Payment Card Industry Data Security Standards - PowerPoint PPT Presentation
1
Payment Card Industry Data Security Standards
  • Michigan State University's project to attain
    compliance

2
What is PCI DSS?
  • Payment Card Industry Data Security Standards
    were developed by Visa and MasterCard and have
    been adopted by other major payment card
    companies.
  • PCI DSS is an extensive set of guidelines that
    help keep customers' payment card information
    safe.
  • Compliance with PCI DSS guidelines is required;
    non-compliance, in the event of data exposure,
    may result in significant fines for the merchant
    (i.e., MSU): $500,000 and up.

3
When do the new rules take effect?
June 2005
4
PCI DSS Project Team
  • Mary Nelson, Manager of the MSU Cashier's Office,
    is leading the project.
  • Administrative Information Services (AIS),
    Academic Computing and Network Services (ACNS)
    and Internal Audit are helping coordinate the
    work across campus.

5
Who is affected?
Every college and department at MSU that accepts
payment cards, regardless of the amounts
involved, must comply with Payment Card Industry
Data Security Standards.
6
MSU Merchant Classification
  • There are two basic types of payment card
    compliance groups at MSU:
  • Offices that use processing software which runs
    on servers owned and managed by that office
    (Complex Compliance Group).
  • Offices that process payments through webCredit
    or card-swipe terminals or that use an outside
    vendor to process payments (Simplified Compliance
    Group).

7
Warning!
If you believe that you belong to the Simplified
Compliance Group, but store payment card
information such as payment card account numbers
and expiration dates on servers (data, fax,
imaging) or on desktop PCs, you may actually
belong to the Complex Compliance Group. More
information on this topic later.
8
What are the compliance categories?
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

9
Build and maintain a secure network
  • Requirement 1: Install and maintain a firewall
    configuration to protect data
  • Requirement 2: Do not use vendor-supplied
    defaults for system passwords and other security
    parameters

10
Protect cardholder data
  • Requirement 3: Protect stored data
  • Requirement 4: Encrypt transmission of
    cardholder data and sensitive information across
    public networks

11
Maintain a vulnerability management program
  • Requirement 5: Use and regularly update
    anti-virus software
  • Requirement 6: Develop and maintain secure
    systems and applications

12
Implement strong access control measures
  • Requirement 7: Restrict access to data by
    business need-to-know
  • Requirement 8: Assign a unique ID to each person
    with computer access
  • Requirement 9: Restrict physical access to
    cardholder data

13
Regularly monitor and test networks
  • Requirement 10: Track and monitor all access to
    network resources and cardholder data
  • Requirement 11: Regularly test security systems
    and processes

14
Maintain an information security policy
  • Requirement 12: Maintain a policy that addresses
    information security

15
Merchant Classification Review
  • Offices that use processing software which runs
    on servers owned and managed by that office:
    Complex Compliance Group.
  • Offices that process payments through webCredit
    or card-swipe terminals or that use an outside
    vendor to process payments: Simplified Compliance
    Group.

Which group do you belong to?
16
How do we prove we're compliant?
  • Complete relevant sections of the PCI
    Self-Assessment Questionnaire (both merchant
    types).
  • Submit payment card servers to vulnerability
    scans by approved vendor at least quarterly
    (Complex Compliance Group only). The company
    chosen to do scans at MSU is Ambiron TrustWave.

17
Compliance for Complex Compliance Merchants
  • We believe we have talked with all Complex
    Compliance Group merchants at MSU. If we have
    not yet contacted you and you believe you belong
    in this group, please contact Mary Nelson at
    355-5023, ext 150 or at nelsonm_at_ctlr.msu.edu.
    Scanning of payment card servers and completion
    of the entire PCI DSS Self-Assessment
    Questionnaire will be required and scanning is
    targeted to be completed by December 31, 2005.

18
Compliance for Simplified Compliance Merchants
  • How do you process payments?
  • Through MSU's webCredit
  • Through a company you contract with to handle
    your payment card processing
  • Using a card-swipe terminal
  • Using a card-swipe terminal attached to a
    PC-style cash register

19
Compliance for Simplified Compliance Merchants
(cont)
  • How do you receive payment card information from
    your customers?
  • Customer-entered through a web store front
  • Via US Mail
  • Via e-mail
  • Via paper fax or fax server
  • Over the phone
  • In person

20
Compliance for Simplified Compliance Merchants
(cont)
  • Do you store payment card information?
  • On paper
  • On card-imprint carbon forms
  • In a computer file, spreadsheet, database,
    imaging server, fax server or as e-mail
    attachments
  • On audit tapes from card-swipe terminals
  • On backup/storage media such as tape, microfilm,
    CD or DVD, etc.

21
What's next?
  • If you can get rid of stored payment card
    information, do it.
  • If you accept payment card information from
    customers via e-mail, unsecured web form, fax
    server or network-attached fax, find another way;
    this is not safe.
  • If you store payment card numbers and expiration
    dates in order to process future or multiple
    payments, consider another method. webCredit can
    handle scheduled payments.

22
What's next? (cont)
  • Review the relevant portions of the PCI Data
    Security Standards.
  • Modify office procedures and policies as needed.
  • Restrict payment card information to personnel
    with a need to know.
  • Prepare to complete the appropriate portions of
    the PCI DSS Self-Assessment Questionnaire which
    will be forwarded to Mary Nelson (details to
    follow).

23
What's next? (cont)
  • If you contract with an outside vendor to process
    payment card payments on your behalf, consult
    with that vendor to ensure that compliance is
    guaranteed.
  • Offices that do not comply risk having the
    ability to accept payment card payments revoked
    by the MSU Controller's Office.

24
PCI DSS Self-Assessment Questionnaire Sample
Questions
3.1 Is sensitive cardholder data securely
    disposed of when no longer needed?
3.2 Is it prohibited to store the full contents of
    any track from the magnetic stripe (on the back
    of the card, in a chip, etc.) in the database,
    log files, or point-of-sale products?
3.3 Is it prohibited to store the card-validation
    code (three-digit value printed on the signature
    panel of a card) in the database, log files, or
    point-of-sale products?
3.4 Are all but the last four digits of the
    account number masked when displaying cardholder
    data?
3.5 Are account numbers (in databases, logs,
    files, backup media, etc.) stored securely, for
    example by means of encryption or truncation?
3.6 Are account numbers sanitized before being
    logged in the audit log?
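Questions 3.4 and 3.6 describe a control that is easy to state and easy to get wrong in practice: account numbers must be masked to the last four digits wherever they are displayed or written to an audit log. The following is an added example (not from the MSU deck or the PCI SAQ) that finds Luhn-valid account-number candidates in constructed log lines and masks them, leaving order ids and timestamps that merely look numeric untouched.

```python
import re

# Added example for SAQ 3.4 / 3.6 (not part of the original presentation).
# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# hyphens, and not adjacent to other digits.
_PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """SAQ 3.4: keep only the last four digits; separators are dropped."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_log_line(line: str) -> str:
    """SAQ 3.6: replace every Luhn-valid PAN candidate with its masked form.
    Digit runs that fail Luhn (order ids, timestamps) are left as they are."""
    def _replace(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _PAN_CANDIDATE.sub(_replace, line)


def sanitize_log(lines):
    return [sanitize_log_line(line) for line in lines]


# Constructed sample audit-log lines. 4111111111111111 and 5500000000000004
# are publicly known test card numbers, not real accounts.
SAMPLE_LOG = [
    "2005-06-01 10:02:11 order=20050601123 card=4111111111111111 amount=42.00",
    "2005-06-01 10:03:45 order=20050601124 card=5500 0000 0000 0004 amount=9.99",
    "2005-06-01 10:04:02 order=20050601125 card=1234567890123 declined",
]

if __name__ == "__main__":
    for out in sanitize_log(SAMPLE_LOG):
        print(out)
```

The third line is left unchanged because 1234567890123 fails the Luhn check, which keeps the sanitizer from mangling unrelated numeric fields.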
25
Sample Questions (cont)
4.1 Are transmissions of sensitive cardholder
    data encrypted over public networks through the
    use of SSL or other industry acceptable
    methods?
4.2 If SSL is used for transmission of sensitive
    cardholder data, is it using version 3.0 with
    128-bit encryption?
4.5 Is encryption used in the transmission of
    account numbers via e-mail?
26
Sample Questions (cont)
5.1 Is there a virus scanner installed on all
servers and on all workstations, and is the virus
scanner regularly updated?
27
Sample Questions (cont)
7.1 Is access to payment card account numbers
restricted for users on a need-to-know basis?
28
Sample Questions (cont)
8.1 Are all users required to authenticate using,
    at a minimum, a unique username and password?
8.2 If employees, administrators, or third parties
    access the network remotely, is remote access
    software (such as PCAnywhere, dial-in, or VPN)
    configured with a unique username and password
    and with encryption and other security features
    turned on?
8.3 Are all passwords on network devices and
    systems encrypted?
8.4 When an employee leaves the company, are that
    employee's user accounts and passwords
    immediately revoked?
8.5 Are all user accounts reviewed on a regular
    basis to ensure that malicious, out-of-date, or
    unknown accounts do not exist?
8.6 Are non-consumer accounts that are not used
    for a lengthy amount of time (inactive accounts)
    automatically disabled in the system after a
    pre-defined period?
29
Sample Questions (cont)
8.7 Are accounts used by vendors for remote
    maintenance enabled only during the time needed?
8.8 Are group, shared, or generic accounts and
    passwords prohibited for non-consumer users?
8.9 Are non-consumer users required to change
    their passwords on a predefined regular basis?
8.10 Is there a password policy for non-consumer
    users that enforces the use of strong passwords
    and prevents the resubmission of previously used
    passwords?
8.11 Is there an account-lockout mechanism that
    blocks a malicious user from obtaining access to
    an account by multiple password retries or brute
    force?
30
Sample Questions (cont)
9.1 Are there multiple physical security controls
    (such as badges, escorts, or mantraps) in place
    that would prevent unauthorized individuals from
    gaining access to the facility?
9.2 If wireless technology is used, do you
    restrict access to wireless access points,
    wireless gateways, and wireless handheld
    devices?
9.3 Are equipment (such as servers, workstations,
    laptops, and hard drives) and media containing
    cardholder data physically protected against
    unauthorized access?
31
Sample Questions (cont)
9.4 Is all cardholder data printed on paper or
    received by fax protected against unauthorized
    access?
9.5 Are procedures in place to handle secure
    distribution and disposal of backup media and
    other media containing sensitive cardholder
    data?
9.6 Are all media devices that store cardholder
    data properly inventoried and securely stored?
9.7 Is cardholder data deleted or destroyed before
    it is physically disposed of (for example, by
    shredding papers or degaussing backup media)?
32
Sample Questions (cont)
12.1 Are information security policies, including
    policies for access control, application and
    system development, operational, network and
    physical security, formally documented?
12.2 Are information security policies and other
    relevant security information disseminated to
    all system users (including vendors,
    contractors, and business partners)?
12.3 Are information security policies reviewed
    at least once a year and updated as needed?
12.4 Have the roles and responsibilities for
    information security been clearly defined
    within the company?
12.5 Is there an up-to-date information security
    awareness and training program in place for all
    system users?
12.6 Are employees required to sign an agreement
    verifying they have read and understood the
    security policies and procedures?
33
Sample Questions (cont)
12.7 Is a background investigation (such as a
    credit- and criminal-record check, within the
    limits of local law) performed on all employees
    with access to account numbers?
12.8 Are all third parties with access to
    sensitive cardholder data contractually
    obligated to comply with card association
    security standards?
12.9 Is a security incident response plan formally
    documented and disseminated to the appropriate
    responsible parties?
12.10 Are security incidents reported to the
    person responsible for security investigation?
12.11 Is there an incident response team ready to
    be deployed in case of a cardholder data
    compromise?
34
Proposed Requirements for University Units that
Accept Payment Cards
  • Units must comply with all Payment Card Industry
    Data Security Standard (PCI DSS) requirements.
    Any exceptions must be approved by the
    Controller's Office, based on the University's
    payment card processor accepting alternate
    control measures.

35
Proposed Requirements (cont)
  • Simplified compliance requirements apply to units
    that use only:
  • Non-internet-attached card-swipe systems
  • Paper-based payment card processes, or
  • Centrally provided (webCredit) payment card
    processing with no unit-based electronic storage
    of payment card numbers.

36
Proposed Requirements (cont)
  • Units must obtain Controller's Office approval
    before:
  • Developing or purchasing computer-based systems
    that store or process payment card data
  • Contracting with a payment card
    acceptance/processing entity outside the
    University
  • Storing cardholder data that includes payment
    card numbers on unit-controlled networked systems
    (including but not limited to storage in
    spreadsheets, word processing documents, imaging
    systems, networked fax servers, etc.)

37
Proposed Requirements (cont)
  • Every merchant unit must:
  • Perform a risk assessment for payment card
    operations at least once per year, or when
    procedures or technology change.
  • Respond to periodic questionnaires or surveys
    when requested by the Controller's Office, to
    confirm your unit's ongoing PCI DSS compliance.
  • Document who (positions or persons) is
    responsible for payment card data security in the
    unit.
  • Have written operational procedures for payment
    card acceptance and related processes.

38
Proposed Requirements (cont)
  • Every merchant must:
  • Review and update, as needed, all required
    payment card related policies, procedures and
    documentation, at least once per year.
  • Define, in writing, security responsibilities for
    all employees and contractors who have access to
    payment card data.
  • Educate all employees about the importance of
    cardholder data security at inception of duties
    involving cardholder data, and on an ongoing
    basis.
  • Require employees to acknowledge in writing that
    they have read and understood University and
    departmental payment card data security policies
    and procedures.

39
Proposed Requirements (cont)
  • Every merchant must:
  • Screen employees, contractors, or volunteers who
    will have access to more than one card number at
    a time. (Note: University background checks for
    regular employees are sufficient to meet this
    requirement; units that involve student or other
    employees are responsible for screening.)
  • Remove access to payment card related systems or
    data immediately when employees, contractors or
    volunteers cease duties related to payment card
    processing.
  • Prohibit use of wireless communications to access
    payment-card-related computer systems.

40
Proposed Requirements (cont)
  • Every merchant must:
  • Prohibit solicitation of payment card data from
    customers by e-mail
  • Appropriately secure all records that include
    payment cardholder data, including physical
    security of paper materials.
  • Report any potential exposure (to unauthorized
    parties) or loss of cardholder data to the
    Controller's Office (CO) immediately.
  • Contractually require third parties with access
    to cardholder data to adhere to PCI DSS
    requirements.
  • Assume responsibility for payment card industry
    financial penalties that may arise out of unit
    non-compliance with PCI DSS requirements.

41
Proposed Requirements (cont)
  • Units with computer-based systems that store or
    process payment card data must additionally:
  • Complete a full PCI DSS self-assessment
    questionnaire annually.
  • Submit to and pay for vulnerability scanning of
    payment-card systems as required by PCI DSS.
  • Maintain payment-card-related systems on a
    subnetwork segmented to limit scanning
    requirements to appropriate unit-based systems.
    (Network configuration guidance is available from
    the Academic Computing and Network Services (ACNS)
    Network Security group.)

42
Proposed Requirements (cont)
  • Units with computer-based systems that store or
    process payment card data must additionally:
  • Obtain Controller's Office approval for
    significant changes of configuration of payment
    card processing or storage hardware, software or
    network.
  • Review PCI DSS requirements in full, and comply
    with all PCI DSS requirements applicable to their
    technical and systems management environment. Any
    exceptions must be approved by the Controller's
    Office, based on the University's credit card
    processor accepting alternate control measures.

43
Proposed Requirements (cont)
  • Units that contract with a payment card
    acceptance/processing entity outside the
    University must ensure, via contract provisions,
    that the entity is compliant with PCI DSS
    requirements.

44
Web Sites of Interest
  • Payment Card Industry Data Security Standards
    http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf
  • PCI Self-Assessment Questionnaire
    https://sdp.mastercardintl.com/pdf/758_PCI_Self_Assmnt_Qust.pdf
  • VISA Security Information web site
    http://www.visa.com/cisp
  • Managing Sensitive Data Initiative web site
    http://lct.msu.edu/security
  • Ambiron TrustWave
    http://www.atwcorp.com/

45
Contact Information
  • Contract review/questions, business office
    practices
  • Mary Nelson, Controller's Office
  • 355-5023, ext 150 or nelsonm_at_ctlr.msu.edu
  • Questions about webCredit
  • 353-4420, ext 311 or webcredit_at_ais.msu.edu
  • Network configuration and security
  • Joe Budzyn, ACNS
  • 432-7448 or budzyn_at_msu.edu
  • Audit Concerns
  • Rob Humphrey
  • 355-5030 or humphr70_at_msu.edu

46
Questions?