
Page 1: Credit Card Data Security Compliance

Achieving PCI Compliance
July 2009

Kim Ray, Campus Credit Card Coordinator, Billing and Payment Services
Karen Eft, IT Policy Manager, Office of the CIO
Kate Riley, IT Security Analyst, Information System Technology

Page 2: Who Accepts Credit Cards?

Departments with a business need for:

– Ticket Sales
– Enrollment/Registration/Conference Hosting
– Donations/Gifts
– Gift Shops/Admission Desks/Memberships
– Publication Sales
– Public Services (e.g., Library, Optometry, Parking, Cal Overstock)

Page 3: Who Accepts Credit Cards?

Over 130 merchant accounts with annual sales exceeding $103 million/year

[Chart: Gross Annual Credit Card Sales, 2002 through 2008; y-axis $0 to $120,000,000; labeled data point: $43 million in 2003]

Page 4: How we Accept Credit Cards

Obtain Credit Card Number

UC's Acquiring Bank:
• Issues Merchant Account Numbers
• Processes authorizations, sales, credits

System Application Database – On-campus or Hosted by Vendor

Internet Gateways

Page 5: How to Accept Credit Cards – Card Present

Customers making purchases in-person

– Gifts at the Berkeley Art Museum store
– Services at the Optometry Clinic
– Admission to the Botanical Gardens
– Parking pass at Parking and Transportation

Page 6: How to Accept Credit Cards – Card Not Present

Customers making purchases by phone or mail requests

– Conference registration by mail
– Publication purchases over the phone

Page 7: Accepting Credit Card Data by Fax

Prohibited in University Cash-Handling Policy (BUS 49)

– Violation of the intent of section 4(a) in the Uniform Commercial Code

The Campus Controller may grant a variance
– Such a request must provide detail of the compensating controls in place to secure the data

Page 8: How we Accept Credit Cards (diagram from Page 4 repeated)

Page 9: How we Accept Credit Cards – Card Not Present

Customers making purchases online through a department's web application that interfaces with an Internet Gateway

– Enroll in a course with University Extension
– Purchase a ticket for an Athletics game
– Pay a student intent to register fee
– Pay a Visiting Scholar's fee

Page 10: Department Web Application

The department has a business need to collect and store personally identifiable information
– Hosted: On-campus or by Vendor

Must comply with Campus Minimum Security Standards:
– https://security.berkeley.edu/MinStds/
  – Networked Devices
  – Electronic Information

Page 11: Campus Minimum Security Standards

Karen Eft, IT Policy Manager
Office of the Chief Information Officer

Page 12: Campus IT Security Policy

Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control.

Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.

Page 13: UC-wide Business & Finance Bulletins, "IS" series

Oversight of Electronic Information:

IS-2, Inventory, Classification, and Release of University Electronic Information
IS-3, Electronic Information Security
IS-11, Identity and Access Management
IS-12, Continuity Planning and Disaster Recovery

(http://www.ucop.edu/irc/itsec/uc/mgt_guide/guide.html)

Page 14: Minimum Security Standards

Minimum ≠ minimal

Why do we put you through this?

Page 15: Prevent Identity Theft

Horrible consequences for victims of identity theft.

When un-encrypted data of specific types is "breached" we have to notify the subjects.

Incredible waste of time and effort responding to security incidents.

Notifications can cost millions of dollars.

Damage to reputation / good will.

Reduced level of donations or research funding.

Page 16: Minimum Security Standards

MSS for Networked Devices
MSS for Electronic Information

Page 17: Minimum Security Standards for Networked Devices

1. Keep software patches current
2. Run approved anti-virus software
3. Run approved host-based firewall software
4. Use secure passwords
5. No unencrypted authentication
6. No unauthenticated email relays
7. No unauthenticated proxy services
8. Ensure physical security
9. Don't run unnecessary services

Page 18: Minimum Security Standards for Electronic Information (MSSEI)

1. Notice-triggering information
   High Confidentiality - apply all protective measures listed in Attachment A

2. Payment Card Industry Data
   May not be stored without explicit approval from UC Berkeley Billing and Payment Services

Page 19: 1) MSSEI notice-triggering information:

First name OR first initial AND last name

in combination with one or more of the following:

– Social Security Number,
– driver's license number,
– California Identification Number,
– financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account,
– medical information,
– health insurance information.

Page 20: Protective Measures for high confidentiality information:

more …

Page 21: Protective Measures for high confidentiality information (cont'd):

more ...

Page 22: Protective Measures for high confidentiality information (cont'd):

Page 23: 2) Payment Card Industry Data Security Standard (PCI DSS):

Primary Account Number (PAN) (credit card number) AND any of the following if stored, processed, or transmitted with the PAN:

– Cardholder Name,
– Service Code,
– Expiration Date.

Note that sensitive authentication data (full magnetic-stripe or track data, the card verification code printed on the card, and PINs or PIN blocks) may never be stored after authorization, even encrypted, under PCI DSS Requirement 3.2; the storage approval described on Page 18 covers the PAN and its companion elements only.

Page 24: MSSEI:

1. Notice-triggering information
   High Confidentiality - apply all protective measures listed in Attachment A

2. Payment Card Industry Data
   May not be stored without explicit approval from UC Berkeley Billing and Payment Services

Page 25: Compliance:

Departmental Security Contact Policy
Guidelines and Procedures for Blocking Network Access
Security Incident Response Procedures

Page 26: Departmental Security Contact Policy

To implement this policy, each department needs to appoint a security contact and one or more backup contacts. Departments may agree to share contacts for efficiency. …

Contacts need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the contact to have extensive security expertise.

Page 27: Guidelines and Procedures for Blocking Network Access

When computers pose a serious risk to campus information system resources or the Internet, their network connection may be blocked.

If the threat is immediate, the offending computer(s) will be blocked immediately and notification will be sent to the departmental security contact(s) via email that the block has occurred.

Page 28: Security Incident Response Procedures

Berkeley Campus Plan Implementing UC Requirements for Protection of Computerized Personal Information

1. Definitions
2. Responsibilities
3. Incident Response Process
4. Notification Procedures
5. Reporting Requirements

Attachment A: Information Practices Act: Sections 1798.29, 1798.82, 1798.84
Attachment B: Revision to IS-3 to Cover SB 1386 Requirements
Attachment C: Draft notification text for a 1386 breach

Page 29: Security Incident Response Procedures

Remove the threat.

Preserve evidence.

"Maybe" re-build the environment to resume operations.

Determine whether a breach, then whether notification is required.

Page 30: Security Incident Repercussions

Very costly

Very intrusive upon regular operations

Damaging to the department or project, to the Berkeley Campus, to the University of California, to faculty, to staff

Page 31: Assistance:

[email address at berkeley.edu; local part not captured in transcript]

Technical services and tools

Implementing Guidelines

Requests for Exception

Page 32: Campus Minimum Security Standards

Implementing Guidelines:

1. Software patch updates: See the Software patch updates FAQ page, which includes examples of "non-compliant" operating systems. Also see instructions for:
   * Microsoft Windows Operating System
   * Linux/UNIX Operating System
   * Macintosh Operating System

2. Anti-virus software
   * Updating Firewall/Antivirus

3. Host-based firewall software

etc., etc.

Page 33: Campus Minimum Security Standards

Requests for Exception:

Departments, units, or individuals who believe their environments require configurations that do not comply with the Minimum Standards may request exceptions to the Policies.

Page 34: Minimum Security Standards

MSS for Networked Devices
MSS for Electronic Information

Page 35: Data Security on Campus

Kate Riley, IT Security Analyst
IST-Application Services

Page 36: Attacks

This campus receives millions of attacks per day:
– Attempts to exploit unpatched systems
– Attacks specific to application software
– Phishing attacks

Page 37: Motivation for Attacks

Defacement

Denial of Service

Data Theft

Page 38: Campus Offerings

Restricted Data Management (RDM)

Scanning Tools
– AppScan
– Nessus

Aggressive IP Distribution (AID)

You

Page 39: Credit Card Data Security

2004: The card brands consolidated their separate programs (including Visa's CISP and MasterCard's SDP) into the Payment Card Industry Data Security Standard (PCI DSS 1.0), released December 2004

2006: PCI DSS 1.1, issued by the newly formed PCI Security Standards Council, made compliance with the standard even more challenging

2008: PCI DSS 1.2 released (October 2008); it is the current version as of this presentation

University Cash-Handling Policy (BUS 49) requires that all campus merchants comply with PCI:DSS

Page 40: Credit Card Data Security

General rules:

– Will not capture or transmit the credit card number on the campus network
  Includes emails, spreadsheets, printers, etc.

– Will not store credit card numbers electronically on campus in any device

Page 41: Payment Card Industry Data Security Standards

PCI:DSS groups its twelve requirements under six control objectives:
– Building and maintaining a secure network
– Protecting cardholder data
– Maintaining a vulnerability management program
– Implementing strong access control measures
– Regularly monitoring and testing networks
– Maintaining an information security policy

Page 42: Payment Card Industry Data Security Standards

PCI:DSS requires campus merchants to complete an annual self-assessment questionnaire to certify your compliance with security standards for your merchant type

Page 43: PCI Merchant Types

There are four PCI:DSS Self-Assessment Questionnaires depending on acceptance method. Under PCI DSS 1.2 they are:

– SAQ A: card-not-present merchants (e-commerce or mail/telephone order) with all cardholder data functions outsourced
– SAQ B: imprint-only merchants or merchants with standalone dial-out terminals, no electronic cardholder data storage
– SAQ C: merchants whose payment application systems are connected to the Internet, no electronic cardholder data storage
– SAQ D: all other merchants (and all service providers)

Page 44: SAQ-B: Sample Compliance

Total: 26 questions similar to:

– Is the card number masked when displayed?
– Are policies, procedures and practices in place to preclude sending unencrypted card numbers by end-user messaging technologies (e.g., email, instant message, chat)?
– Is access to system components and cardholder data limited to individuals with business need?
– Are all paper and electronic media with cardholder data physically secure?

Page 45: SAQ-D: Sample Compliance

Total: 226+ questions cover the topics of:

– Install and maintain a firewall configuration to protect data
– Do not use vendor supplied passwords for system defaults and other security parameters
– Protect stored cardholder data
– Encrypt transmission of cardholder data across open, public networks
– Use and regularly update anti-virus software or programs
– Develop and maintain secure systems and applications
– Restrict access to cardholder data by business need-to-know
– Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification

Page 46: 3rd Party Service Agreements

– Service providers are contractually required to adhere to the PCI:DSS requirements

– All campus credit card operations must have a written agreement that has been reviewed and approved by the campus business contract office

– No click-on agreements!

Page 47: PCI Data Security Standards

PCI:DSS requirements at:
– https://www.pcisecuritystandards.org/

Merchants complying with SAQ-C or SAQ-D may need quarterly network scans
– The campus is working to limit the number of SAQ-C and SAQ-D merchants
  Reduces our exposure to risk
  Less costly for the merchant

Page 48: Campus Certification Vendor

The University contracted with Trustwave to host the questionnaires online and to conduct the scans
– Via their online portal trustkeeper.net

Each merchant department has a designated administrator who oversees PCI compliance for their merchant accounts

Page 49: Merchant Timeline - 2009

July-August:

1. PCI:DSS Training
   • PCI Administrators conduct PCI training with all staff handling credit card data

2. Certify PCI:DSS Compliance
   • PCI Administrators certify compliance via the trustkeeper.net portal

Page 50

PCI:DSS Training

PCI:DSS Requirement 12.6

“Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security?”

– 12.6.1 “Educate employees upon hire and at least annually”

– 12.6.2 “Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures”

Page 51

Certify PCI:DSS Compliance

PCI administrator logs into existing merchant profile in trustkeeper.net
– Contact Billing and Payment Services Office for PCI administrator changes

Pays for the contract extension fee via departmental BluCard

Completes and passes the appropriate PCI:DSS Self-Assessment Questionnaire

Page 52

Consequences if not compliant

– Visa merchants are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident

– FDMS may also impose fines or penalties

– The campus will no longer be able to self-certify; we will need to pay for qualified auditors to come on-site to document our compliance

– Managed response to any breach of sensitive data

Page 53

Campus PCI:DSS Compliance

Compliance must be documented annually with FDMS and UCOP

Based on our campus wide activity, the Controller’s Office must file a formal ‘Attestation of Compliance’ with First Data Merchant Services annually

If one merchant answers ‘No’ to one question, then the entire campus fails compliance

Page 54

Campus Compliance Timeline - 2009

September:

– Controllers Office files an ‘Attestation of Compliance’ with University’s bank

If one merchant answers ‘No’ to one question, then the entire campus fails compliance

Page 55

Other Credit Card Requirements

Payment Application Data Security Standards (PA:DSS) applies to payment applications that are sold, distributed or licensed to third-parties
– Designed to help software vendors and others develop secure payment applications that:
• Do not store prohibited data (e.g., full magnetic stripe, CVV2 or PIN data)
• Ensure the payment application supports compliance with the PCI DSS
• Ensure software development processes for web-based applications follow secure coding practices
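The first PA:DSS goal above has a concrete engineering counterpart: whatever a payment application writes to disk or to a log after authorization must not contain full magnetic stripe (track) data, CVV2 or PIN data, and the PAN itself should be truncated. The following Python is an added illustration for this page; it is not code from the presentation, from Trustwave, or from the PA:DSS program. It shows a storage-time filter that rejects records carrying prohibited fields and masks the PAN, plus a scanner that flags such data if it has leaked into application logs. The field names, the regular expressions, the Luhn-valid test number and the sample log lines are constructed assumptions, not values from the deck.

```python
import re

# Assumed record field names for data PA:DSS says must never be stored after authorization.
PROHIBITED_FIELDS = ("track1", "track2", "cvv2", "pin", "pin_block")

# Constructed patterns: ISO track 1 ("%B<PAN>^..."), track 2 (";<PAN>=YYMM...") and bare PANs.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3 truncation)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("value is not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prohibited_fields_present(record: dict) -> list:
    """Names of prohibited fields that carry a non-empty value."""
    return [f for f in PROHIBITED_FIELDS if record.get(f)]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy safe to persist: no track/CVV2/PIN data, PAN truncated.

    Raises ValueError instead of silently dropping prohibited data so the
    calling code path (and its author) is forced to stop collecting it.
    """
    bad = prohibited_fields_present(record)
    if bad:
        raise ValueError(f"prohibited post-authorization data present: {bad}")
    out = {k: v for k, v in record.items() if k not in PROHIBITED_FIELDS}
    if "pan" in out:
        out["pan"] = mask_pan(out["pan"])
    return out


def scan_line(line: str) -> list:
    """Findings for one log line: which kinds of cardholder data appear unmasked."""
    findings = []
    if TRACK1_RE.search(line):
        findings.append("track1")
    if TRACK2_RE.search(line):
        findings.append("track2")
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append("pan")
            break
    return findings


def scan_log(lines) -> dict:
    """Map 1-based line number -> findings, for lines that contain anything."""
    result = {}
    for n, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            result[n] = found
    return result


# Constructed sample log: line 2 is the kind of debug output PA:DSS forbids.
SAMPLE_LOG = [
    "2009-07-14 10:02:11 auth ok merchant=ticket-office pan=411111******1111 amount=45.00",
    "2009-07-14 10:02:12 DEBUG raw swipe: ;4111111111111111=2512101123456789?",
    "2009-07-14 10:03:40 refund id=8812 amount=12.50",
]

if __name__ == "__main__":
    print(sanitize_for_storage({"pan": "4111 1111 1111 1111", "expiry": "12/25", "amount": "45.00"}))
    print(scan_log(SAMPLE_LOG))  # only line 2 should be reported
```

Run the scanner over real application and web-server logs as a periodic job; a single hit on track or CVV2 data is a finding to fix in the application, not just a line to delete, because the same code path will write it again on the next transaction.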

Page 56

Other Credit Card Requirements

University Cash-Handling Policy (BUS 49) requires that relationships with a third party vendor to manage credit card acceptance be approved by UCOP Banking Services
– The third party’s background, capabilities, financial condition and references are reviewed
– Contract agreements are required to meet minimum levels of protection, regulatory compliance, insurance, bonding, and accurate/timely handling of credit card data as outlined in University policy BUS-49

Page 57

Obtaining PCI Compliance

(Diagram slide: the campus merchant environment, its network connections and the UCB Pre-Approved Gateways, each labelled with a compliance question. Labels as they appear on the slide:)

– If we control this connection, is it PCI compliant?
– Is the server PCI compliant? Is the application PCI compliant?
– Is this connection PCI compliant?
– Are paper records PCI compliant?
– UCB Pre-Approved Gateways: PCI compliant

Page 58

PCI Compliance Timeline - 2009

July-August:

– Campus departments conduct PCI training with all staff handling credit card data

– PCI Administrators obtain and document compliance via the trustkeeper.net portal

September:

– Controllers Office files an ‘Attestation of Compliance’ with University’s bank

Page 59

Resources/References

VISA’s List of PCI:DSS Compliant Applications
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

PA:DSS Qualified Applications
https://www.pcisecuritystandards.org/security_standards/vpa/

PCI:DSS
https://www.pcisecuritystandards.org

Page 60

Resources/References

UC Cash-Handling Policy: BUS 49
http://www.ucop.edu/ucophome/policies/bfb/bus49.pdf

UCB Minimum Security Standards
https://security.berkeley.edu/MinStds/

Page 61

Contacts

Kim Ray
[email protected]

Karen Eft
[email protected]

Technical Questions
[email protected]