Payment Card Industry Data Security Standard (PCI) Presentation EITAC Jan 2014 Les McDermid January 16, 2014

Upload: jayde-postlewait

Post on 29-Mar-2015


Page 1: Payment Card Industry Data Security Standard (PCI) Presentation EITAC Jan 2014 Les McDermid January 16, 2014

Payment Card Industry Data Security Standard (PCI)

Presentation EITAC Jan 2014

Les McDermid, January 16, 2014

Page 2

Overview

• What is PCI and Why
• Compliance - Risks and Benefits
• Queen’s - Credit Card Acceptance
• Payment Card Industry (PCI) Compliance Implementation Working Group
  o Terms
  o Work Started
• Thoughts
• NCI – Secured Intelligence

Page 3

What is PCI and Why

• Payment Card Industry Data Security Standard (“PCI DSS”)
  o Created by the PCI Council
  o PCI is a comprehensive set of mandated international security requirements developed to protect personal information and ensure security when transactions are processed using a payment

• All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards.

• Level of compliance is based on the volume of transactions, not dollar value ($$)

Page 4

What is PCI and Why

The PCI standards require two types of controls that work in tandem to address payment card security vulnerabilities:

1. Policies and Processes: specific operational policies and procedures that a merchant uses to implement, manage, and maintain the security of card information

2. Technology: the devices (applications) such as software, hardware, and third-party services that are configured to deliver secure payment card processing, transmission and storage

Page 5

What is PCI and Why

• Based on a preliminary, high-level review of these 12 standards by Queen’s IT, we are not in compliance.

Page 6

What is PCI and Why

• The University must be in compliance with PCI DSS as a condition of its continued acceptance of credit cards

• Current agreement with Chase Paymentech states:
  “Each party shall comply with all laws and regulations and Payment Brand Rules applicable to the operation of its business.”

• Queen’s is classified as a merchant since it qualifies under the PCI DSS definition as “an entity that accepts payment cards bearing the logos of any of the five members of the PCI Security Standards Council (AMEX, Discover, JCB, Mastercard or VISA) as payment for goods and services.”

Page 7

Compliance - Risks and Benefits

• Increased consumer confidence (including donors)

• Reduced risk of security breaches

• “Safe Harbour” from punitive fines from selected payment brands if a breach occurs at a certified PCI compliant organization

• Opportunity to better understand and improve the wider internal control environment (i.e., enhanced corporate security strategy)

Page 8

Compliance - Risks and Benefits

• Reputational damage
• Loss of credit card acceptance privileges
• Fines
  o Up to $500,000 per incident
• Lost revenue and downtime for systems that are breached
• Forensic investigation costs
• Reimbursement of fraudulent purchases
• Costs to remedy the problem, including card re-issuance costs, which are borne by the merchant that had the breach
• Requirement to demonstrate a much higher standard of compliance to PCI standards going forward

Page 9

Queen’s - Credit Card Acceptance

• Two acquirers being used:
  o Chase Paymentech
  o Global Payments

• Range of credit card acceptance methods
  o E-commerce, point-of-sale, paper forms, telephone, e-mail, etc.

• Internal Audit report of February 2013
  o Control environment varies by department / merchant
  o Minimal awareness of PCI requirements at the local level
  o Incidences of insecure storage of cardholder data
  o Current University policies and procedures do not address PCI requirements

Page 10

Queen’s - Credit Card Acceptance

Number of Transactions Reported (12 months ending October 31, 2012)

Department / Unit | Chase / Global / AMEX | Totals
(Per-acquirer columns with no transactions did not survive extraction; the figures before the last one in each row are the acquirer counts that were reported, and the last figure is the row total.)

Underground Parking Garage | 27,942 | 27,942
Queen’s Registrar | 15,410, 75 | 15,485
Queen’s Advancement | 13,433, 1,153 | 14,586
Queen’s Athletics and Recreation | 13,767, 375 | 14,142
Queen’s Pay & Display | 12,189, 1,312 | 13,501
Queen’s CTE and PLS | 8,353 | 8,353
Queen’s Univ / Computing Serv. | 5,446, 215 | 5,661
Queen’s Graduate Studies | 4,669, 7 | 4,676
Physical Therapy Clinic | 3,408, 1 | 3,409
Queen’s Univ / Donald Gordon Ctr. | 2,479, 289 | 2,768

Source: Chase Paymentech, Global Payments, and American Express. Does not include refund transactions.

• Total transactions ~ 92,000.
• E-commerce transactions ~ 67,000.

Page 11

Queen’s - Credit Card Acceptance

[Chart: Nature of Revenue Collected Using Payment Cards. Categories: Grants, Contracts, Fees, Tuition, Donations, Sales & Service, External Cost Recoveries, Other. Vertical axis: share of revenue, 0.0% to 50.0% in 5.0% steps. Bar values are not recoverable from the extraction.]

