pci 3.0 boot camp - treasury management•implement additional security features for any required...

Post on 21-May-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: PCI 3.0 Boot Camp - Treasury management•Implement additional security features for any required services, protocols, or daemons that are considered to be insecure Requirement 2.3

PCI 3.2 Annual 2018 Training

PCI 3.2 Training - 2018 1


Agenda

• PCI Overview

• What’s New in Harvard’s Program

• What’s New in PCI DSS 3.2

• SAQ Review

• Questions


PCI Compliance Reset

• Self Assessment Questionnaire

– Start early

– Complete accurately

– Cash Management - central POC

– Use IT Support and Vendors

– Use HUIT Sec/NOC/SOC/EndPoint Support

– Answer N/A or No with compensating controls

– Keep supporting documentation on file


Answering the SAQ

• Yes

– The expected testing has been performed, and all elements of the requirement have been met as stated.


Answering the SAQ

• Yes with CCW (Compensating Control Worksheet)

– The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.

– All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.

– Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.


How to Answer an SAQ

• No – Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.

• N/A (Not Applicable) – The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.)

– All responses in this column require a supporting explanation in Appendix C of the SAQ.


PCI Compliance Reset

• Documented local Business Policies

– Document current business processes

– Updated/reviewed annually

– Comply with latest PCI standards

– Annual PCI Awareness Training for all staff

• Hr.harvard.edu training portal (type “pci…” in search bar and link will appear)


PCI Compliance Reset

• Vendor Service Agreements

– Document which PCI DSS requirements are managed by each service provider, and which are managed by merchant.

– Do not engage in online service agreements.

– PCI Rider is required.

– Vendor Risk Assessment if collecting Level 4 data

– Procurement Office should negotiate agreement.


New Scanning Requirements

• Submit Document

– Network Diagrams and Data Flow Diagram of CDE must be submitted to Cash Management

• Internal Scans

– Internal Vulnerability Scans or Applications must be done if required

• External Scans

– Only required for hosting vendors not listed on Visa’s Registry of Approved Vendors

– Must be run on a monthly basis

– Must be run after any significant change in the network


What’s New in Harvard’s Program


TouchNet UStores

• Flexible, PCI-compliant eCommerce portal/website

• Created for non-student account payments

• Ability to brand store

• ERP integration to G/L

• Online stores

• Payment pages

• Mobile

• Robust reporting for merchant

• Enhanced detailed reporting across merchants for school administrators


TouchNet uPay

• Secure interfaces for third-party applications (Technolutions, AudienceView, Cvent, Certain, Salesforce interface…)

• ERP integration to G/L

• Robust reporting for merchant

• Enhanced detailed reporting across merchants for school administrators


New Scanning Requirement

• Need Scanning

– Technolutions

– Hobsons

– Harvard-hosted

• No Scanning

– Cvent

– Certain

– AudienceView

– Rackspace

– AWS

– Salesforce

– TouchNet

– Tessitura

– T2


SSL/Early TLS

Requirement 2.2.3

• Implement additional security features for any required services, protocols, or daemons that are considered to be insecure

Requirement 2.3

• Encrypt all non-console administrative access using strong cryptography.

Requirement 4.1

• Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
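The three requirements above all come down to the same configuration decision: refuse SSL and early TLS (SSLv3, TLS 1.0, TLS 1.1) and negotiate TLS 1.2 or later. The following Python example is added here for illustration and is not part of the deck or of Harvard's program; it uses only the standard `ssl` module. The `EARLY_TLS` and `STRONG_TLS` name sets, the `legacy_config` list and the `certfile`/`keyfile` placeholders are constructed for the example.

```python
import ssl
from typing import Iterable, List

# Versions PCI DSS 3.2 classes as "SSL/early TLS": not acceptable as a
# security control for Requirements 2.2.3, 2.3 and 4.1 (constructed name set).
EARLY_TLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})
STRONG_TLS = frozenset({"TLSv1.2", "TLSv1.3"})


def is_strong_protocol(name: str) -> bool:
    """True for TLS 1.2/1.3, False for SSL, early TLS or an unknown name."""
    return name in STRONG_TLS


def audit_enabled_protocols(enabled: Iterable[str]) -> List[str]:
    """Return the early-TLS versions present in a list of enabled protocol
    names, e.g. pulled from a load balancer or web server configuration."""
    return sorted(p for p in enabled if p in EARLY_TLS)


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context for admin tools and API calls that carry card
    data (Req. 2.3 / 4.1): TLS 1.2 minimum, chain and hostname verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side context for a payment or admin endpoint: TLS 1.2 minimum,
    so SSLv3 / TLS 1.0 / TLS 1.1 clients cannot negotiate a session at all.
    certfile/keyfile are placeholders supplied by the deployment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest version a context will negotiate, for audit records."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    # Constructed sample: a server configuration that still allows early TLS.
    legacy_config = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    print("early TLS still enabled:", audit_enabled_protocols(legacy_config))
    print("hardened client minimum:", minimum_protocol_name(hardened_client_context()))
```

`audit_enabled_protocols` is the check a merchant can run against a vendor's or HUIT's reported TLS settings before answering "Yes" on the SAQ; the two context builders show the setting that makes the answer true.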


SAQ Review



SAQ Review – When to use SAQ A vs SAQ A-EP

SAQ A

• All processing of cardholder data is entirely outsourced to a PCI DSS validated 3rd-party Service Provider

SAQ A-EP

• All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated 3rd-party payment processor


Examples of SAQ A Merchant

SAQ A

• Merchant has no access to their website, and website is entirely hosted and managed by compliant 3rd-party payment processor, OR

• Merchant website provides an iFrame or URL link to PCI DSS compliant 3rd-party payment processor.

SAQ A-EP

• Merchant website creates the payment form, and Direct Posts (SOAP) to payment processor

• Merchant website loads or delivers script that runs in consumers’ browser (e.g. JavaScript) and provides functionality that supports creation


Network Penetration Tests

An annual penetration test is required for all merchants who meet any of the following criteria:

• Merchants accept CC’s on devices that transmit over Harvard’s network

• Merchants store CC #’s on a back-end server

• Some element of the payment page originates on the merchant website

• The local unit is responsible for the cost of the penetration test ($7500-$10,000)

• Merchants are responsible for correcting any identified deficiencies during test

• Annual Requirement


Mitigate Penetration Testing

• Implement P2PE for SAQ A-EP, SAQ C and C-VT

– Vendor must be listed on PCI SSC website

– Removes CHD from merchant environment

– Reduces PCI Compliance Scope

– Abbreviated SAQ (SAQ C/C-VT to SAQ P2PE)

• Approximately 18 questions


Validating P2PE

• Solution Vendor must be listed with PCI SSC

• Remove all card data regardless of encryption format in current environment

• Vendor Implementation Guide should be on file at Cash Management

• Test VLAN between merchant and vendor

• Validate CDE does not enter merchant environment


SAQ Requirements


SAQ A Requirements

#2

• Changing vendor defaults and removing unnecessary default accounts

#8

• Uniquely identifying and authenticating users, requiring strong passwords, deactivating terminated user accounts

#12

• Requiring Merchants to have an incident response plan


SAQ C Requirements

#6

• Applying or updating PCI DSS requirements when significant changes are made to in-scope networks or systems

#8

• More robust user identification and authentication management, expansion of existing multi-factor authentication to include non-console administrator access

#9

• Basic measures for physical security including use of entry controls appropriate to protect facilities and systems in the cardholder data environment, monitoring of individual physical access to and from sensitive areas using access control mechanisms

#11

• Segmentation testing; penetration testing to be performed by a suitably qualified person


SAQ C-VT Requirements

#8

• More robust user identification and authentication management, expansion of existing multi-factor authentication to include non-console administrator access

#9

• Basic measures for physical security including use of entry controls appropriate to protect facilities and systems in the cardholder data environment, monitoring of individual physical access to and from sensitive areas using access control mechanisms

#11

• Segmentation testing; penetration testing to be performed by a suitably qualified person


SAQ P2PE Requirements

#3

• Is the PAN masked when displayed?

#4

• Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?


Resources

– otm.finance.harvard.edu

– https://www.pcisecuritystandards.org/merchants/index.php

– SAQs

• https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

– Harvard Support/Questions

[email protected]

– Trustwave QSA – Cash Management will arrange teleconference
