PCI-DSS Compliance and Payment Card Acceptance
Cathy Freeman, Cash and Treasury Services
Phone: 864-656-0530
Email: Cdorfne@clemson.edu
Website: http://www.clemson.edu/cfo/cash-treasury/

Upload: anthony-rasch

Post on 11-Dec-2015


TRANSCRIPT

Page 1: PCI-DSS Compliance and Payment Card Acceptance

Cathy Freeman

Cash and Treasury Services

Phone: 864-656-0530

Email: Cdorfne@clemson.edu

Website: http://www.clemson.edu/cfo/cash-treasury/

Page 2: Agenda

• PCI-DSS Defined
• Brief History
• Why is PCI-DSS Compliance Important?
• Merchant Levels and Requirements
• CU PCI Best Practices
• PCI Compliance Responsibilities
• Virtual Terminals
• Credit Card Payment Information
• Who Gets Overlooked
• Accepting Credit Cards on Campus
• Questions

Page 3: PCI-DSS Defined

Payment Card Industry Data Security Standards: a collaborative effort to achieve a common set of security standards for use by entities that process, store or transmit payment card data.

Multiple credit card organizations participate in PCI efforts. Members include Visa, MasterCard, American Express, Diners Club, Discover Card and JCB.

Page 4: PCI-DSS Definitions

Cardholder: Customer to whom a card is issued, or an individual authorized to use the card.

Cardholder Data: The full magnetic stripe, or the Primary Account Number (PAN) plus any of the following:
• Cardholder name
• Expiration date
• Service code

Cardholder Validation Value or Code: Data element on a card's magnetic stripe that uses a secure cryptographic process to protect data integrity on the stripe and reveals any alteration or counterfeiting.

Compromise: Intrusion into a computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected.

Encryption: Process of converting information into a form that is unintelligible to anyone except holders of a specific cryptographic key. Encryption protects information between the encryption process and the decryption process against unauthorized disclosure.

Page 5: PCI-DSS Definitions

Firewall: Hardware, software, or both that protect the resources of one network from intruders on other networks.

Information Security: Protection of information to ensure confidentiality, integrity and availability.

Magnetic Stripe: Data encoded in the magnetic stripe, used for authorization during transactions when the card is presented.

Merchant: Any person or business that accepts payments by debit or credit cards. The merchant relationship is an agreement between a retailer, a merchant bank and a payment processor for the settlement of credit card and/or debit card transactions.

Page 6: PCI-DSS Definitions

PAN: Primary Account Number, the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also called the Account Number.

POS: Point of Sale. Hardware and/or software used to process payment card transactions at merchant locations.

Service Code: Three- or four-digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction.

Vulnerability Scan: Scans used to identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company's private network.

Page 7: Brief History

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process.

The major credit card companies (Visa, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that ALL merchants must comply with in connection with the acceptance of payment cards. These standards are called the Payment Card Industry Data Security Standards, or PCI DSS. They have placed additional responsibilities on CU departments in connection with the acceptance of payment cards.

Page 8: Why is PCI Compliance Important?

Page 9: Why is PCI Compliance Important?

• Good business practice.
• PCI compliance is like insurance.
• Large monetary fines assessed to your department and/or Clemson University.
• Loss of merchant status for the department.
• Loss of merchant status for Clemson University.
• Loss of faith in the Clemson University name.
• You are vulnerable!

Page 10: Why is PCI Compliance Important?

Because they are after us! Since 2008, educational institutions have experienced a staggering 158 data breaches, resulting in over 2.3 million reported records compromised.

Higher-ed institutions have become a predominant target for cyber criminals because of the substantial amount of distinct types of data they possess. Databases at colleges include names, addresses, financial information, credit card numbers, SSNs and healthcare records of employees, students and parents.

Source: Application Security, Inc.

Page 11: Why is PCI Compliance Important?

Estimated $3.4 Billion Lost to Online Fraud: The $700 million increase in estimated total fraud loss (vs. 2010) was driven by the overall growth in ecommerce in 2011.

Source: CyberSource Online Fraud Report

Countries With The Most Card Fraud: U.S. and Mexico: One recent survey finds that 27% of cardholders (debit, credit and prepaid) around the world have experienced fraud in the past five years. Rates of fraud vary across countries, but Mexico and the United States are more prone to fraud, with 44% and 42% of respondents there saying they have experienced card fraud. The report from Aite Group and ACI Worldwide, which surveyed over 5,000 consumers in 17 countries, notes that U.S. consumers are heavy card users; more card use means a greater likelihood of card fraud.

Source: Forbes

Page 12: Why is Compliance Important?

You don't want to make the headlines!

Page 13: Why is PCI Compliance Important? Costs of Non-Compliance

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

Page 14: Why is PCI Compliance Important? Breach Trends and The Facts

Main causes of a data breach: hacking is now #1.

Data Breaches Will Likely Affect Your Reputation: 76% of organizations surveyed acknowledged that their reputation was impacted as a result of the loss or theft of customer information.

Type of Data Most Often Stolen:
• Password/PIN
• Credit card or bank payment information
• Credit or payment history
• Driver's license/SSN

Page 15: Why is PCI Compliance Important? Breach Trends and The Facts

It Can Be A Long Road To Recovery: 64% of organizations say they are concerned that data compromised in a data breach will be used to commit other types of fraud.

Breaches Can Strike Twice or Even Three Times: 85% of recent survey respondents indicated that their organization had more than one breach involving customer data in the last 24 months.

Your Reputation Doesn't Bounce Back Immediately: Restoring an organization's reputation after a breach that involved customer information takes about a year (11.8 months).

Page 16: Definition of Merchant Levels

All merchants fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level. Merchant levels as defined by Visa:

Page 17: Merchant Levels

Page 18: Merchant Levels

Page 19: Merchant Requirements

Page 20: QSA Onsite Review

• Is a detailed audit against the PCI Data Security Standard.
• Potentially targets all systems and networks that store, process and/or transmit cardholder information.
• Includes review of contractual relationships, but not assessment of the third parties themselves.
• Must be performed using an offering from a Visa certified provider (QSA).
• The biggest difficulties in having onsite reviews are the initial scoping and the subsequent cost of correction to compliant levels.

Page 21: Self Assessment Questionnaire

• Is a selected subset of the full onsite audit criteria.
• Is completed by the merchant or service provider.
• Is submitted to the acquirer(s).
• Is made up mainly of Yes/No/Not Applicable responses.
• Is broken into five of the six sections from PCI DSS:
  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Page 22: Network Security Scanning

• Targets Internet-facing devices, systems and applications, including:
  • Routers and firewalls
  • Servers and hosts (including virtual)
  • Applications
• Must be performed using an offering from a MasterCard certified provider.
• May not have any Severity 3 or greater issues:
  • 5 (Urgent): Trojan horses, file read and write exploits, remote command execution
  • 4 (Critical): Potential Trojan horses, file read exploit
  • 3 (High): Limited exploit of read, directory browsing and denial of service

Page 23: Merchant Requirements: Six Goals, Twelve Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Page 24: Merchant Requirements: Six Goals, Twelve Requirements

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
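Requirements 7, 8 and 10 can be checked against the access logs that a card-processing system keeps. The Python script below is an added example written for this page, not Clemson's or the PCI SSC's code: it reads a constructed access log in a hypothetical `user=… resource=… action=…` format and flags accesses to cardholder-data resources made through shared logins (no unique ID, requirement 8) or by individuals outside the resource's need-to-know list (requirement 7), as well as lines that cannot be parsed, which are a monitoring gap under requirement 10. The log format, the resource names, the account names and the need-to-know list are all assumptions made up for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical log format, constructed for this example:
#   <timestamp> user=<id> resource=<name> action=<verb>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+resource=(?P<resource>\S+)\s+action=(?P<action>\S+)$"
)

# Hypothetical need-to-know list (requirement 7): for each resource that holds
# cardholder data, the individual accounts whose job requires access.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "cardholder_db": {"asmith", "jdoe"},
    "pos_terminal_1": {"asmith", "bjones"},
}

# Generic logins that are not tied to one person; using them for cardholder
# data defeats requirement 8 (unique ID per person).
SHARED_ACCOUNTS: Set[str] = {"admin", "cashier", "frontdesk"}

# Constructed sample log; not a real log from any system.
SAMPLE_LOG = [
    "2013-02-04T09:12:01 user=asmith resource=cardholder_db action=read",
    "2013-02-04T09:40:13 user=cashier resource=pos_terminal_1 action=settle",
    "2013-02-04T11:02:55 user=tlee resource=cardholder_db action=export",
    "2013-02-04T11:05:00 user=tlee resource=intranet_wiki action=read",
    "2013-02-04T11:06:30 corrupted entry",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def review_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, issue, detail) for every access to a cardholder-data
    resource that a reviewer should question, plus every line that could not be
    parsed, since an unreadable record is a gap in the trail requirement 10 demands."""
    findings = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparseable", line.strip()))
            continue
        if rec["resource"] not in NEED_TO_KNOW:
            continue  # not a cardholder-data resource; out of scope for this check
        who = f'{rec["user"]} -> {rec["resource"]}'
        if rec["user"] in SHARED_ACCOUNTS:
            findings.append((n, "shared-account", who))
        elif rec["user"] not in NEED_TO_KNOW[rec["resource"]]:
            findings.append((n, "not-need-to-know", who))
    return findings


if __name__ == "__main__":
    for n, issue, detail in review_access_log(SAMPLE_LOG):
        print(f"line {n}: {issue}: {detail}")
```

Run against the constructed log, the review reports the shared `cashier` login on the POS terminal, the export of the cardholder database by a user who is not on its need-to-know list, and the corrupted fifth line; the `intranet_wiki` access is ignored because that resource holds no cardholder data.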

Page 25: CU PCI Compliance Best Practices

1. Merchants should stop storing credit card numbers and the security code on any computer, server, or database. This includes Excel spreadsheets.
2. Treat payment card receipts like you would cash.
3. Keep payment card data secure and confidential.
4. Limit access to system components and cardholder data to only those individuals whose job requires such access.
5. Assign all users a unique ID before allowing them to access system components or cardholder data.

Page 26: CU PCI Compliance Best Practices

7. Documents containing cardholder data should be kept in a secure environment (e.g. a safe or a locked file cabinet).
8. Never send cardholder information via email. Credit card numbers must not be transmitted in an insecure manner, such as email, unsecured fax or campus mail.
9. Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment.
10. Render sensitive cardholder data unreadable anywhere it is stored.
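Best practice 1 (stop keeping card numbers in spreadsheets and databases) and best practice 10 (render stored cardholder data unreadable) both start with finding where card numbers have crept in. The Python script below is an added example written for this page, not Clemson's or the PCI SSC's code: it scans text (here a constructed spreadsheet export) for 13- to 19-digit runs, keeps only those that pass the Luhn check that every issued card number satisfies, reports where they are with all but the last four digits masked, and can rewrite the text in that masked form. The sample rows are constructed, and the card numbers in them are the public test numbers used in payment development, not real accounts.

```python
import re
from typing import List, Tuple

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or dashes,
# and not part of a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed spreadsheet export (CSV text); the card numbers are public test
# numbers, not real accounts. The last two rows are digit runs that are not cards.
SAMPLE_EXPORT = "\n".join([
    "name,card,amount,notes",
    "A. Student,4111 1111 1111 1111,125.00,textbook",
    "B. Student,5500-0000-0000-0004,40.00,parking",
    "Office,864-656-0530,0.00,phone number not a card",
    "Order,20131234567890,99.00,long order id that fails the Luhn check",
])


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every issued payment card number satisfies.
    It filters out phone numbers, order ids and other digit runs of card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Leave only the last four digits readable."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _pan_digits(match_text: str) -> str:
    """Strip the separators so the digits can be checked and masked."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate in text."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _pan_digits(m.group())
            if luhn_valid(digits):
                found.append((line_no, mask_pan(digits)))
    return found


def redact(text: str) -> str:
    """Rewrite text with every Luhn-valid candidate replaced by its masked form;
    digit runs that fail the check (phone numbers, order ids) are left unchanged."""
    def _sub(m: "re.Match") -> str:
        digits = _pan_digits(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {line_no}: {masked}")
    print(redact(SAMPLE_EXPORT))
```

On the sample, the two card rows are reported as lines 2 and 3 with only their last four digits showing, while the office phone number and the 14-digit order id are left alone because they fail the Luhn check. A report like this tells a department which files to clean up; whether a given file may keep a masked number at all is still a question for Cash and Treasury Services.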

Page 27: CU PCI Compliance Best Practices

11. Manual swipes or imprinters are not authorized for use.
12. Any new systems/software that process payment cards must be approved by the Cash and Treasury Office prior to purchase.
13. Any computer system hosting a credit card application must be housed in CCIT's data centers due to security requirements.
14. Computer systems that process payment cards must be behind a firewall.
15. Use and regularly update anti-virus software.

Page 28: CU PCI Compliance Best Practices

16. Do not use vendor-supplied defaults for system passwords and other security parameters.
17. Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
18. Report all suspected or known security breaches to Cash and Treasury Services and CCIT's Information Security & Privacy.

Page 29: Credit Card Data Storage Motto

If you don't need it, DON'T KEEP IT!

Page 30: CU PCI Compliance Responsibilities

Merchant
• Complete and submit the Security Assessment Questionnaire (SAQ) annually. Each merchant is responsible for their own PCI DSS compliance.
• Development of a departmental credit card data information security policy, procedures or plan.
• Implementation of all data security controls necessary to comply with PCI DSS requirements.
• Attendance at the annual PCI DSS Compliance Training conducted by the Cash and Treasury Services Department.

Page 31: CU PCI Compliance Responsibilities

Cash and Treasury Services
• Provide guidance and support to merchants' PCI DSS compliance efforts.
• Make recommendations on how to lower a merchant's risk of exposure to breaches.
• Coordinate and assist in the completion and submission of SAQs by all merchants.
• Serve as liaison between the merchant and the credit card processor.
• Assist merchants in responding to a possible breach.

Page 32: CU PCI Compliance Responsibilities

CCIT Information Security & Privacy
• Completes, in coordination with Cash and Treasury Services, a single Security Assessment Questionnaire (SAQ) for the University.
• Provide guidance and support to merchants' PCI DSS compliance efforts from a technical perspective.
• Make recommendations on how to implement compensating controls that will meet particular PCI DSS requirements.
• Provide application and website vulnerability scanning. This can also be done at the system level.
• Assist merchants and Cash and Treasury Services in responding to a possible breach and in the breach investigation.

Page 33: Virtual Terminals and PCI Compliance

A virtual terminal is a web-based application that allows merchants to accept credit card payments using their Internet-connected computers. Like the traditional credit card terminals that you see at most retail stores, virtual terminals can accept both swiped and keyed transactions.

Virtual terminal workstations must be segmented and secured. A merchant must meet the following criteria:
• Merchant's only payment processing is via a virtual terminal accessed by an Internet-connected web browser.

Page 34: Virtual Terminals and PCI Compliance

• Merchant accesses the virtual terminal via a computer that is isolated in a single location and is not connected to other locations or systems within your environment.
• Merchant's virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider.
• Merchant's computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward).
• Merchant's computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached).

Page 35: Virtual Terminals and PCI Compliance

• Merchant does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet).
• Merchant does not store cardholder data in electronic format.
• If the merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically.

Page 36: Credit Card Payments

• Nearly one-third (30%) of students put tuition on their credit card, an increase from 24 percent in the previous study.
• 84% of the student population overall have credit cards.
• 92% of undergraduate credit cardholders charged textbooks, school supplies, or other direct education expenses, up from 85% when the study was conducted in 2004.

Source: Sallie Mae, "How Undergraduate Students Use Credit Cards", April 2009

Page 37: Credit Card Payments

Current credit card payment methods on campus:
• E-commerce & Online Payment
• Point of Sale Terminals

Page 38: Credit Card Payments

In FY 2012, Clemson University merchants processed:

Total Transactions (Online and POS): 201,731

Total Revenue (Online and POS): $53,042,373.91

Number of Merchants: 110

Page 39: What Gets Overlooked?

Paper

Page 40: What Gets Overlooked?

People

Page 41: What Gets Overlooked?

Process

PCI Compliance Cycle

Page 42: Accepting Credit Cards on Campus

Thinking of taking payment cards or changing your current process? Contact Cash and Treasury Services first.

Do not go it alone. The State of South Carolina mandates who we can use for credit card processing. PayPal accounts and devices like Square for your iPad or iPhone cannot be used.

Our current credit card processing companies are FirstData, TouchNet and Official Payments.

Contact Cash and Treasury Services for current credit card rates charged by FirstData, TouchNet and Official Payments.

Clemson University accepts American Express, Discover, MasterCard and Visa.

Page 43: Just Remember…

Data security is an ongoing process.
• Recognize the risks at all levels to your department.
• Understand what you can do to be proactive.
• Determine what behaviors and processes may have to change.

Page 44: Want to know more? Resources

• PCI for Merchants: https://www.pcisecuritystandards.org/merchants/index.php
• PCI Data Security Standards: https://www.pcisecuritystandards.org/security_standards/index.php
• CU Network Security Policy: http://www.clemson.edu/ccit/about/policies/network_security.html

Page 45: Points of Contact

Has data been compromised? The first 24 hours are critical! Contact:

Office of Information Security and Privacy
864-656-7131
http://www.clemson.edu/ccit/help_support/safe_computing/

and

Cash and Treasury Services, Banking and Payment Card Coordinator
864-656-0530
http://www.clemson.edu/cfo/cash-treasury/

Page 46: Points of Contact

A confidential Ethics Line is provided as a service to assist any member of the University community with reporting concerns or issues about questionable practices. These may include fraud, theft, conflicts of interest, abuse of assets or property, or violations of laws or regulations.

Toll Free: 1-877-503-7283 (1-877-50FRAUD). Available 24 hours a day, seven days a week. Leave a message.

or

www.clemson.edu/administration/internalaudit/contactus.html

Page 47: Questions

Page 48: PCI Compliance Training Questions

1) What does PCI-DSS stand for?

a. Protect Computer Identity-Data Security Standard
b. Payment Card Industry-Data Security Standard
c. Payment Card Industry-Data Safety Standard
d. Payment Card Identification-Develop Security Service


Page 53: PCI Compliance Training Questions

2) When was the Payment Card Industry Security Standards Council launched?

a. September 7th, 2003
b. September 7th, 2004
c. September 7th, 2005
d. September 7th, 2006


Page 58: PCI-DSS Compliance and Payment Card Acceptance Cathy Freeman Cash and Treasury Services Phone: 864-656-0530 Email: Cdorfne@clemson.eduCdorfne@clemson.edu

3) The Payment Card Industry Security Standards Council (PCI SSC) breaks merchants up into 4 compliance levels?

a. True

b. False


4) The Self-Assessment Questionnaire (SAQ) is filled out by the merchant?

a. True

b. False


5) There are 6 requirements for PCI-DSS compliance?

a. True

b. False


6) Which of the following is a Clemson University PCI Compliance best practice?

a. Keep payment card data confidential

b. Computer systems that process payment cards must be behind a firewall

c. Render sensitive cardholder data unreadable anywhere it is stored

d. All of the Above


7) You can send cardholder information via email?

a. True

b. False


8) Which of the following is a PCI Compliance responsibility for the merchant?

a. Complete the Self-Assessment Questionnaire

b. Development of a departmental credit card data information security policy, procedures or plan

c. Attend annual PCI DSS Compliance Training

d. All of the Above


9) A virtual terminal workstation can be located in an open area for anyone to use?

a. True

b. False


10) PayPal or devices like Square can be used to accept payments on campus?

a. True

b. False


Thank you for taking the PCI Compliance Training.

Need More Help? Contact

Cathy Freeman at [email protected] or 864-656-0530


To acknowledge that you have read and completed the online PCI Compliance

training, continue to the website below.

Clemson.edu/esig