestation of Compliance (AOC) Management
    – Finance / Accounting
    – Annual, current Attestation of Compliance (AOC)
      • Direct deliverable from the Primary Service Provider
      • Request that the Primary Service Provider provide the Secondary Service Provider's AOC
    – Periodic review of Service Provider contracts, awareness of terms and conditions

SLIDE 13

Best Practices

Discover and Document

  • All Merchant and Service Provider contracts and agreements
  • How all departments take in and process payment cards
    – Website / Fax / Phone / Mailed form / Email
  • Network Data Flow Diagrams
    – POS stand-alone terminals (analog or digital?)
    – Fax / Phone using Voice over IP (VoIP)
  • Records storage inventory that may contain legacy PCI data

Reduce the scope of the PCI environment

  • Have Service Providers own, maintain and manage a separate network.
    – Outsourced cafeteria services
    – Soda machines
  • Change the level of integration with POS systems
    – Stand-alone terminals
    – Dial-up or cellular-only
  • Implement a certified Point-to-Point Encryption (P2PE) solution
    – This greatly reduces scope, but does not completely remove PCI compliance responsibility
  • Migrate responsibility and management to a Service Provider
    – Mobile payment terminal
    – Website and payment cloud hosting

Message to and collaborate with department heads

  • Work together and understand needs when implementing potential solutions and services, so that only vetted and approved vendors are used.

If you are a Service Provider – get out of the Service Provider business!
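As an added example (not from the original presentation or from Minnesota State), the following Python script illustrates two points made in this deck: Requirement 3 in the DSS list above (mask the PAN when it is displayed, store at most a truncated fragment) and the "Discover and Document" best practice of inventorying records storage that may still hold legacy card data. It finds candidate card numbers in text with a regular expression plus the Luhn check, masks them first-six/last-four, and produces a report that itself contains no full PAN. The sample records and the card numbers in them are constructed for the example (standard industry test numbers, not real cardholder data), and the 13-19 digit candidate length and space/dash separator handling are assumptions of this script, not anything the PCI SSC prescribes.

```python
"""Added example: PAN discovery, masking and truncation helpers.

Not code from the presentation. Standard library only; the sample records at
the bottom are constructed and use well-known test card numbers.
"""
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer digit run (so a 20-digit ID is
# skipped whole). These bounds are an assumption of this script.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs (digits only) found in text, in order."""
    return [
        _digits_only(m.group(0))
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_valid(_digits_only(m.group(0)))
    ]


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display masking: at most first six and last four visible."""
    if len(pan) < 13:
        raise ValueError("not a PAN-length digit string")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Requirement 3.4 truncation for storage: keep a fragment only (here the
    last four); the full PAN is never written down."""
    return pan[-4:]


def redact_text(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def scan_records(records) -> dict:
    """Map record index -> masked PANs found there, so the scan report itself
    holds no full PAN (and does not become new cardholder data to protect)."""
    hits = {}
    for idx, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            hits[idx] = [mask_pan(p) for p in pans]
    return hits


# Constructed sample records; the card numbers are industry test numbers.
SAMPLE_RECORDS = [
    "2019-10-01 theater ticket: card 4111 1111 1111 1111 exp 12/21 amt 45.00",
    "refund for 5555-5555-5555-4444 approved by cashier 17",
    "phone 612-555-0143, order id 1234567890123456",  # order id fails Luhn
    "amex 378282246310005 kept on file for seminar registration",
]

if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {masked}")
    print(redact_text(SAMPLE_RECORDS[1]))
```

Run it as-is to print the report for the constructed records. The regex-plus-Luhn approach is a heuristic: it produces false positives on Luhn-valid numbers that are not card numbers and misses PANs stored in binary, image or unusual formats, so treat a hit as a lead for manual verification, and never copy the full PAN into the scan output, a ticket, or an email while following it up.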

SLIDE 14

DISCUSSION

Ask me!

SLIDE 15

Thank you

Duane K. Faber

651.201.1532 duane.faber@minnstate.edu