PCI 3.2 Annual 2018 Training
PCI 3.2 Training - 2018 1
Agenda
• PCI Overview
• What’s New in Harvard’s Program
• What’s New in PCI DSS 3.2
• SAQ Review
• Questions
PCI Compliance Reset
• Self Assessment Questionnaire
– Start early
– Complete accurately
– Cash Management - central POC
– Use IT Support and Vendors
– Use HUIT Sec/NOC/SOC/EndPoint Support
– Answer N/A or No with compensating controls
– Keep supporting documentation on file
Answering the SAQ
• Yes
– The expected testing has been performed, and all elements of the requirement have been met as stated.
Answering the SAQ
• Yes with CCW (Compensating Control Worksheet)
– The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
– All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.
– Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
How to Answer an SAQ
• No – Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
• N/A (Not Applicable) – The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.)
– All responses in this column require a supporting explanation in Appendix C of the SAQ.
PCI Compliance Reset
• Documented local Business Policies
– Document current business processes
– Updated/reviewed annually
– Comply with latest PCI standards
– Annual PCI Awareness Training for all staff
• Hr.harvard.edu training portal (type “pci…” in search bar and link will appear)
PCI Compliance Reset
• Vendor Service Agreements
– Document which PCI DSS requirements are managed by each service provider, and which are managed by merchant.
– Do not engage in online service agreements.
– PCI Rider is required.
– Vendor Risk Assessment if collecting Level 4 data
– Procurement Office should negotiate agreement.
New Scanning Requirements
• Submit Document
– Network Diagrams and Data Flow Diagram of CDE must be submitted to Cash Management
• Internal Scans
– Internal Vulnerability Scans or Applications must be done if required
• External Scans
– Only required for hosting vendors not listed on Visa’s Registry of Approved Vendors
– Must be run on a monthly basis
– Must be run after any significant change in the network
What’s New in Harvard’s Program
TouchNet UStores
• Flexible, PCI-compliant eCommerce portal/website
• Created for non-student account payments
• Ability to brand store
• ERP integration to G/L
• Online stores
• Payment pages
• Mobile
• Robust reporting for merchant
• Enhanced detailed reporting across merchants for school administrators
TouchNet uPay
• Secure interfaces for third-party applications (Technolutions, AudienceView, Cvent, Certain, Salesforce interface…)
• ERP integration to G/L
• Robust reporting for merchant
• Enhanced detailed reporting across merchants for school administrators
New Scanning Requirement
• Need Scanning
– Technolutions
– Hobsons
– Harvard-hosted
• No Scanning
– Cvent
– Certain
– AudienceView
– Rackspace
– AWS
– Salesforce
– TouchNet
– Tessitura
– T2
SSL/Early TLS
Requirement 2.2.3
• Implement additional security features for any required services, protocols, or daemons that are considered to be insecure
Requirement 2.3
• Encrypt all non-console administrative access using strong cryptography.
Requirement 4.1
• Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
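Before a merchant turns off SSL and early TLS to meet requirements 2.3 and 4.1, it helps to know which clients are still negotiating the old protocols, so the cutover does not break a terminal or back-office host nobody remembered. The script below is an added example written for this training page, not code from the deck, from Harvard, or from any vendor named here. It assumes a web server access log with a custom format that appends the negotiated protocol and cipher (as nginx’s $ssl_protocol/$ssl_cipher or Apache’s %{SSL_PROTOCOL}x/%{SSL_CIPHER}x can), and the sample log lines in it are constructed. It also shows the client-side mitigation: an SSL context that refuses anything below TLS 1.2 for non-console administrative or API connections.

```python
import re
import ssl
from collections import Counter

# Protocol names as nginx ($ssl_protocol) and Apache (%{SSL_PROTOCOL}x) log them.
# PCI SSC's "SSL/early TLS" migration covers SSL and TLS 1.0; TLS 1.1 is flagged
# separately because it falls short of what requirement 4.1 means by "strong".
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
DISCOURAGED = {"TLSv1.1"}
STRONG = {"TLSv1.2", "TLSv1.3"}

# Assumed custom log layout (not from the deck):
#   client - - [time] "request" status bytes "ssl_protocol" "ssl_cipher"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ '
    r'"(?P<proto>[^"]*)" "(?P<cipher>[^"]*)"$'
)

# Constructed sample lines; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2018:10:01:02 -0400] "POST /pay HTTP/1.1" 200 512 "TLSv1.2" "ECDHE-RSA-AES256-GCM-SHA384"',
    '198.51.100.7 - - [12/Mar/2018:10:01:05 -0400] "GET /cart HTTP/1.1" 200 1024 "TLSv1" "AES128-SHA"',
    '203.0.113.22 - - [12/Mar/2018:10:02:11 -0400] "POST /pay HTTP/1.1" 200 512 "TLSv1.1" "ECDHE-RSA-AES128-SHA"',
    '192.0.2.5 - - [12/Mar/2018:10:03:40 -0400] "GET /admin HTTP/1.1" 200 2048 "TLSv1.3" "TLS_AES_256_GCM_SHA384"',
    '198.51.100.7 - - [12/Mar/2018:10:04:00 -0400] "GET /cart HTTP/1.1" 200 1024 "TLSv1" "AES128-SHA"',
]


def classify_protocol(proto):
    """Return 'weak', 'discouraged', 'strong' or 'unknown' for a logged protocol name."""
    if proto in WEAK:
        return "weak"
    if proto in DISCOURAGED:
        return "discouraged"
    if proto in STRONG:
        return "strong"
    return "unknown"


def triage_tls_log(lines):
    """Count connections per protocol class and list clients still on legacy protocols.

    Returns {"counts": Counter, "legacy_clients": {client: set(protocols)}}.
    Lines that do not match the expected layout are counted as "unparsed".
    """
    counts = Counter()
    legacy = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        cls = classify_protocol(m["proto"])
        counts[cls] += 1
        if cls != "strong":
            legacy.setdefault(m["client"], set()).add(m["proto"])
    return {"counts": counts, "legacy_clients": legacy}


def hardened_client_context():
    """Client-side SSLContext for non-console admin or API access: TLS 1.2 minimum,
    with certificate and hostname verification left on (the default-context defaults)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    result = triage_tls_log(SAMPLE_LOG)
    print(dict(result["counts"]))
    for client, protos in sorted(result["legacy_clients"].items()):
        print(f"{client}: still negotiating {', '.join(sorted(protos))}")
```

Run it over a day of real logs before the cutover; any client that appears only under "weak" or "discouraged" needs attention before the server-side change, and any that keeps appearing afterwards will show up as failed handshakes rather than in this log.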
SAQ Review
SAQ A
• All processing of cardholder data is entirely outsourced to a PCI DSS validated 3rd-party Service Provider
SAQ A-EP
• All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated 3rd-party payment processor
When to use SAQ A vs SAQ A-EP
Examples of SAQ A Merchant
• Merchant has no access to their website, and website is entirely hosted and managed by compliant 3rd-party payment processor OR
• Merchant website provides an iFrame or URL link to PCI DSS compliant 3rd-party payment processor.
Examples of SAQ A-EP Merchant
• Merchant website creates the payment form, and Direct Post (SOAP) to payment processor
• Merchant website loads or delivers script that runs in consumers’ browser (e.g. JavaScript) and provides functionality that supports creation
Network Penetration Tests
An annual penetration test is required for all merchants who meet any of the following criteria:
• Merchants accept CC’s on devices that transmit over Harvard’s network
• Merchants store CC #’s on a back-end server
• Some element of the payment page originates on the merchant website
• The local unit is responsible for the cost of the penetration test ($7500-$10,000)
• Merchants are responsible for correcting any identified deficiencies during test
• Annual Requirement
Mitigate Penetration Testing
• Implement P2PE for SAQ A-EP, SAQ C and C-VT
– Vendor must be listed on PCI SSC website
– Removes CHD from merchant environment
– Reduces PCI Compliance Scope
– Abbreviated SAQ (SAQ C/C-VT to SAQ P2PE)
• Approximately 18 questions
Validating P2PE
• Solution Vendor must be listed with PCI SSC
• Remove all card data regardless of encryption format in current environment
• Vendor Implementation Guide should be on file at Cash Management
• Test VLAN between merchant and vendor
• Validate CDE does not enter merchant environment
SAQ Requirements
SAQ A Requirements
#2
• Changing vendor defaults and removing unnecessary default accounts
#8
• Uniquely identifying and authenticating users, requiring strong passwords, deactivating terminated user accounts
#12
• Requiring Merchants to have an incident response plan
SAQ C Requirements
#6
• Applying or updating PCI DSS requirements when significant changes are made to in-scope networks or systems
#8
• More robust user identification and authentication management, expansion of existing multi-factor authentication to include non-console administrator access
#9
• Basic measures for physical security including use of entry controls appropriate to protect facilities and systems in the cardholder data environment, monitoring of individual physical access to and from sensitive areas using access control mechanisms
#11
• Segmentation testing and penetration testing to be performed by a suitably qualified person
SAQ C-VT Requirements
#8
• More robust user identification and authentication management, expansion of existing multi-factor authentication to include non-console administrator access
#9
• Basic measures for physical security including use of entry controls appropriate to protect facilities and systems in the cardholder data environment, monitoring of individual physical access to and from sensitive areas using access control mechanisms
#11
• Segmentation testing and penetration testing to be performed by a suitably qualified person
SAQ P2PE Requirements
#3
• Is the PAN masked when displayed?
#4
• Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
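The two P2PE questions above come down to two checks a merchant can actually automate: masking a PAN before it is shown (PCI DSS 3.3 permits at most the first six and last four digits to be displayed) and noticing when a full PAN has slipped into an e-mail, ticket or chat message despite the policy. The script below is an added example written for this page, not code from the deck, from Harvard or from any vendor named here. It uses the Luhn check digit to separate card numbers from other 13-19 digit strings such as order numbers, and the sample messages are constructed from well-known test card numbers, not real cardholder data.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check-digit test: every card PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan, keep_first=6, keep_last=4):
    """Display masking per PCI DSS 3.3: show at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    hidden = len(digits) - keep_first - keep_last
    if hidden < 1:
        raise ValueError("too short to be a PAN")
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_pans(text):
    """Return the Luhn-valid PANs (digits only) found in a message body."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_message(text):
    """Replace every Luhn-valid PAN in an outbound message with its masked form.

    Separators inside the original PAN are dropped, so '5555-5555-5555-4444'
    becomes '555555******4444'.
    """
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(_mask, text)


def messages_with_pans(messages):
    """Indexes of the messages that carry at least one unprotected PAN."""
    return [i for i, msg in enumerate(messages) if find_pans(msg)]


# Constructed sample messages using publicly known test card numbers.
SAMPLE_MESSAGES = [
    "Refund request: card 4111 1111 1111 1111, order 1234567890123456, call 617-495-1000",
    "Ticket #5555 closed, no card data included",
    "Chargeback on 5555-5555-5555-4444 for $42.00",
]

if __name__ == "__main__":
    for i in messages_with_pans(SAMPLE_MESSAGES):
        print(f"message {i} contains a PAN -> {redact_message(SAMPLE_MESSAGES[i])}")
```

The order number in the first message is sixteen digits long but fails the Luhn test, so it is neither flagged nor redacted; that is the difference between a usable outbound-mail or ticket-system filter and one that pages someone on every invoice number.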
Resources
– otm.finance.harvard.edu
– https://www.pcisecuritystandards.org/merchants/index.php
– SAQs
• https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
– Harvard Support/Questions
– Trustwave QSA – Cash Management will arrange teleconference