Misconceptions of PCI DSS in K12
Presented by: Barry Campbell (Business Development Mgr.) and Kaitlyn Hetzel (Account Services Manager)
What is PCI-DSS?
• Who here knows what PCI-DSS stands for?
• Payment Card Industry Data Security Standard
• It is the security requirement that any entity with access to credit card numbers is required, by VISA, MasterCard, etc., to adhere to.
Pearson-SchoolPay Integration Discussion
Link Between Candy Jar and PCI
• Winner of the Candy Jar announced
• Winner of the best answer announced
• Dawn Fortes (Volusia County)
• Candy represents cardholder data & the jar represents a system that's PCI Compliant
• Easier to demonstrate our message and won't break any health code violations
- Exercise in fun: counting candies in a jar
- How it feels when you're establishing your policy is more like this.....
PCI-DSS is One Thing, Right?
Sort of. It's 6 Object Controls
"Object controls" logically group related things. PCI DSS comes down to six areas of focus:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Ah! So it's Six Things. Right?
Each Object Control has one or more Requirements
For example, "Build and Maintain a Secure Network" has these two requirements:
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters.
So How Come I Now Have 220 Bunnies?
Making Sense of It All
• PCI is ultimately a logical set of business operation standards
• It's not a "one and done"... you always do it
• PCI DSS isn't a guarantee... it's a starting point, not the finish line
M1 – It's About eCommerce
• It's about cardholder data
• Best practice: Every human and system location in the district that *could* come in contact with or leave a record of a 16 digit card number is a threat to your PCI compliance. Document these and establish a policy for that data interaction.
M2 – PCI DSS is Someone's or Some Department's Job
• PCI is no one person's job, it is everyone's job. Everyone's job who touches cardholder data, that is.
• Best practice is to have a set of policies and procedures that define the behavior of everyone (staff) and everything (hardware/software) in the district that touches cardholder data.
M3 – Our Online Payment Service Handles IT
• If you have an online payment system, they can offload a lot of PCI headaches
• If you take any credit card payments in person you will be responsible for handling the PCI compliance on those payments
• Best Practice: Know what your minimum exposure and workload is.
• If you only take online payments, make sure your policy states that
M4 – You Have to Pay a Fee to
• PCI Compliance Fees Are Becoming Commonplace, but it is NOT a requirement for PCI Compliance
• Best practices to cut your costs:
  • Inquire with your processor if there is a PCI Compliance fee/merchant account
  • Inquire if there is any ability to handle PCI at the District level
  • Make sure you are aware of any PCI-related procedures that they require
We're Back!
Each bunny represents a single PCI question... there are 220 of them per Merchant account!
The Rule Breakers... A fun look at the people that make you say, "What were they thinking?"
• Donor forms... filled out with way too much data
The “Get it Rights”
• Step One – Determine the scope of the PCI policy you will need
  • Where are you taking payments: online, in person, or both?
  • How many departments are taking payments?
  • How many merchant accounts do we have?
• Step Two – Write your policy and have staff sign off on it
• Step Three – Make sure your online providers are Level One PCI Providers
  • Each software system that takes payment or touches card data needs to be PCI compliant too
  • All except the smallest companies are required to be audited and to appear on a VISA list
Validate Software Providers to the District
It is easy to get the status of your various system providers. Just do the following:
1. Ask if they* have a ROC (Report on Compliance, provided by the audit firm)
2. Check whether they are listed here: http://www.visa.com/splisting/searchGrsp.do
*Please note: whoever owns the interface where the card number is collected should have their name on the ROC
• Controlling your risk is manageable
• Make your payments policies and procedures cross-departmental
• Always reduce scope where and when you can
  - Reduce the number of payment vendors you support
  - Reduce access to and interaction with 16 digit account numbers
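The M1 point (every place that could leave a record of a 16 digit card number is in scope) and the scope-reduction point just above both come down to knowing where card numbers actually turn up, for example on a donor form that captured too much data. The following is an added example, not from this presentation or from Pearson/SchoolPay: a small Python scanner that checks text records for 16-digit candidates, uses the Luhn check digit to drop numbers that cannot be card numbers (so order ids and phone-like strings do not flood the report), and reports only a masked form (first six and last four digits) so the scan report does not itself become another copy of cardholder data. The record names and contents in SAMPLE_RECORDS are constructed for the example; 4111 1111 1111 1111 is a widely published test number, not a real account.

```python
import re

# Candidate: exactly 16 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run. Card numbers can be 13-19 digits in
# general; this example sticks to the 16-digit case the presentation talks about.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

# Constructed sample records: (where the record lives, its text).
# The donor form holds a Luhn-valid test number; the log line holds a 16-digit
# value that fails Luhn and is therefore a lookalike, not cardholder data.
SAMPLE_RECORDS = [
    ("donor_form_scan.txt", "Donor: J. Doe  Card: 4111 1111 1111 1111  Exp 09/27"),
    ("web_server.log", "POST /pay 200 order=8841 ref=1234567890123456"),
    ("helpdesk_ticket.txt", "Parent called about lunch balance, no card data given"),
]


def luhn_valid(digits: str) -> bool:
    """True if the digit string satisfies the Luhn check digit used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (a common masking convention), hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Masked card numbers found in one piece of text; candidates failing Luhn are dropped."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_records(records) -> list:
    """Scan (location, text) pairs and return (location, masked_pan) for each hit."""
    findings = []
    for location, text in records:
        for masked in find_pans(text):
            findings.append((location, masked))
    return findings


if __name__ == "__main__":
    for location, masked in scan_records(SAMPLE_RECORDS):
        print(f"{location}: possible cardholder data {masked}")
```

Run against the constructed records, only the donor form is reported; the web log's 16-digit reference number is discarded by the Luhn check. Each location the scanner flags is a place that, in the presentation's terms, belongs in the documented PCI policy or should stop holding card numbers at all.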