TRANSCRIPT
PCI Information Session
May 2014 - NCSU PCI Team
Agenda
➢ PCI compliance process
➢ Security Training
➢ Why compliance is important
➢ PCI DSS update from NCSU ISA
➢ 2014 attestation process
➢ Questions
PCI Compliance Process
Annually:
➢ Complete Assessment Questionnaire
➢ Complete Security Awareness Training & SAQ Training
➢ Update Policy & Procedures
➢ Update Data Flow Diagrams
➢ Sign Merchant Service Agreement
➢ Complete SAQ
Security Awareness Training
Login and password for training access will arrive via email from [email protected]
Training must be completed no later than June 20, 2014.
Training Example
SAQ Training
Training is available now for SAQ B merchants.
Training for SAQ A merchants is provided by Security & Compliance. There may be changes from last year.
Training must be completed prior to SAQ submission.
Why is Compliance Important?
➢ It allows the University to continue to accept credit cards as a form of payment
➢ It demonstrates that the University accepts the responsibility of safeguarding our customers’ payment card data throughout every transaction, and it solidifies confidence in protecting data against the hassle and cost of data breaches.
Why is Compliance Important?
Compliance vs Security (slide diagram: Security, Compliance)
Why is Compliance Important?
Penalties can be Huge
In the event of a breach the bank can make the merchant responsible for:
• Fines from card associations: up to $500,000
• Cost to notify victims
• Cost to replace cards
• Cost for any fraudulent transactions
• Forensics
• Level 1 certification - average cost of QSA report ~ $225,000
Bad Publicity – Priceless!
Things to remember….
➢ Check out the Merchant Services website frequently: http://controller.ofb.ncsu.edu/merchant-services/
➢ Contact Merchant Services if you have questions
➢ Notify Merchant Services of ANY changes to your business process
What’s new for PCI-DSS 3.0
PCI-DSS 3.0 (112 pages): https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Summary of Changes (12 pages): https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf
Mostly clarifications:
➢ 64 Clarifications
➢ 19 Evolving Requirements
➢ 1 Additional Guidance
What’s new for PCI-DSS 3.0
Additional Guidance: Added guidance on combining multiple scan reports in order to achieve and document a passing result.
Clarification: Clarified that quarterly internal vulnerability scans include rescans as needed until all “high” vulnerabilities (as identified by PCI DSS Requirement 6.1) are resolved, and must be performed by qualified personnel.
Evolving Requirement: New requirement to implement a methodology for penetration testing.
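The two scan-related changes above (combining several scan reports into one documented result, and rescanning until no "high" finding remains) are easy to get wrong when a quarter's evidence is spread across an initial scan and several targeted rescans. The following is an added example, not material from the NCSU presentation or from the PCI SSC: it takes a constructed set of scan reports, uses the most recent in-period scan that covered each in-scope host, and reports whether a passing result can be documented and which hosts still need a rescan. The report structure, host names and CONSTR-* check identifiers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str    # constructed identifier for the vulnerability check
    severity: str    # "high", "medium" or "low"
    title: str


@dataclass(frozen=True)
class ScanReport:
    scan_date: date
    scanned_hosts: FrozenSet[str]     # every host this scan actually covered
    findings: Tuple[Finding, ...]


# Constructed in-scope inventory and sample reports (not real NCSU data).
SCOPE = frozenset({"pos-01", "pos-02", "web-01", "db-01"})
PERIOD_START = date(2014, 4, 1)   # first day of the quarter being evidenced

REPORTS = [
    # Initial quarterly scan of the whole in-scope environment.
    ScanReport(date(2014, 4, 2), SCOPE, (
        Finding("pos-01", "CONSTR-001", "high", "Outdated TLS library"),
        Finding("web-01", "CONSTR-002", "high", "Vulnerable web framework"),
        Finding("web-01", "CONSTR-003", "medium", "Directory listing enabled"),
        Finding("db-01", "CONSTR-004", "low", "Service banner disclosure"),
    )),
    # Targeted rescan after patching pos-01: nothing found.
    ScanReport(date(2014, 4, 15), frozenset({"pos-01"}), ()),
    # Targeted rescan of web-01: the high is gone, the medium remains.
    ScanReport(date(2014, 4, 20), frozenset({"web-01"}), (
        Finding("web-01", "CONSTR-003", "medium", "Directory listing enabled"),
    )),
]


def combine_reports(reports, scope, period_start):
    """For each in-scope host, keep the findings from the most recent scan in
    the period that covered it. Hosts with no qualifying scan map to None."""
    latest = {host: None for host in scope}
    for report in sorted(reports, key=lambda r: r.scan_date):
        if report.scan_date < period_start:
            continue  # evidence from an earlier quarter does not count
        for host in report.scanned_hosts & scope:
            host_findings = frozenset(f for f in report.findings if f.host == host)
            latest[host] = (report.scan_date, host_findings)
    return latest


def assess_quarter(reports, scope, period_start):
    """Decide whether the combined reports document a passing quarterly
    result: every in-scope host scanned this period, no 'high' finding left."""
    combined = combine_reports(reports, scope, period_start)
    unscanned = sorted(h for h, v in combined.items() if v is None)
    open_high = sorted(
        (h, f.check_id)
        for h, v in combined.items() if v is not None
        for f in v[1] if f.severity == "high"
    )
    needs_rescan = sorted(set(unscanned) | {h for h, _ in open_high})
    evidence = {h: v[0].isoformat() for h, v in combined.items() if v is not None}
    return {
        "passing": not needs_rescan,
        "needs_rescan": needs_rescan,
        "open_high": open_high,
        "evidence": evidence,   # which dated scan backs each host's result
    }


if __name__ == "__main__":
    result = assess_quarter(REPORTS, SCOPE, PERIOD_START)
    print("Passing:", result["passing"])
    print("Needs rescan:", result["needs_rescan"])
    for host, day in sorted(result["evidence"].items()):
        print(f"  {host}: covered by scan dated {day}")
```

The "evidence" map is the part worth keeping with the attestation: it records which dated scan supports each host's result, so the combined outcome can be traced back to the individual reports. Two things the code deliberately does not do: it never lets a scan from a previous quarter count as coverage, and it never marks a host as clean unless some in-period scan actually covered it, so a rescan that only targeted one host cannot silently vouch for the rest of the environment.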
What’s new for PCI-DSS 3.0
Big Changes:
➢ SAQs
➢ Data Flow Diagram
➢ Inventory
➢ Service Providers
➢ Antimalware
➢ Physical Protection
What’s new for PCI-DSS 3.0
SAQs
SAQ A (14 Questions): Card not present merchants (ecommerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
SAQ A-EP (139 Questions): Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
What’s new for PCI-DSS 3.0
Data Flow Diagram
1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks
1.1.3 Current diagram that shows all cardholder data flows across systems and networks
What’s new for PCI-DSS 3.0
Inventory
2.4 Maintain an inventory of system components that are in scope for PCI DSS.
System Components defined on page 10, PCI-DSS 3.0
2.4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.
What’s new for PCI-DSS 3.0
Service Providers
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
➢ Formal written agreement
➢ Amendment to contract
➢ Modification/Clarification to existing language
What’s new for PCI-DSS 3.0
AntiMalware
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
What’s new for PCI-DSS 3.0
Physical protection
9.3 Control physical access for onsite personnel to the sensitive areas as follows:
➢ Access must be authorized and based on individual job function.
➢ Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
New eStore for NCSU
Higher One estore coming soon.
What’s the plan….
➢ Onboard merchants that have been waiting for an eCommerce solution
➢ Onboard merchants that are not PCI-DSS compliant
➢ Migrate existing eCommerce merchants to the new solution
Timeline is to begin in June 2014.
Mobile Payment Options
There are lots of products on the market right now!
The FD 400 is the current NCSU mobile payment solution. The terminal connects over a cellular signal to receive authorization from FDMS.
Hot Topics!!
None of these products are PCI Certified
FD 400 terminal is PCI Certified
Questions????