Payment Card Industry Data
Security Standards
PCI DSS
Rhonda Chorney
Today's Agenda
1. What is PCI DSS?
2. Where are we today?
3. Why is compliance so important?
4. What are the PCI requirements?
5. What's an SAQ? Attestation of Compliance?
6. The annual compliance cycle.
What is PCI-DSS?
• PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit and debit card transactions and protect cardholders against misuse of their personal information.
• The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa,
What is meant by Cardholder Data?
• Cardholder data refers to any information contained on a customer's payment card. Data is printed on either side of the card and is contained in digital format on the magnetic stripe or in the chip embedded on the front side.
• Cardholder data includes the primary account number (PAN), cardholder name, expiration date and the 3- or 4-digit card verification number.
UM Merchant Stats
Merchant Type                                        Number of Merchants   Number of Terminals
Interactive Voice Response (IVR)                     15                    n/a
Point of Sale (POS): standalone terminals,           39                    69
  integrated with payment app., POS batch software
Where are we today?
• In 2010 all merchants completed the Self Assessment Questionnaires and the Attestation of Compliance.
• Feb 2013: we upgraded CORE, the software that the cashiers use; once the self assessment is completed the main cashier's office will be compliant.
• Oct 2013: Raiser's Edge has been upgraded for Donor Relations, which will contribute towards becoming compliant. Donor Relations also has online donation forms which must be replaced to bring them to full compliance. This work is forecast to
• Nov 2013: meetings will be initiated with Kinesiology to plan the upgrade to the CLASS application to bring it to PCI DSS compliance.
• The goal is to have the entire U of M PCI
Why Is Compliance So Important?
A security breach and subsequent compromise of payment card data has far-reaching consequences:
✓ Loss of reputation
✓ Loss of customers
✓ Potential financial liabilities, such as fines of up to $500,000 for a breach; $10,000 per month for non-compliance
✓ Litigation
Who Does PCI DSS Apply To?
PCI DSS applies to all organizations that process, store or transmit cardholder data:
✓ merchants
✓ payment card issuing banks
✓ processors
✓ software developers
✓ other vendors
What Are the PCI DSS Requirements?
REQUIREMENTS
(note: requirements not listed are the responsibility of IST)
3. Protect stored cardholder data (e.g. mask PAN when displayed; don't store unnecessary data such as PIN)
7. Restrict access to cardholder data by business need-to-know (e.g. limit access to system components)
9. Restrict physical access to cardholder data
The Self Assessment Questionnaire (SAQ)
The Self Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants in self-evaluating their compliance with the PCI DSS.
Merchants are pre-assigned to an SAQ based on specific eligibility criteria:
• SAQ A: telephone (IVR) or web processing;
• SAQ B: standalone POS terminal;
• SAQ C: card processing via a 3rd party payment application.
• Questions on the SAQs are derived from the PCI Requirements relevant to merchant type.
✓ SAQ A covers Requirements 9 (physical storage of data) and 12 (familiarity with Cash Control Policy) only.
Process going forward
• The assigned SAQ and Attestation of Compliance forms will be sent to each merchant owner for completion within the next week.
• The requested completion date is Nov 30th.
• Forward the completed documents, soft and
Self Assessment Questionnaire for POS Merchants (SAQ B)
Requirement 3: Protect stored cardholder data
In general, no cardholder data should ever be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.3).
QUESTION RESPONSE: YES NO N/A
3.2 Do all systems adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted)?
3.2.1 Do not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
• The cardholder's name,
• Primary account number (PAN),
• Expiration date, and
• Service code
To minimize risk, store only these data elements as needed for business. NEVER store the card verification code or value (CVV2) or the PIN verification value data elements.
3.2.2 NEVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
3.3 Is the PAN masked when displayed? The cardholder receipt generated by all electronic POS terminals, whether attended or unattended, must reflect only the last four (4) digits of the PAN. All preceding digits of the PAN must be replaced with fill characters, such as "X", "*" or "#", that are neither blank spaces nor numeric characters.
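As an added example (not part of this presentation or of any University system), the Python sketch below applies Requirements 3.2 and 3.3 to a constructed transaction record before anything is written to storage: the sensitive authentication data named in 3.2.1 to 3.2.3 (track data, CVV2, PIN block) is dropped, only the elements 3.2.1 allows are kept, the PAN is masked to its last four digits with a non-blank, non-numeric fill character as 3.3 requires, and a receipt line can be checked for an exposed full PAN. The field names and record layout are assumptions.

```python
import re

# Elements that 3.2.1 says may need to be retained for business.
RETAINABLE = ("cardholder_name", "pan", "expiration_date", "service_code")
# Sensitive authentication data (3.2.1-3.2.3): never stored after authorization,
# so sanitize_for_storage() drops these keys even if the record carries them.
SENSITIVE_AUTH_DATA = ("track1", "track2", "cvv2", "pin", "pin_block")


def mask_pan(pan: str, fill: str = "X") -> str:
    """Mask a PAN as 3.3 requires: only the last four digits remain and every
    preceding digit becomes a fill character that is neither blank nor numeric."""
    if len(fill) != 1 or fill.isspace() or fill.isdigit():
        raise ValueError("fill must be a single non-blank, non-numeric character")
    digits = re.sub(r"\D", "", pan)          # tolerate spaces/dashes in the input
    if not 13 <= len(digits) <= 19:          # PAN lengths used on payment cards
        raise ValueError("PAN length out of range")
    return fill * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of a transaction record that may be written to storage:
    retainable elements only, PAN masked, all sensitive authentication data gone."""
    kept = {key: value for key, value in record.items() if key in RETAINABLE}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    return kept


# Conservative 3.3 check: after removing spaces and dashes, any run of 13-19
# digits is treated as a full PAN. "************1111" leaves only four digits.
_FULL_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def receipt_is_masked(receipt_text: str) -> bool:
    """True when the receipt text exposes at most the last four PAN digits."""
    return _FULL_PAN_RE.search(re.sub(r"[ -]", "", receipt_text)) is None


# Constructed sample record; values are placeholders, not real card data.
SAMPLE_RECORD = {
    "cardholder_name": "A. Sample",
    "pan": "4111 1111 1111 1111",      # well-known Visa test number
    "expiration_date": "1225",
    "service_code": "201",
    "track2": "<constructed track 2 data>",
    "cvv2": "123",
    "pin_block": "<constructed pin block>",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
    print(receipt_is_masked("VISA ************1111  $12.00"))
```

The receipt check is deliberately conservative: any other 13-19 digit number on a receipt (a long reference number, for instance) is also flagged for review.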
Note:
Requirement 7: Restrict access to cardholder data by business need-to-know
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities.
Need-to-know is when access rights are granted to only the least amount of data and privileges needed to perform a job.
QUESTION RESPONSE: YES NO N/A
Requirement 9: Restrict physical access to cardholder data.
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
QUESTION RESPONSE: YES NO N/A
9.6 Are all paper and electronic media that contain cardholder data physically secure? (including computers, removable electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes)
9.7 (a) Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data?
(b) Do controls include the following:
9.7.1 Is the media classified so it can be identified as confidential?
9.7.2 Is the media sent by secured courier or other delivery method that can be accurately tracked?
9.8 Are processes and procedures in place to ensure management approval is obtained prior to moving any and all media containing cardholder data from a secured area (especially when media is distributed to individuals)?
9.9 Is strict control maintained over the storage and accessibility of media that contains cardholder data?
9.10 Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons?
Destruction should be as follows:
Requirement 12: Maintain a policy that addresses information security.
The University's Cash Control policy and procedures reference the acceptance and handling of payment cards.
Adherence to the terms of these documents is required to ensure information security.
*A new information security policy that will address protection of electronic cardholder data is currently being developed by IST.*
UM Cash Control Policy and Procedure Requirements      Additional Information      YES  NO
Excerpt from Policy Document:
Section 2.2: All departments of the University whose activities include the acceptance and handling of cash on the University's behalf are responsible for ensuring that:
(a) adequate controls and procedures are in place to safeguard cash from
time of receipt to time of deposit to a University authorized bank account through Financial Services;
(b) all cash and receipts are properly recorded and accounted for; and
(c) customer payment information is stored in a secure manner.
All employees entrusted with handling cash and credit card payment are familiar with the Cash Control Policy. Full document available at:
http://www.umanitoba.ca/admin/governance/governing_documents/financial/389.htm
Excerpts from Cash Control Procedures Document:
2.3.10 Departments are required to use University of Manitoba merchant services providers and may request information in this regard from RCGA.
Full document available at:
http://www.umanitoba.ca/admin/governance/governing_documents/financial/863.htm
The University contracts with TD Merchant Services for the provision of its Visa and MasterCard merchant services. All payment card revenue must be deposited to the University's main bank account. Departments must advise Financial Services of any situation where this is not the case.
Attestation of Compliance
• After completing the SAQ, the merchant must complete the Attestation of Compliance to confirm that:
1. the merchant qualified for the SAQ
2. the merchant is in compliance
Part 2. Eligibility to Complete SAQ B
Complete this section to confirm your eligibility to use SAQ B:
__Yes __No  Merchant uses only standalone, dial-up terminals; and the standalone, dial-up terminals are not connected to the Internet or any other systems within the merchant environment;
__Yes __No  Merchant does not store cardholder data in electronic format; and
__Yes __No  If Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically.
Part 3. PCI DSS Validation
Based on the results noted in the SAQ dated Nov 30, 2013, Merchant 123 asserts the following compliance status (check one):
__Compliant: All sections of the PCI SAQ are complete and all questions answered "yes". Therefore Merchant 123 has demonstrated full compliance with the PCI DSS.
__Non-Compliant: Not all sections of the PCI SAQ are complete or some questions are answered "no", resulting in an overall NON-COMPLIANT rating, thereby Merchant 123 has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance: ___________________________
Part 3a. Confirmation of Compliant Status
Merchant confirms:
Yes No      PCI DSS Self-Assessment Questionnaire B was completed according to the instructions therein.
Yes No      All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
Yes No N/A  I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization. (if applicable)
Yes No      I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
Yes No      No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment. (applicable only if Merchant is storing data electronically)
Part 3b. Merchant Acknowledgement
Print Name of Department Head or Business Manager
_________________________________________________
Title _______________________________________________________
Signature ________________________________ Date _________________________________
What if Merchant is Non Compliant?
• If your responses indicate that you are not in compliance, please complete Part 4 of the Attestation of Compliance to indicate where
Part 4. Action Plan for Non-Compliant Status
Please select the appropriate "Compliance Status" for each requirement. If you answer "No" to any of the requirements, you are required to provide the date this Merchant will be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
PCI Requirement   Description                                                          Compliance Status (Select One)   Remediation Date and Actions (if Compliance Status is "No")
3                 Protect stored cardholder data                                       Yes  No
7                 Restrict access to cardholder data by business need to know         Yes  No
9                 Restrict physical access to cardholder data.                         Yes  No
12                Adhere to University policy that addresses information security.
What if Merchant is Non Compliant?
• Where non-compliance is indicated, further follow-up will be scheduled by either IST or RCGA, depending on the area of vulnerability.
• Non-compliant products must be upgraded,
3rd Party Compliance
Most of our processing partners are already in compliance with PCI DSS:
✓ TD Bank POS terminals (Freedom IV and Freedom V) are compliant, provided all software upgrades have been completed by the merchant.
✓ Beanstream is compliant (web merchants)
✓ Certain vendor software used by UM merchants (for example, Class, used by Faculty of
The Compliance Cycle
Assess
Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
Remediate
Fix vulnerabilities and do not store cardholder data unless you need it.
Report
Compile and submit required remediation
Steps in the Annual Compliance Cycle
1. Create an inventory of all campus merchants and confirm merchant contact information.
2. Promote awareness of the PCI requirements and the consequences of non-compliance to all UM merchants.
3. Request that each merchant review and sign off on the appropriate self-assessment
Steps in the Compliance Cycle cont.
4. Develop a policy that addresses storage of electronic data (IST/RCGA).
5. Obtain statements from all 3rd party vendors/partners confirming that they are also in compliance.
Helpful Tips
• Treat cardholder data like cash: keep it secure and if it needs to be stored, deposit it right away.
• If you don't need it, don't store it!
• Never store the CVV2 or PIN
Helpful Tips- continued
• Read and understand the Merchant Operating Guide for information on items such as issuing refunds and receipt requirements (for example, never issue a refund by cash or cheque for a purchase made by credit card).
• Read the TD Fraud Prevention brochures
Where can I find more information
• RCGA web site:
http://umanitoba.ca/admin/financial_services/revcap/staff_info.html
• TD Merchant Services Resource Center:
http://www.tdcanadatrust.com/merchantservices/resource_centre.jsp
• PCI Security Standards Council:
https://www.pcisecuritystandards.org/index.shtml
• Guidelines set by the University's IST department for hosting a web application:
QUESTIONS?
• RCGA (Merchant Administration):
  - Rhonda Chorney 474-8727
  - Alicia Bressani 474-9574
  - Anna Chugunova 290-5809
• IST (Technical):
  - David Treble 474-8340