PCI Information Session. May NCSU PCI Team

Transcription

1 PCI Information Session May NCSU PCI Team

2 Agenda PCI compliance process Security Training Why compliance is important PCI DSS update from NCSU ISA 2014 attestation process Questions

3 PCI Compliance Process Annually: Complete Assessment Questionnaire Complete Security Awareness Training & SAQ Training Update Policy & Procedures Update Data Flow Diagrams Sign Merchant Service Agreement Complete SAQ

4 Security Awareness Training Login and password will arrive via for training access from Training must be completed no later than June 20, 2014.

5 Training Example

6 SAQ Training Training is available now for SAQ B merchants. Training for SAQ A merchants provided by Security & Compliance. May be changes for those last year. Training must be completed prior to SAQ submission.

7 Why is Compliance Important?

8 Why is Compliance Important? It allows the University to continue to accept credit cards as a form of payment Demonstrates that the University accepts the responsibility of safeguarding our customers payment card data throughout every transaction and solidify confidence in protecting data against the hassle and cost of data breaches.

9 Why is Compliance important? Compliance vs Security Security Compliance

10 Why is Compliance Important? Penalties can be Huge In the event of a breach the bank can make the merchant responsible for: Fines from card associations Up to $500,000 Cost to notify victims Cost to replace cards Cost for any fraudulent transactions Forensics Level 1 certification - Average cost of QSA report ~ $225,000 Bad Publicity Priceless!

11 Things to remember. Check out Merchant Services website frequently Contact Merchant Services if you have questions Notify Merchant Services with ANY changes to your business process

12 What s new for PCI-DSS 3.0 PCI-DSS 3.0 (112 pages): Summary of Changes (12 pages): Mostly clarifications 64 Clarifications 19 Evolving Requirements 1 Additional Guidance

13 What s new for PCI-DSS 3.0 Additional Guidance Added guidance on combining multiple scan reports in order to achieve and document a passing result. Clarification Clarified that quarterly internal vulnerability scans include rescans as needed until all high vulnerabilities (as identified by PCI DSS Requirement 6.1) are resolved, and must be performed by qualified personnel. Evolving Requirement New requirement to implement a methodology for penetration testing.

14 What s new for PCI-DSS 3.0 Big Changes SAQs Data Flow Diagram Inventory Service Providers Antimalware Physical Protection

15 What s new for PCI-DSS 3.0 SAQs SAQ A (14 Questions) Card not present merchants (ecommerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. SAQ A-EP (139 Questions) Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises.

16 What s new for PCI-DSS 3.0 Data Flow Diagram Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks Current diagram that shows all cardholder data flows across systems and networks

17 What s new for PCI-DSS 3.0 Inventory 2.4 Maintain an inventory of system components that are in scope for PCI DSS. System Components defined on page 10, PCI-DSS a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.

18 What s new for PCI-DSS 3.0 Service Providers Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. Formal written agreement Amendment to contract Modification/Clarification to existing language

19 What s new for PCI-DSS 3.0 AntiMalware For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

20 What s new for PCI-DSS 3.0 Physical protection 9.3 Control physical access for onsite personnel to the sensitive areas as follows: Access must be authorized and based on individual job function. Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

21 New estore for NCSU Higher One estore coming soon. What s the plan. Onboard merchants that have been waiting for ecommerce solution Onboard merchants that are not PCI-DSS compliant Migrate existing ecommerce merchants to new solution Timeline is to begin in June 2014.

22 Hot Topics!! Mobile Payment Options None of these products are PCI Certified There are lots of products on the market right now! FD 400 terminal is PCI Certified FD 400 is current NCSU mobile payment solution. Terminal connects to cellular signal to receive authorization from FDMS.

23 Questions????