PAYMENT PROCESSING @ MCMASTER UNIVERSITY - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
PAYMENT PROCESSING @ MCMASTER UNIVERSITY
  • April 22nd and 23rd, 2009

2
Presenters
  • Nancy Gray Financial Services
  • Stacey Farkas Financial Services
  • Tim Russell UTS
  • Theresa Cooke Financial Services
  • Tawnya Smith Internal Audit
  • Diane Carment Conference Services

3
Agenda
  • PCI COMMITTEE (5 min)
  • REVIEW OF PAYMENT PROCESSING PCI SECURITY
    STANDARDS (5 min)
  • UPDATES SINCE PREVIOUS WORKSHOP (15 min)
  • COMMON AUDIT FINDINGS (10 min)
  • PCI FEES (10 min)
  • ONLINE CASHIERING (5 min)
  • INTERAC ONLINE (5 min)
  • BREAK (10 min)
  • SUSPICIOUS TRANSACTIONS SECURITY PROTOCOL (15
    min)
  • 2009 SAQ QUESTIONNAIRES (25 min)
  • CONFERENCE SERVICES - STARREZ DEMO (15 min)
  • ACTIONS REQUIRED (5 min)

4
PCI Steering Committee
  • Lilian Scime (Chair)
  • Nancy Gray
  • Gina Robinson
  • Rocco Piro
  • Mike Sowerby
  • Tim Russell
  • John McKay
  • Tawnya Smith
  • Absent: John Kearney, Stacey Farkas
5
OVERVIEW Payment Processing @ Mac
6
Payment Card Industry Security Standards
  • Standards developed by the credit card companies
    (Visa, M/C) to protect cardholders
  • Standards cover policies, business processes,
    systems, etc.
  • Every merchant is required to be in compliance
    with these standards
  • Risk to University as a whole if there is a
    breach and anyone is found to be non-compliant
  • Lose the ability to accept credit cards
  • FINES
  • Reputation Risk
  • Self-attestation is our means to ensure
    compliance
  • INTERNAL audits will occur
  • EXTERNAL audits could occur

7
UPDATES
  • Growth in Merchants
  • 3 new e-commerce sites
  • New virtual terminal users or moved to large
    accounts
  • $21 million in credit card sales in 07/08!
  • Important to contact Financial Services when
    staff turn over
  • Fill out new Payment Card Merchant Number
    Approval Form
  • One-on-one training provided
  • Access to system terminated

8
Updates
  • AMEX
  • Accepted university wide August 2008 with
    negotiated lower rates
  • 0.5% to 1.20% lower than before, with no contract
  • Updates required to be made to websites and
    promotional materials
  • Changes to Visa M/C rates
  • Fee structure has changed for Visa and Mastercard
  • Rates are higher based on the type of card
  • Card-present vs. not-present
  • Consumer, corporate, premium

9
Updates - Trustwave
  • Engaged Trustwave to perform a pre-assessment for
    eCommerce merchants; their High Priority findings
    were:
  • Staffing to manage on-going PCI compliance is
    insufficient.

Outcome: Security Analyst (Desmond Irvine)
commenced work this week to support Ken Craft.
10
Updates - Trustwave
  • Implement central logging and auditing server and
    processes for PCI systems.

Outcome: Space is planned within the Gilmour Hall
renovation, with on-going discussions with current
eCommerce merchants and external software vendors
to work towards this direction.
11
Updates - Trustwave
  • Communicate directives to merchants: recurring
    billing, CVV, PAN storage, etc.
  • Review and manage access accounts on all card
    processing systems and apply central accounts to
    the remaining accounts.

Outcome (directives): Implemented CVV with eCommerce
merchants in October 2008 and dealt directly with
merchants as required.
Outcome (access accounts): This is being addressed
as part of this training.
12
Internal Audit
  • Overview of an Internal Audit related to Payment
    Processing
  • Assess PCI Compliance as sub-section of cash
    controls when performing Internal Audits
  • Audit for compliance to policy and the
    attestations made in the Self Assessment
    Questionnaires
  • Issue report to department management outlining
    situations requiring corrective action
  • Serious non-compliance could result in suspension
    of individual merchant privileges

13
Internal Audit - Common Audit Findings
  • Generally focus on Access Control Measures
  • Hard copy and/or electronic cardholder data
    should not be stored/saved unless there is a
    legitimate business purpose to do so
  • POS merchants need to keep the merchants copy of
    payment card receipts when this is the only sales
    record resulting from the transaction (Merchant
    types B and C)
  • Virtual terminal and E-commerce merchants do need
    to maintain custody of the system generated
    receipt and/or the daily sales summary (Merchant
    types A and D)

14
Internal Audit - Common Audit Findings
  • When storage of payment card information is
    necessary, all paper and electronic media
    containing cardholder data must be physically
    secure
  • Secure means stored in a locked cabinet or room
    to which access is limited and controlled at all
    times other than when in use
  • Payment card information should not be stored
    electronically, e.g. in Word, Excel, etc.
  • Limit access to need to know
  • Controlled distribution of data
  • Don't distribute via e-mail; use distribution
    tracking and confirmation of receipt
  • Record retention and destruction
  • Password sharing is not permitted
  • Review of technical compliance will also be
    performed; scope to be determined

15
McMaster PCI Fees
  • Compliance with card data security standards is
    essential
  • External assessment (pre-audit) identified 4 high
    risk areas in our payment processing practices
  • KEY weaknesses (GAPS) were the result of lack of
    centralized security, lack of staff to support
    this
  • Need for ongoing training and support for our
    decentralized environment
  • This fee is intended to fund those requirements
    and close those GAPS
  • Designed to reflect actual setup and operational
    costs and create incentives to find economies of
    scale
  • 1 FTE in UTS and 0.5 FTE in Financial Services

16
McMaster PCI Fees
  • Annual PCI Compliance Levy - base charge
  • $750 per e-Commerce merchant
  • $350 per Point of Sale (POS) or Virtual Terminal
    merchant
  • PLUS
  • Volume-based charge
  • Commencing September 2009
  • 0.50% of credit card sales, capped at a maximum
    of $7,500
  • Fiscal year 10/11
  • 1% of credit card sales, capped at a maximum of
    $10,000
  • Rate structure to be reviewed periodically and
    increased or decreased as appropriate to fund the
    operational needs.

17
On-line Cashiering
  • The internal cash receipt process has
  • Two Purposes
  • Posting transactions to your FAS account
  • Creating batch data for bank reconciliation
  • Two Processes
  • Online Cashiering
  • Scheduled Uploads
  • Two Requirements
  • Separate batch for each deposit
  • Batch date must equal deposit date
  • Reminder: an admin fee of $25.00 will be assessed
    for non-compliance with these requirements

18
Internal Processing
  • Online Cashiering
  • Used for POS (debit and credit cards), Virtual
    Terminal and E-Commerce
  • Secured access through Supersession/IBM
  • Can be posted as one transaction or create more
    detailed reporting with multiple receipts and
    account numbers
  • Batch will normally be closed upon verification
    by the Cashiers Office.
  • Scheduled Upload
  • Used for integrated E-Commerce
  • Data comes from both Moneris and integrated
    system
  • Program written to format data and assign batch
    dates/numbers.

19
NEW: Merchant Codes for On-line Cashiering
  • The Bank Reconciliation process requires that we
    identify distinct Merchant numbers with the
    on-line cashiering batch.
  • We have assigned a 3-digit code to each merchant
    that will be cross-referenced with the Merchant
    Name, Visa/MC and AMEX #s (note: as many as 13
    characters)
  • This code will be used in the Cashier Name
    section of the On-line Cashiering Batch screen
    with the following format: 001 TC 24332
  • The process becomes effective as soon as you
    receive your code and no later than May 1st.

20
Batch Screen Example
CASHIER NAME: 001 TC 24332
21
INTERAC Online
  • We are working with UTS to be able to offer
    INTERAC Online as a payment method. This will
    allow students to pay from a link on the MUGSI
    website and we will have immediate notification.
  • Expected to be ready for tuition payments in June
    09.
  • Once we are up and running this new payment
    method will be available for use by our
    eCommerce merchants.

22
INTERAC Online
  • It is not compulsory to offer this payment
    method.
  • Consumers using INTERAC Online must be registered
    for online banking with their financial
    institution.
  • When making a purchase using this method, the
    consumer is redirected to their bank to authorize
    the payment.
  • Participating Financial Institutions are

23
BREAK (10 MINUTES)
24
Suspicious Transactions and Security Protocol
  • Several types of suspicious transactions
  • Successful credit card transactions repeated
    several times
  • Unsuccessful attempts to process transactions
  • Transactions from unexpected locations

  • Notify Moneris, noting the date and time when
    this occurs and who you spoke with.
  • Notify UTS IT Security (c-uts-security@mcmaster.ca)
    and follow their directions.
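The three patterns on this slide are regular enough to be checked mechanically against a gateway transaction export rather than spotted by eye. The script below is an added example, not code from the workshop, from UTS or from Moneris: it reads a constructed CSV (card numbers replaced by tokens; an export used for this kind of review must never carry full PANs) and raises one alert per pattern: the same card and amount approved several times within a few minutes, a burst of declines at one merchant (the card-testing pattern), and any transaction from a country outside a merchant-specific allowlist. The column names, thresholds, windows and the CA/US allowlist are assumptions to be tuned per merchant.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed gateway export (not real Moneris data). Card numbers are replaced
# by tokens; a log used for this kind of review must never carry full PANs.
SAMPLE_LOG = """timestamp,merchant,card_token,amount,result,country
2009-04-22T09:01:10,001,tok_a1,125.00,approved,CA
2009-04-22T09:01:40,001,tok_a1,125.00,approved,CA
2009-04-22T09:02:05,001,tok_a1,125.00,approved,CA
2009-04-22T09:15:00,001,tok_b2,40.00,approved,CA
2009-04-22T10:30:00,002,tok_c3,1.00,declined,CA
2009-04-22T10:30:04,002,tok_c4,1.00,declined,CA
2009-04-22T10:30:09,002,tok_c5,1.00,declined,CA
2009-04-22T10:30:13,002,tok_c6,1.00,declined,CA
2009-04-22T10:30:18,002,tok_c7,1.00,declined,CA
2009-04-22T11:00:00,001,tok_d8,300.00,approved,RU
2009-04-22T13:00:00,001,tok_b2,40.00,approved,CA
"""

# Assumption: the countries this merchant expects customers to pay from.
EXPECTED_COUNTRIES = {"CA", "US"}


def parse_log(text):
    """Parse the CSV export into dicts with a typed timestamp and amount."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["timestamp"])
        r["amount"] = float(r["amount"])
        rows.append(r)
    return rows


def first_burst(times, min_count, window):
    """Earliest start at which at least min_count events fall inside window.

    Returns (start, count) or None when no such window exists.
    """
    times = sorted(times)
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        if count >= min_count:
            return start, count
    return None


def repeated_approvals(rows, min_count=3, window=timedelta(minutes=5)):
    """Same card and same amount approved min_count times within window."""
    by_key = defaultdict(list)
    for r in rows:
        if r["result"] == "approved":
            by_key[(r["merchant"], r["card_token"], r["amount"])].append(r["ts"])
    alerts = []
    for (merchant, token, amount), times in by_key.items():
        hit = first_burst(times, min_count, window)
        if hit:
            alerts.append({"rule": "repeated_approval", "merchant": merchant,
                           "card_token": token, "amount": amount,
                           "start": hit[0], "count": hit[1]})
    return alerts


def decline_bursts(rows, min_count=5, window=timedelta(minutes=2)):
    """min_count or more declines at one merchant within window (card testing)."""
    by_merchant = defaultdict(list)
    for r in rows:
        if r["result"] == "declined":
            by_merchant[r["merchant"]].append(r["ts"])
    alerts = []
    for merchant, times in by_merchant.items():
        hit = first_burst(times, min_count, window)
        if hit:
            alerts.append({"rule": "decline_burst", "merchant": merchant,
                           "start": hit[0], "count": hit[1]})
    return alerts


def unexpected_locations(rows, expected=EXPECTED_COUNTRIES):
    """Any transaction from a country outside the merchant's expected set."""
    return [{"rule": "unexpected_country", "merchant": r["merchant"],
             "card_token": r["card_token"], "country": r["country"], "start": r["ts"]}
            for r in rows if r["country"] not in expected]


def review(text):
    """Run all three rules; each alert carries the date, time and merchant to quote to Moneris and UTS."""
    rows = parse_log(text)
    return repeated_approvals(rows) + decline_bursts(rows) + unexpected_locations(rows)


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(a)
```

Each alert already holds what the protocol asks you to record when calling Moneris (the merchant, the time it started, how many events). The decline rule is deliberately keyed on the merchant rather than the card, because card testing rotates through many stolen numbers at small amounts; keying on the card would never trip it.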
25
Suspicious Transactions and Security Protocol
  • A Virus is detected on a PC that is used to
    process credit card transactions
  • A new end point security solution is being
    implemented shortly which will assist with
    preventative measures.

Notify UTS IT Security immediately. Do not attempt
to cleanse the PC at all; shut down the PC
immediately. UTS IT Security may need to seize the
PC and perform an investigation on the system to
determine the nature of potential issues and any
possible breach.
26
PCI Compliance Self Assessment Types
27
Web site location: http://www.mcmaster.ca/bms/BMS_FS_Payment_Card.htm
28
PCI Self-Attestation Questionnaires
  • New version 1.2
  • Better definitions and clearer documentation,
    including Not Applicable fields.
  • Partially completed documents were issued to the
    Merchant Signing Authority.
  • POS stand-alone terminals use IP lines in Canada.
    A ruling from Trustwave stated we could use SAQ
    version B (rather than C) for these merchants.

29
PCI SAQ Part 1
As a Level 4 merchant (fewer than 20,000 Visa
eCommerce transactions per year) we are not required
to use a Qualified Security Assessor company.
30
PCI SAQ Part 2
Section 2 comprises Merchant information. This
varies for each SAQ type (A-D), especially with
Part 2D which addresses why each merchant is
completing a specific SAQ.
31
PCI SAQ Part 4
  • Non-compliance status is required to be addressed
    by each merchant by a specific date.
  • The number of sections addressed depends on the
    SAQ Type.

32
PCI SAQ Part 4, Requirement 4
  • Addressed within the Policy for Acceptance of
    Payment Cards
  • Re-iterated within this training

33
PCI SAQ Part 4, Requirement 12
  • Addressed by University-wide IT Security policy
    and specific activities as required by PCI
    Steering Committee.
  • It is the responsibility of each merchant to
    implement policy and directives.

34
PCI SAQ Part 3
Non-compliance is based on not completing the SAQ
or not meeting its requirements. A vulnerability
scan is not required for every SAQ type.
35
PCI SAQs
  • Completed SAQs are due May 30th 2009. Send these
    to Financial Services, DTC 414.
  • As indicated earlier, if an SAQ is not submitted
    by a merchant, it will result in suspension of
    their merchant account, due to the reputational
    and financial risk to the University.

36
Conference Services - STARREZ DEMO
  • Diane Carment

37
Actions required
  • Complete Self Assessment Questionnaires DUE MAY
    30, 2009
  • Complete the list of all staff with access to the
    system (for each merchant number)
  • Start using the new Merchant Codes in online
    cashiering as soon as you receive your code
  • Follow the Security Protocol when issues arise.
  • Please fill out the evaluation forms!
  • Please call if you have questions or concerns
    surrounding your business processes or security
    see Key Contacts

38
Key Contacts
  • Technical problems with processing
  • Moneris help desk 1-866-319-7450
  • Moneris e-select help 1-866-562-4354
  • PCI standards/Security (c-uts-security@mcmaster.ca)
  • Desmond Irvine x21649 (irvined@mcmaster.ca)
  • Ken Craft x23763 (craftk@mcmaster.ca)
  • Tim Russell x28688 (trussel@mcmaster.ca)
  • Physical, Network and Telecom Security
  • Via UTS Service Desk x24357 (uts@mcmaster.ca)
  • Internal Audit
  • Tawnya Smith x23872 (tsmith@mcmaster.ca)
  • All other concerns
  • Stacey Farkas x23654 (farkas@mcmaster.ca)
  • Moneris website www.moneris.com
  • Online services and support
  • http://www.moneris.com/index.php?context/onlineservice/downloads
  • Faculty of Health Sciences Merchants
  • CSU Help Desk x20848 (Verify)