October, 2019 Duane K. Faber
Agenda • Introduction • What is PCI? • Why is PCI Important? • Definitions and Descriptions • PCI, SSC, DSS • Consumers, Merchants, Acquirers • Service Providers • PCI Requirements • Roles, Responsibilities • Best Practices • Discussion
Agenda Duane Faber • Infrastructure, Information Security Leader for large ($1billion+) retail companies • PCI Level 1 Merchant organization principle 2008 – 2018 • Minnesota State • System Office – Information Technology Services, Security Team • PCI Program Advisor • PCI SSC Certified Internal Security Assessor (ISA) - 2019 Valid ISA Name: Duane Faber ISA Certificate #: 805-590 ISA Certified Through: 18 Apr 2020 Company: Minnesota State
What is PCI? Payment Card Industry (PCI) Organizations that accept, process, or develop solutions for credit and debit cards as a form of payment for goods and services. Security Standards Council (SSC) Founded in 2006 by the five major card brands in response to increased payment card theft and fraud policies, controls and development standards for PCI Data Security Standard (DSS) Published sets of standards and requirements to meet the standards according to organization’s role DSS* – Merchants accepting cards for payment PA-DSS – Application Development ASV – Approved Scanning Vendors PFI – PCI Forensic Investigators …and many more… *Current PCI DSS version 3.2.1 (May, 2018)
Why is PCI important? Financial Impact – Organizations found not compliant to the PCI DSS can face penalties and other negative impacts. • Penalties from the card brands, to the acquirer, passed on to the merchant (not the PCI SSC itself) • Suspension of payment card acceptance – Breach Event • Base penalty of $500,000 is widely applied • Lawsuits from affected cardholders • Negative publicity / impact on reputation Information Security and Protection – PCI DSS compliance contributes to building and fortifying an organization’s overall information security posture . – Protecting anyone using payment cards – from staff to the general public – when purchasing goods and services throughout your organization.
Definitions and Descriptions • Consumer • Individual purchasing goods, services, or both; the customer. • Merchant • Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. • Acquirer • Typically financial institution that processes payment card transactions for merchants, subject to payment brand rules and procedures regarding merchant compliance . • Issues Merchant IDs to colleges, universities and system office. • They may be subsidiary of a bank, but not involved with regular banking services. • Elavon is acquirer, subsidiary of US Bank • Wells Fargo Merchant Services is acquirer, subsidiary of Wells Fargo Bank • First Data is acquirer, partner with Bremer Bank • Annual PCI compliance status is filed with the acquirer, not the bank. • Issuer • Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors .
Definitions and Descriptions • Merchant Levels • Level 1 6 million+ transactions annually *Any merchant that has had a data breach or attack that resulted in an account data compromise • Level 2 1 million – 6 million transactions annually • Level 3 20,000 – 1 million eCommerce transactions • Level 4 <20,000 eCommerce transactions OR <1 million total transactions annually Most colleges, universities, and organizations fall under Merchant Level 3 or 4. • Report of Compliance (ROC) • Annual Report documenting complete details of an entity’s PCI DSS assessment. • Required for use by external Qualified Security Assessors (QSA’s) for Merchant Level 1 and most Service Provider assessments. • Self-Assessment Questionnaire (SAQ) • Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment. • Attestation of Compliance (AOC) • Form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Report on Compliance or Self-Assessment Questionnaire.
Definitions and Descriptions • Service Provider – An entity that is not a payment brand, involved in the processing, storage, or transmission of cardholder data on behalf of another entity . This also includes entities that provide services that control or could impact the security of cardholder data. – Examples • Point-Of-Sale (POS) or Payment Card Terminal Resellers • Cafeteria / Coffee Shop Sales • Bookstore / Merchandise Sales • Athletics / Theater Ticket Sales • Soda Machine Vendors • Class / Seminar Registration Providers www.online.com • Tuition & Fees, Transcript Processing Providers • eCommerce Providers • Fundraising / Crowdfunding Websites • Infrastructure (Switches, Firewalls, WiFi Access Points) Management …regardless of local or remotely hosted system, website, or service. NOTE: An entity providing the provisioning service of public network access, providing just the communication link (AT&T, Verizon, Comcast, etc.) would not be considered a PCI Service Provider.
Definitions and Descriptions Are you a Service Provider? Does your college, university, or organization… … Sell tickets at athletic or theater events for someone else? Hockey Association Theater Company High School Football Team Foundation … Provide computer and/or network management services? Foundation Cafeteria vendor Vendors during commerce events (Student Art, Horticulture, Mechanic Tool sales) …you are a PCI Service Provider
12 Requirements • Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters DSS • Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks • Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications • Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data • Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes • Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel
Roles and Responsibilities * Person that signs the Merchant Agreement is ultimately responsible for PCI Compliance and obligations PCI = Collaboration – Finance / Accounting – IT • • Banking and payment processing service provider relationship Technical infrastructure and controls • Financial management of college, university, or organizations – Loss Prevention / Physical Security – Legal • Physical protection of the PCI environment. Key, security system, visitor log management. • Service provider contract language – Leadership Team – Human Resources • Messaging to organization on the importance, • Onboarding / Background checks (where applicable) priority of PCI. • Provide necessary resource to support PCI. * Based on organization’s decision
Roles and Responsibilities What needs to be done? Who does it? • Annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) – Generally Finance / Accounting and IT collaboration – Generally signed by CFO – Eight different types of SAQs (A, A-EP, B, B-IP, C-VT, C, P2PE-HW, D), depending on payment channel o May have multiple SAQs for same vendor (one for stand-alone dial-up terminal, other is ecommerce site) • Network Data Flow Diagramming • Quarterly (90 day) External Scanning and Reporting – IT • Vetting and approval of PCI Service Provider solutions – Finance / Accounting and IT • Periodic review of sensitive area access – Report provided by Key / Badge Management Team (Loss Prevention, Campus Security, or IT) – Review and sign off by Head of IT • Service Provider Contract and Attestation of Compliance (AOC) Management – Finance / Accounting – Annual, Current Attestation of Compliance (AOC) o Direct deliverable from Primary Service Provider o Request for Primary Service Provider to provide Secondary Service Provider’s AOC – Periodic review of Service Provider contracts, awareness of terms and conditions
Recommend
More recommend
