PCI Information Session. May NCSU PCI Team


PCI Information Session May 2014 - NCSU PCI Team

Agenda
PCI compliance process
Security Training
Why compliance is important
PCI DSS update from NCSU ISA
2014 attestation process
Questions

PCI Compliance Process
Annually:
Complete Assessment Questionnaire
Complete Security Awareness Training & SAQ Training
Update Policy & Procedures
Update Data Flow Diagrams
Sign Merchant Service Agreement
Complete SAQ

Security Awareness Training
Login and password for training access will arrive via email from merchantservices@ncsu.edu.
Training must be completed no later than June 20, 2014.

Training Example

SAQ Training
Training is available now for SAQ B merchants.
Training for SAQ A merchants is provided by Security & Compliance.
There may be changes for those who completed it last year.
Training must be completed prior to SAQ submission.

Why is Compliance Important?

Why is Compliance Important?
It allows the University to continue to accept credit cards as a form of payment.
It demonstrates that the University accepts the responsibility of safeguarding our customers' payment card data throughout every transaction, and solidifies confidence in protecting data against the hassle and cost of data breaches.

Why is Compliance Important?
Compliance vs Security (diagram with two overlapping areas: Security, Compliance)

Why is Compliance Important?
Penalties can be huge. In the event of a breach the bank can make the merchant responsible for:
Fines from card associations: up to $500,000
Cost to notify victims
Cost to replace cards
Cost for any fraudulent transactions
Forensics
Level 1 certification: average cost of QSA report ~ $225,000
Bad publicity: priceless!

Things to remember
Check out the Merchant Services website frequently: http://controller.ofb.ncsu.edu/merchant-services/
Contact Merchant Services if you have questions
Notify Merchant Services of ANY changes to your business process

What's new for PCI-DSS 3.0
PCI-DSS 3.0 (112 pages): https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
Summary of Changes (12 pages): https://www.pcisecuritystandards.org/documents/pci_dss_v3_summary_of_changes.pdf
Mostly clarifications:
64 Clarifications
19 Evolving Requirements
1 Additional Guidance

What's new for PCI-DSS 3.0
Additional Guidance: Added guidance on combining multiple scan reports in order to achieve and document a passing result.
Clarification: Clarified that quarterly internal vulnerability scans include rescans as needed until all high vulnerabilities (as identified by PCI DSS Requirement 6.1) are resolved, and must be performed by qualified personnel.
Evolving Requirement: New requirement to implement a methodology for penetration testing.

What's new for PCI-DSS 3.0
Big Changes:
SAQs
Data Flow Diagram
Inventory
Service Providers
Antimalware
Physical Protection

What's new for PCI-DSS 3.0
SAQs
SAQ A (14 questions): Card-not-present merchants (ecommerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
SAQ A-EP (139 questions): Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

What's new for PCI-DSS 3.0
Data Flow Diagram
1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
1.1.3 Current diagram that shows all cardholder data flows across systems and networks.

What's new for PCI-DSS 3.0
Inventory
2.4 Maintain an inventory of system components that are in scope for PCI DSS. (System components are defined on page 10 of PCI-DSS 3.0.)
2.4.a Examine the system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.

What's new for PCI-DSS 3.0
Service Providers
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Formal written agreement
Amendment to contract
Modification/clarification of existing language

What's new for PCI-DSS 3.0
Antimalware
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

What's new for PCI-DSS 3.0
Physical Protection
9.3 Control physical access for onsite personnel to sensitive areas as follows: access must be authorized and based on individual job function; access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

New estore for NCSU
Higher One estore coming soon. What's the plan?
Onboard merchants that have been waiting for an ecommerce solution
Onboard merchants that are not PCI-DSS compliant
Migrate existing ecommerce merchants to the new solution
Timeline is to begin in June 2014.

Hot Topics!
Mobile Payment Options
There are lots of products on the market right now, but none of these products are PCI certified.
The FD 400 terminal is PCI certified and is the current NCSU mobile payment solution. The terminal connects over a cellular signal to receive authorization from FDMS.

Questions?