2014 PCI DSS Meeting

OSU Business AffairsProcess Improvement Team (PIT)Robin Whitlock & Dan Hough

10/28/2014

2

Today’s Presentation

What do you have to do?What is PCI DSS?Who Needs to Comply with PCI DSS?Why PCI DSS?Compliance Life CycleCardholder Data/StorageGoals & RequirementsWhat do you have to do?Coming in 2015: PCI 3.0ResourcesQuestions

3

Your to do list by December 12:

1. Verify credit card merchant information with Business Affairs

2. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)

3. Merchant managers complete and sign the Cover Page & SAQ

Annual PCI DSS Assessment must be completed for all Merchants

4. Business Center Manager or FAM must review and sign

5. Send to Robin Whitlock and Dan Hough

4

What is PCI DSS?

Payment Card Industry Data Security Standards “Common set of industry tools and measurements to help ensure

the safe handling of sensitive information Provides an actionable framework for developing a robust

account data security process – including preventing, detecting and reacting to security incidents” (https://www.pcisecuritystandards.org/merchants/index.php)

Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Disc…)

5

Who Needs to Comply with PCI DSS?

Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers…) That means you!

Compliance is mandatory(eCommerce Policy, Oregon State Treasury,PCI DSS).

6

Why PCI DSS ?

241 breaches of sensitive information to date in 2014 (affecting >64 million records)1

Notable retail breaches since November 20132

1 Privacy Rights Clearinghouse, https://www.privacyrights.org, 10/28/142”Cyber Attacks on US Companies in 2014,” by Riley Walters, http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014

• Target • Home Depot • Staples • Kmart

• Albertsons • Michaels • Neiman Marcus • eBay

• PF Changs • UPS Stores • Aaron Brothers • Goodwill

• Supervalu • Dairy Queen

7

Compliance Life Cycle

Pre-Assessment / Gap Analysis

Implement / Remediate

PCI:DSS Validation

Ongoing Compliance Monitoring

8

Primary Account Number (PAN)

Expiration Date

Chip/Magnetic Strip Data CAV2/CVC2/CVV2

What is Cardholder Data?

Cardholder Name

1.These data elements must be protected if stored in conjunction with the PAN.

2.Sensitive authentication data must not be stored after authorization (even if encrypted).

3.Magnetic stripe or chip.

9

PCI Data Storage

Data ElementStorage

PermittedProtectionRequired

Cardholder Data

Primary Account Number (PAN) Yes Yes

Cardholder Name[1] Yes Yes[1]

Expiration Date[1] Yes Yes[1]

Sensitive Authentication

Data[2]

Full Magnetic Strip Data[3] No N/A

CAV2/CVC2/CVV2 No N/A

10

PCI DSS Goals & Requirements

Build and Maintain a Secure Network (2)

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other parameters

Protect Cardholder Data (2)

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

(digital dozen)

11

PCI DSS Goals & Requirements

Maintain a Vulnerability Management Program (2)

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures (3)

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

12

PCI DSS Goals & Requirements

Regularly Monitor and Test Networks (2)

10.Track and monitor all access to network resources and cardholder data

11.Regularly test security systems and processes

Maintain an Information Security Policy (1)

12.Maintain a policy that addresses information security

13

Misconceptions

Self assessment means you’re compliantCompliance means you won’t suffer a breachOutsourcing takes away your need for compliancePCI:DSS is just about ITA single product can make you compliantCompliance can be automated

14

What do we have to do?

Level/Tier Merchant Criteria Validation Requirements

1 Merchants processing over 6 million Visa transactions annually (all channels)

•Annual Report on Compliance by Qualified Security Assessor (“QSA”)•Quarterly network scan by Approved Scan Vendor (“ASV”)•Attestation of Compliance Form

2 Merchants processing 1 million to 6 million Visa transactions annually (all channels)

•Annual Self-Assessment Questionnaire•Quarterly network scan by ASV•Attestation of Compliance Form

3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually

•Annual SAQ•Quarterly network scan by ASV•Attestation of Compliance Form

4 Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

•Annual SAQ •Quarterly network scan by ASV if applicable•Requirements set by acquirer

15

Annual PCI DSS Assessment Documents

Documents due by December 12, 2014:1. OSU Cover Page

2. Self Assessment Questionnaire (SAQ A-D Appropriate to merchant)

3. 3rd Party PCI DSS Certificate of Compliance (if applicable)

Resources Copies of your last assessment can be emailed to you on request Website: http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card-merchants

Status Report by Business Center SAQ Forms, Instructions, and guidelines Navigating the PCI DSS Glossary

16

Self Assessment Questionnaire (SAQ)

Completed by the merchant manager Subset of full requirementsBroken down by Goals & RequirementsMade up of Yes / No / Not Applicable responses

NA or “Compensating Control”- must be explained No- Must have Remediation Date and Actions

Attestation Section Fill out the Merchant Version Do not complete the Service Provider Version

17

Which SAQ? See PCI DSS Status Report

Form Description

SAQ ACard-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

SAQ BImprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage

SAQ C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage

SAQ DAll other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

18

Multiple Merchant Consolidation

Multiple merchants can be can be combined into a single submittal if:

1. The merchant IDs (MIDs) are of the same type (i.e. all POS, Web…)

2. All merchants are managed by same merchant manager

3. The same policies and procedures apply to all merchants

4. Strictest SAQ will apply (the one with the most questions)

5. List all merchants on cover page.

19

SAQ Example-Requirements

20

Compliance Summary

21

SAQ Example- Explanation of Non-Applicability

22

SAQ Example-Compensating Controls

23

Complete “Merchant” version not Qualified Security Assessor Company version (if avail). OSU does not use a Qualified Security Assessor Company

SAQ Example-Attestation

24

Tips and Hints

These focus on SAQ A and SAQ B since most merchants use these forms

SAQ ASAQ B

25

Your to do list by December 12:

1. Verify credit card merchant information with Business Affairs

2. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable)

3. Merchant managers complete and sign the Cover Page & SAQ (Annual PCI DSS Assessment must be completed for all Merchants).

4. Business Center Manager or FAM must review and sign.

5. Send to Robin Whitlock and Dan Hough Electronic submission is preferred.

26

Coming in 2015: PCI 3.0

December 2015 validation will be to PCI 3.0How PCI 3.0 requirements will be addressed by OSU merchants is still to be determined

We will keep you posted as information specific to OSU merchants becomes available

27

Resources PCI Compliance for OSU Credit Card Merchants (instructions & forms)

http://fa.oregonstate.edu/business-affairs/annual-pci-compliance-osu-credit-card-merchants

OSU FIS Manual http://oregonstate.edu/fa/manuals/fis/1401-06

OUS Policy Guideline for Electronic Commerce http://www.ous.edu/dept/cont-div/fpm/elec-40-005

Oregon Accounting Manual - Credit Card Acceptance for Payment http://www.oregon.gov/DAS/CFO/SARS/policies/oam/10.35.00.pr.pdf

Oregon State Treasury Cash Management Policy http://

www.oregon.gov/treasury/Divisions/Finance/StateAgencies/Pages/Cash-Management-Manual.aspx

Payment Card Industry Data Security Standards https://www.pcisecuritystandards.org/merchants/

28

Thank You

Business Affairs Contacts Robin Whitlock

Robin.Whitlock@OregonState.edu, 541-737-0622

Dan Hough Dan.Hough@OregonState.edu, 541-737-2935