Payment Card Industry (PCI) Compliance Training



April 29, 2014 Page 1

Payment Card Industry (PCI) Compliance Training

Presented to: Diocese of Rockford

Presenters: Mary Breeden and Sarilyn Neiber

What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

What are the PCI DSS Standards? First, let's begin with what PCI DSS stands for: Payment Card Industry Data Security Standard. Who created the PCI DSS? The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

April 29, 2014 Page 2

What is the Payment Card Industry Data Security Standard?

  • PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common sense steps that mirror security best practices.

Best Practices for Securing Cardholder Data

Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

April 29, 2014 Page 3

To whom does the PCI DSS apply?

PCI DSS applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Why is maintaining PCI DSS compliance important?

According to the PCI Security Council, more than 80% of security breach attacks happen at the small merchant level.

What happens if my parish is at fault for a data breach?

  – Fines and penalties from the card brands
  – Could wipe out church funds and then some
  – Termination of your ability to process cards
  – Loss of confidence by your parishioners
  – Legal costs

April 29, 2014 Page 4

What does my parish need to do to demonstrate compliance with the PCI DSS?

All small merchants must complete a Self-Assessment Questionnaire (SAQ). In addition to the SAQ, you may be required to perform quarterly network scans of your network and website. There are 5 different SAQs, and the parish will be required to complete one of the 5 based upon how you process cards.

SAQ    How do you accept payment cards?
A      Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
B      Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
C-VT   Merchants using only web-based virtual terminals, no electronic cardholder data storage.
C      Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
D      All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

What can a merchant do from a practical standpoint?

PCI: ongoing 3-step process

  • Assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
  • Remediate – fixing vulnerabilities and not storing cardholder data unless you need it.
  • Report – compiling and submitting required reports to the acquiring bank and card brands you do business with.

Other practical steps

  • Buy and use only validated payment software at your Point of Sale (POS) or website shopping cart.
  • Do not store any sensitive cardholder data in computers or on paper.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.
  • Follow the PCI standard.

April 29, 2014 Page 5

What tools are available to help with this process?

Reach out to your merchant services provider. This would be the company that sends your parish a merchant statement every month. More than likely they have partnered with a Qualified Security Assessor that has been approved by the card brands to help you with this process.

A wealth of information can also be found at:
https://www.pcisecuritystandards.org/merchants/index.php
www.pcicomplianceguide.org

We used both of these websites as reference material for our presentation.

What should a parish do if there is a compromise?

  • Know who is responsible at your parish for such matters
  • Contact your merchant services provider immediately
  • Contact law enforcement

April 29, 2014 Page 6

Other considerations

  • What other data might you have? Bank routing and bank account numbers to process electronic debits from your parishioners. This data is very sensitive and must be treated in a secure manner.
  • Recent NACHA Rule Amendment
    – These policies, procedures, and systems must:
      • Protect the confidentiality and integrity of Protected Information
      • Protect against anticipated threats or hazards to the security or integrity of Protected Information; and
      • Protect against unauthorized use of Protected Information that could result in harm to a natural person.

Conclusion / Q&A

Questions?

April 29, 2014 Page 7

Presentation Notes

  ▪ If there is no compelling reason to retain donor credit card or bank account information, shred it
  ▪ If you do need to keep it for a period of time, store it securely in a locked cabinet with access restricted to those who need to use it
  ▪ Swipe devices used on phones/computers must use encrypted transmission
  ▪ ALL merchants must complete a Self-Assessment Questionnaire (SAQ) annually
  ▪ For assistance, contact the Treasury Department at your local bank or your merchant services provider
  ▪ Best Practices, PCI FAQ and other useful information may be found online at: www.pcicomplianceguide.org
  ▪ ACH transactions follow NACHA rules including: protect the confidentiality of protected information, protect against anticipated threats to security, protect against unauthorized use of information

Questions from the 4/29/2014 presentation researched by the bank:

  1. Is there PERSONAL liability to those processing transactions in the case of a breach?
     • Possibly. Review the merchant services agreements and applications to see if the signing officer/officers includes a personal guaranty. If so, the officers could be liable.
  2. Mobile payment guidelines can be found at: https://www.pcisecuritystandards.org/documents/Mobile_Payment_Security_Guidelines_Merchants_v1.pdf