Page 12

Queen’s - Credit Card Acceptance

Page 13

PCI Compliance Implementation Working Group

Payment Card Industry Compliance Implementation Working Group

Objective: To ensure that there are policies and procedures in place that enable the University to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

Page 14

PCI Compliance Implementation Working Group

Responsibilities:

1. To oversee and coordinate the University’s PCI DSS compliance efforts.

2. Provide guidance to the University on payment card best practices and permissible arrangements for payment card acceptance.

3. Develop policies and procedures to ensure that all departments and units of the University adopt and comply with the PCI DSS standards which will allow the University to continue to utilize payment cards (e.g. credit card, debit card, e-commerce transactions).

4. Develop and recommend policies and procedures to enhance the security or service levels for payment card transactions across the University.

5. Develop a policy to address the University’s response to any breaches or potential breaches of cardholder data.

6. Develop a communications strategy to facilitate awareness about the University’s PCI compliance obligations, and ensure that any policies, procedures and best practices are widely disseminated across the University.

Page 15

PCI Compliance Implementation Working Group

PCI Implementation Committee Members

• Gordon Lee - Project Chair, Office of the Treasurer
• Heather Woermke - Co-Chair, Financial Services
• Bo Wandschneider - Co-Chair, ITS
• Beth Readman - Secretary, Office of the AVP (Finance)
• Kellie Hart, Internal Audit
• Tony Overvelde, Financial Services
• Ginette Denford, Student Affairs
• Donna Stover, Parking
• Julie Anne Matias, Faculty of Education
• Les McDermid, Advancement
• George Farah, ITS
• Stacy Shane, Engineering
• Katie McGrath, ITS
• Ray Pengelly, Observer

Page 16

PCI Group - Work Started

RFP - CONSULTING SERVICES FOR PCI DSS COMPLIANCE PROGRAM

Deliverables include:

Queen’s expects the Selected Proponent to address the following areas of work during the Term of the Agreement:

Phase One – Scope Survey
• Surveying the overall current state of PCI DSS compliance at Queen’s;
• Information gathering of design documentation and interviewing of relevant Queen’s departments that accept payment cards;
• Scope assessment of each identified application in terms of PCI compliance, from which Queen’s can determine the ideal strategy to achieve and/or validate compliance; and
• Identifying and exploring the feasibility of scope minimization solutions for compliance.

Phase Two – Applications Assessment - Compliance approach for the selected applications:
• Vulnerability and penetration testing;
• Assessment, gap analysis of policy, procedures, network and system design, application design, logs and monitoring; and
• Report of findings with recommendations and plans for remediation, if necessary.

Page 17

PCI Group - Work Started

Phase Three – Remediation Assistance - Remediation approach for the selected applications:
• Lead presentation and description of remediation plan to relevant technical group(s) and departments; and
• Assistance of an advisory nature with regards to best practices and industry standard approaches to technical groups and departments overseeing a remediation project.

Phase Four – Validation and Certification - Compliance approach for the selected applications:
• Upon completion of the assessment and remediation phases, perform validation tests as a certified QSA and ASV (Approved Scanning Vendor) that may be required for compliance, such as vulnerability scanning and penetration testing; and
• Assistance for application owners with initial Self Assessment Questionnaires (SAQs) and related sign-offs as necessary.

Phase Five – Ongoing PCI DSS Program Establishment – Contributions to the overall PCI compliance program at Queen’s, including:
• Assistance with the development of policies, procedures and standards;
• Knowledge transfer to the internal staff at Queen’s as required; and
• Ability to proceed with other phases concurrently.

Page 18

PCI Group - Work Started: Policy & Procedures Common Themes

• PCI compliance is part of an overall policy on the usage of payment cards for payment of goods and services

• Standing Committee to ensure ongoing PCI compliance and merchant oversight

• Responsibility for compliance and associated costs

• Approval process for obtaining new merchant IDs

• PCI training

• Usage of payment applications

• Treatment of third-parties and affiliated entities

• Policies and procedures for records retention and destruction

Page 19

PCI Group - Work Started: Policy & Procedures Common Themes

• Incident Response Plans

• Consequences of non-compliance

• Overall Responsibilities of:
  o PCI Steering Committee
  o Financial Services / Treasury
  o Information Technology
  o Merchants, Departments, Units
  o Internal Audit
  o Procurement Services

Page 20

Thoughts

• PayPal non-compliant – use will be banned
• Move everything that involves credit card information to a secure environment
• One server for credit card applications
• More rigor when setting up merchant IDs, including training on PCI compliance

Page 21

Initial Observations

Page 22

Initial Observations