Solving the PCI Puzzle with New Rules and Strategies


1 Solving the PCI Puzzle with New Rules and Strategies
May 8, 2018, Austin, TX, 1:00 pm to 2:00 pm
Kristy Pritchett, Director of Student Accounts, University of Alabama
John McElroy, Product Strategy, TouchNet

2 About TouchNet
- Commerce Platform Provider
- 100% Higher Ed Focused
- 800+ schools
- University of Alabama (since 2000)
- Strategic Partnerships: Ellucian & PeopleSoft
- 120+ TouchNet Ready Partners

3 The Unique PCI Challenges for College Campuses

4 About the University of Alabama
Established in 1831, The University of Alabama, the state of Alabama's oldest public university, is a senior comprehensive doctoral-level institution. Its mission is to advance the intellectual and social condition of the people of the state through quality programs of teaching, research and service. Ellucian Banner is our ERP and we partner with TouchNet for a significant portion of our payment activity.

5 About the University of Alabama (continued)
We have a little football team you might have heard about.

6 University of Alabama's PCI Landscape
- 109 merchant IDs, approximately $370 million in annual credit/debit card volume
- 44 analog or cellular terminals, 11 IP/ethernet-connected terminals, 6 back-office point-of-sale via PC, 4 USB-connected point-of-sale, 6 validated P2PE terminal merchants, 38 web merchants
- 6 third-party relationships (not UA's MID)
- We accept payments in person, by phone, by mail, and online
- SAQ A (38), SAQ B (44), SAQ C-VT (6), SAQ D (15), SAQ P2PE (6)

7 Initial Strategy for PCI
- Worked with a QSA to establish our initial program
- Implemented a centralized commerce platform
- Created a policy and partnered with administration for communication and enforcement
- Centralized SAQs with central management of many responsibilities
- Re-engaged QSA in 2017: reinforced initial strategy; top recommendation: P2PE everywhere

8 University of Alabama Business Office (Enterprise Commerce Platform Timeline)
Timeline items: Student Cashiering, Payment Gateway for Credit Card, Added ACH, Marketplace, Student Account Center, eBills, eRefunds, eDeposits, Payment Plans, Recovery Select, Managed 1098T, TouchNet Ready Partners

9 Connect as Many Partners as Possible
Campus Management, Entrinsik, Innosoft, Hobsons, Ruffalo Noel Levitz, ScaleFunder, Campus Call, StarRez, T2, Tix, Inc.

10 Goal of a Commerce Platform
Commerce Platform Partners [ACI / Blackboard / Nelnet / TMS / TouchNet / etc.]
- Reduce risk and consolidate the PCI effort
- Started with Online/CNP (SAQ A)

11 Biggest Challenge: In Person/CP
- 8 hardware makes/models
- 190 hardware devices
- SAQ B and D with lots of N/As
- Network and cashiering stations in scope
- Segmented networks

12 Previous Strategy: Convert to EMV (with E2EE)
This was good and it's kept us safe (so it reduced our risk), but not our scope.

13 Early E2EE Programs: Reduced Risk, but not Scope
First Data TransArmor, Elavon SAFE-T, Trustwave E2EE, Voltage, Verifone VeriShield, Heartland E3
At the time, they were not validated by the PCI Council.

14 New Strategy: Validated P2PE for all devices
POINT-TO-POINT ENCRYPTION
A Global Payments Company 14

15 Validated Point-to-Point Encryption (P2PE)

16 In Scope

17 Reduces our PCI Scope/Paperwork
- P2PE SAQ
- Removed the network from scope
- Removed the PC/workstation from scope
- No need for a segregated network
- 33 questions vs. 332 questions


21 Exemption

22 PCI Compliance Validation Exemption Program(s)

23 Exemption Program Matrix
Brand | Program Name | Reporting Frequency | Submit to Brand | Enrollment Method | Device Requirements | SAQ
Visa | TIP | Bi-annual | Yes | Application | 75% EMV and/or Validated P2PE, contactless enabled | N/A
MC | SDP | Annual | Yes | "Proof of previous compliance." Prior SAQ on file. | Same | N/A
Discover | DISC | Bi-annual | Yes | Application | Same | N/A
Amex | STEP | Annual | Yes | Application | Same | N/A

24 Adoption of Contactless and EMV

25 Or the Adoption of Validated P2PE

26 Program Requirement Recap (CP/In-line)
- 75% of CP transactions via EMV and/or Validated P2PE devices
- Devices must support contactless (NFC)
Footnotes: currently PCI compliant; no recent breaches; not storing sensitive authentication data
Still have to be PCI compliant!

27 Acquirer Relationship: Attest PCI Compliance / eCommerce Apps
Unaffiliated acquirer:
- Online (Card-not-present) / CNP: SAQ A (22)
- In-line (Card present) / CP: Non-validated P2PE, SAQ C (160) or SAQ D (332); Validated P2PE, SAQ P2PE (33)
Affiliated acquirer:
- Online / CNP: Active participation in your PCI compliance
- In-line / CP: Active participation in your PCI compliance

28 Affiliated Acquirer Relationship: Attest PCI Compliance / eCommerce Apps
Affiliated: might be a more active PCI compliance participant/partner
- Online (Card-not-present) / CNP: Active participation in your PCI compliance. Might use a 3rd party to assess your apps, reducing the SAQ to even fewer questions and/or making them available in an online portal.
- In-line (Card present) / CP: Active participation in your PCI compliance. They might enroll MIDs in the brand exemption programs, reducing and/or eliminating SAQs altogether (i.e. no questions).

29 Online: The Wallet Race is On

30 Remember ALL Merchants Must be PCI Compliant. Period.

31 Even Level 4 Merchants
- Level 4 merchants must now validate compliance annually
- Over 90% of data breaches happen at this level


33 Why Should Schools Care About PCI?
- Avoid the headlines
- Card brand fines
- Damage to brand
- Loss of trust
- $141 per account breached*
- Average total cost of a data breach is $3.62 million*
* Ponemon Institute Cost of a Data Breach Study (2017)

34 There's still work to be done outside P2PE
- SAQ A for ecommerce / attestation
- Scanning & penetration testing
- Must have a policy
- Contract and vendor management
- Device inspections and tracking
- PCI awareness training
PCI Puzzle Solved? Getting closer.

35 University of Alabama Recap
In-Person/CP: Take advantage of Validated P2PE and the card brands' exemption programs
Online/CNP: Revisit ecommerce
- QSA is reviewing all ecommerce apps
- SAQs will be reduced down to the minimum
- Online portal will be used to complete the remaining questions
- Should be down to a few clicks for merchants

36 Our New Goal
Commerce Platform Partners [ACI / Blackboard / Nelnet / TMS / TouchNet / etc.]
- Consolidate all Online/CNP to one platform: 1 SAQ A
- Leverage P2PE and/or exemption programs to reduce/eliminate In-Person/CP: No SAQ

37 Thanks! Questions?
Kristy Pritchett, Director of Student Accounts, University of Alabama
John McElroy, Product Strategy, TouchNet