PCI Information Session May 2014 - NCSU PCI Team
Agenda
- PCI compliance process
- Security training
- Why compliance is important
- PCI DSS update from NCSU ISA
- 2014 attestation process
- Questions
PCI Compliance Process
Annually:
- Complete Assessment Questionnaire
- Complete Security Awareness Training & SAQ Training
- Update Policy & Procedures
- Update Data Flow Diagrams
- Sign Merchant Service Agreement
- Complete SAQ
Security Awareness Training
- Login and password for training access will arrive via email from merchantservices@ncsu.edu
- Training must be completed no later than June 20, 2014.
Training Example
SAQ Training
- Training is available now for SAQ B merchants.
- Training for SAQ A merchants is provided by Security & Compliance.
- There may be changes for those who completed it last year.
- Training must be completed prior to SAQ submission.
Why is Compliance Important?
Why is Compliance Important?
- It allows the University to continue to accept credit cards as a form of payment.
- It demonstrates that the University accepts the responsibility of safeguarding our customers' payment card data throughout every transaction, and solidifies confidence in protecting data against the hassle and cost of data breaches.
Why is Compliance Important?
Compliance vs. Security
[Diagram: Security / Compliance]
Why is Compliance Important?
Penalties can be huge. In the event of a breach the bank can make the merchant responsible for:
- Fines from card associations: up to $500,000
- Cost to notify victims
- Cost to replace cards
- Cost for any fraudulent transactions
- Forensics
- Level 1 certification: average cost of a QSA report ~$225,000
- Bad publicity: priceless!
Things to remember
- Check the Merchant Services website frequently: http://controller.ofb.ncsu.edu/merchant-services/
- Contact Merchant Services if you have questions
- Notify Merchant Services of ANY changes to your business process
What's new for PCI-DSS 3.0
- PCI-DSS 3.0 (112 pages): https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
- Summary of Changes (12 pages): https://www.pcisecuritystandards.org/documents/pci_dss_v3_summary_of_changes.pdf
- Mostly clarifications: 64 Clarifications, 19 Evolving Requirements, 1 Additional Guidance
What's new for PCI-DSS 3.0
- Additional Guidance: Added guidance on combining multiple scan reports in order to achieve and document a passing result.
- Clarification: Clarified that quarterly internal vulnerability scans include rescans as needed until all high vulnerabilities (as identified by PCI DSS Requirement 6.1) are resolved, and must be performed by qualified personnel.
- Evolving Requirement: New requirement to implement a methodology for penetration testing.
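The two scan-related items above (combining multiple scan reports into one documented result, and rescanning until every high finding is resolved) are easy to get wrong when a quarter involves several partial rescans. The following is an added example written for these notes, not NCSU or PCI SSC tooling: it takes a constructed set of scan reports for one quarter and applies the rule that every high finding must be absent from the most recent scan that covered its host, and that every scan was run by someone on a (constructed) qualified-scanner list. The report layout, host names, finding ids and scanner names are all assumptions made for the illustration.

```python
"""Combine a quarterly internal vulnerability scan with its rescans and
decide whether the quarter can be documented as passing.

Added example for these session notes; it is not NCSU or PCI SSC tooling.
The report structure (a list of dicts), the host names, the finding ids
and the qualified-scanner list are all constructed for illustration.
Rule applied: every "high" finding seen in any scan of the quarter must
be absent from the most recent scan that covered that host, and every
scan must have been run by someone on the qualified list.
"""
from datetime import date

# Constructed sample: initial scan on 1 April, then two rescans that
# re-examine only the hosts that still had high findings.
SAMPLE_REPORTS = [
    {"scanned_on": date(2014, 4, 1), "scanner": "jdoe",
     "hosts": ["pos-01", "pos-02", "web-01"],
     "findings": [
         {"host": "pos-01", "id": "VULN-100", "severity": "high"},
         {"host": "pos-02", "id": "VULN-101", "severity": "high"},
         {"host": "web-01", "id": "VULN-200", "severity": "medium"},
     ]},
    {"scanned_on": date(2014, 4, 15), "scanner": "jdoe",
     "hosts": ["pos-01", "pos-02"],
     "findings": [
         {"host": "pos-02", "id": "VULN-101", "severity": "high"},
     ]},
    {"scanned_on": date(2014, 4, 29), "scanner": "jdoe",
     "hosts": ["pos-02"],
     "findings": []},
]


def latest_scan_per_host(reports):
    """Map each host to the most recent report that covered it."""
    latest = {}
    for report in sorted(reports, key=lambda r: r["scanned_on"]):
        for host in report["hosts"]:
            latest[host] = report
    return latest


def evaluate_quarter(reports, qualified_scanners):
    """Return a dict with the pass/fail decision and the evidence behind it.

    open_highs lists high findings still present in the latest scan of
    their host (hosts never rescanned count as still open); each entry
    records when the finding was first seen and the date of the scan that
    still shows it, which is the trail an assessor asks for.
    """
    ordered = sorted(reports, key=lambda r: r["scanned_on"])
    latest = latest_scan_per_host(ordered)
    unqualified = [r["scanned_on"] for r in ordered
                   if r["scanner"] not in qualified_scanners]

    open_highs = []
    seen = set()
    for report in ordered:
        for f in report["findings"]:
            key = (f["host"], f["id"])
            if f["severity"] != "high" or key in seen:
                continue
            seen.add(key)
            # The report that saw the finding is the fallback if the host
            # is somehow missing from its own host list.
            final = latest.get(f["host"], report)
            still_present = any(g["host"] == f["host"] and g["id"] == f["id"]
                                for g in final["findings"])
            if still_present:
                open_highs.append({"host": f["host"], "id": f["id"],
                                   "first_seen": report["scanned_on"],
                                   "last_seen": final["scanned_on"]})

    return {"passed": not open_highs and not unqualified,
            "open_highs": open_highs,
            "unqualified_scans": unqualified}


if __name__ == "__main__":
    result = evaluate_quarter(SAMPLE_REPORTS, {"jdoe"})
    print("quarter passes" if result["passed"] else "quarter fails", result)
```

With all three constructed reports the quarter passes; drop the 29 April rescan and VULN-101 on pos-02 is still open, so the quarter fails with that finding and its dates as the evidence. Medium findings are deliberately left out of the pass/fail decision because the clarification quoted above ties rescans to high vulnerabilities.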
What's new for PCI-DSS 3.0: Big Changes
- SAQs
- Data Flow Diagram
- Inventory
- Service Providers
- Anti-Malware
- Physical Protection
What's new for PCI-DSS 3.0: SAQs
- SAQ A (14 questions): Card-not-present merchants (ecommerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
- SAQ A-EP (139 questions): Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
What's new for PCI-DSS 3.0: Data Flow Diagram
- 1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks
- 1.1.3 Current diagram that shows all cardholder data flows across systems and networks
What's new for PCI-DSS 3.0: Inventory
- 2.4 Maintain an inventory of system components that are in scope for PCI DSS. (System components are defined on page 10 of PCI-DSS 3.0.)
- 2.4.a Examine the system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.
What's new for PCI-DSS 3.0: Service Providers
- 12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
- Formal written agreement: an amendment to the contract, or a modification/clarification of existing language
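Requirements 2.4 and 12.8.5 above both ask for a maintained record that an assessor will sample: every in-scope component needs a type and a description of function/use, and every requirement area needs a recorded owner (a named provider or the entity itself). The following is an added example for these notes, not NCSU tooling, that runs those two checks over a constructed inventory and a constructed responsibility matrix so that gaps surface before the assessment rather than during it. The component names, provider name and requirement-area labels are assumptions made for the illustration.

```python
"""Check a system-component inventory (PCI DSS 3.0 req. 2.4) and a service
provider responsibility matrix (req. 12.8.5) for the gaps an assessor
would flag. Added example for these session notes, not NCSU or PCI SSC
tooling; the inventory, the provider list and the requirement-area labels
are constructed for illustration.
"""

# Constructed inventory. Requirement 2.4 expects hardware and software
# components, each with a description of function/use, for in-scope items.
INVENTORY = [
    {"name": "pos-01", "type": "hardware", "in_scope": True,
     "function": "Card-present terminal, ticket office"},
    {"name": "pos-02", "type": "hardware", "in_scope": True,
     "function": ""},                                    # no description
    {"name": "web-01", "type": "hardware", "in_scope": True,
     "function": "Ecommerce front end; redirects to hosted payment page"},
    {"name": "nginx", "type": "software", "in_scope": True,
     "function": "Reverse proxy on web-01", "runs_on": "web-01"},
    {"name": "payment-app", "type": "", "in_scope": True,
     "function": "Hosted checkout (provider-operated)"},  # no type recorded
    {"name": "print-01", "type": "hardware", "in_scope": False,
     "function": "Office printer"},
]

# Constructed requirement areas whose ownership must be recorded under
# 12.8.5, and the responsibility matrix as written so far.
REQUIREMENT_AREAS = ["1 firewall", "2 config", "3 storage", "4 transmission",
                     "5 antimalware", "6 development", "11 scanning"]
RESPONSIBILITY = {
    "1 firewall": "entity",
    "2 config": "entity",
    "3 storage": "HostedPayCo",
    "4 transmission": "HostedPayCo",
    "5 antimalware": "entity",
    # "6 development" and "11 scanning" have not been assigned yet
}
PROVIDERS = {"HostedPayCo"}   # constructed service provider name


def check_inventory(inventory):
    """Return a list of (component name, problem) for in-scope items.

    Out-of-scope items are skipped; in-scope items must have a type of
    hardware or software, a non-empty function/use, and a runs_on that
    points at another inventoried component if present.
    """
    problems = []
    names = {c["name"] for c in inventory}
    for c in inventory:
        if not c.get("in_scope"):
            continue
        if c.get("type") not in ("hardware", "software"):
            problems.append((c["name"], "type must be hardware or software"))
        if not c.get("function", "").strip():
            problems.append((c["name"], "missing description of function/use"))
        host = c.get("runs_on")
        if host and host not in names:
            problems.append((c["name"], f"runs_on '{host}' is not in the inventory"))
    return problems


def check_responsibility(areas, matrix, providers):
    """Return (unassigned areas, entries naming an unknown owner).

    An owner is either the literal "entity" or a provider that appears in
    the maintained provider list (req. 12.8.5).
    """
    unassigned = [a for a in areas if a not in matrix]
    unknown = [(a, owner) for a, owner in matrix.items()
               if owner != "entity" and owner not in providers]
    return unassigned, unknown


if __name__ == "__main__":
    for name, problem in check_inventory(INVENTORY):
        print(f"inventory: {name}: {problem}")
    unassigned, unknown = check_responsibility(REQUIREMENT_AREAS,
                                               RESPONSIBILITY, PROVIDERS)
    for area in unassigned:
        print(f"responsibility: {area}: no owner recorded")
    for area, owner in unknown:
        print(f"responsibility: {area}: owner '{owner}' not a listed provider")
```

On the constructed data the inventory check reports pos-02 (no function/use) and payment-app (no type), ignores the out-of-scope printer, and the responsibility check reports the two requirement areas that nobody has claimed yet. Keeping the provider list separate from the matrix is deliberate: an owner that is neither the entity nor a listed provider usually means a provider relationship that 12.8 has not captured.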
What's new for PCI-DSS 3.0: Anti-Malware
- 5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
- 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
What's new for PCI-DSS 3.0: Physical Protection
- 9.3 Control physical access for onsite personnel to sensitive areas as follows:
  - Access must be authorized and based on individual job function.
  - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
- 9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
New estore for NCSU
Higher One estore coming soon. What's the plan?
- Onboard merchants that have been waiting for an ecommerce solution
- Onboard merchants that are not PCI-DSS compliant
- Migrate existing ecommerce merchants to the new solution
- Timeline is to begin in June 2014.
Hot Topics!! Mobile Payment Options
- None of these products are PCI Certified. There are lots of products on the market right now!
- The FD 400 terminal is PCI Certified. The FD 400 is the current NCSU mobile payment solution.
- The terminal connects to a cellular signal to receive authorization from FDMS.
Questions?