Session PCI Information - University Controller's Office
PCI Information Session May 2014 - NCSU PCI Team

Post on 08-Jul-2020

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

PCI Information Session
May 2014 - NCSU PCI Team

Page 2

Agenda
➢ PCI compliance process
➢ Security Training
➢ Why compliance is important
➢ PCI DSS update from NCSU ISA
➢ 2014 attestation process
➢ Questions

Page 3

PCI Compliance Process
Annually:
➢ Complete Assessment Questionnaire
➢ Complete Security Awareness Training & SAQ Training
➢ Update Policy & Procedures
➢ Update Data Flow Diagrams
➢ Sign Merchant Service Agreement
➢ Complete SAQ

Page 4

Security Awareness Training
Login and password will arrive via email for training access from [email protected]

Training must be completed no later than June 20, 2014.

Page 5

Training Example

Page 6

SAQ Training
Training is available now for SAQ B merchants.

Training for SAQ A merchants is provided by Security & Compliance. There may be changes from last year.

Training must be completed prior to SAQ submission.

Page 7

Why is Compliance Important?

Page 8

Why is Compliance Important?
➢ It allows the University to continue to accept credit cards as a form of payment
➢ Demonstrates that the University accepts the responsibility of safeguarding our customers’ payment card data throughout every transaction, and solidifies confidence in protecting data against the hassle and cost of data breaches.

Page 9

Why is Compliance Important?
(Diagram: Compliance vs Security)

Page 10

Why is Compliance Important?
Penalties can be Huge
In the event of a breach the bank can make the merchant responsible for:
• Fines from card associations (up to $500,000)
• Cost to notify victims
• Cost to replace cards
• Cost for any fraudulent transactions
• Forensics
• Level 1 certification - Average cost of QSA report ~ $225,000
Bad Publicity – Priceless!

Page 11

Things to remember…
➢ Check out Merchant Services website frequently

http://controller.ofb.ncsu.edu/merchant-services/

➢ Contact Merchant Services if you have questions

➢ Notify Merchant Services with ANY changes to your business process

Page 12

What’s new for PCI-DSS 3.0
PCI-DSS 3.0 (112 pages):

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Summary of Changes (12 pages):

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf

Mostly clarifications:
64 Clarifications
19 Evolving Requirements
1 Additional Guidance

Page 13

What’s new for PCI-DSS 3.0
Additional Guidance

Added guidance on combining multiple scan reports in order to achieve and document a passing result.

Clarification
Clarified that quarterly internal vulnerability scans include rescans as needed until all “high” vulnerabilities (as identified by PCI DSS Requirement 6.1) are resolved, and must be performed by qualified personnel.

Evolving Requirement
New requirement to implement a methodology for penetration testing.

Page 14

What’s new for PCI-DSS 3.0
Big Changes

SAQs

Data Flow Diagram

Inventory

Service Providers

Antimalware

Physical Protection

Page 15

What’s new for PCI-DSS 3.0
SAQs
SAQ A (14 Questions)

Card not present merchants (ecommerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

SAQ A-EP (139 Questions)
Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Page 16

What’s new for PCI-DSS 3.0
Data Flow Diagram

1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks

1.1.3 Current diagram that shows all cardholder data flows across systems and networks

Page 17

What’s new for PCI-DSS 3.0
Inventory

2.4 Maintain an inventory of system components that are in scope for PCI DSS.

System Components defined on page 10, PCI-DSS 3.0

2.4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.

Page 18

What’s new for PCI-DSS 3.0
Service Providers

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Formal written agreement

Amendment to contract

Modification/Clarification to existing language

Page 19

What’s new for PCI-DSS 3.0
AntiMalware

5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Page 20

What’s new for PCI-DSS 3.0
Physical protection

9.3 Control physical access for onsite personnel to the sensitive areas as follows:

Access must be authorized and based on individual job function.

Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Page 21

New eStore for NCSU
Higher One eStore coming soon.

What’s the plan…
➢ Onboard merchants that have been waiting for an eCommerce solution
➢ Onboard merchants that are not PCI-DSS compliant
➢ Migrate existing eCommerce merchants to the new solution

Timeline is to begin in June 2014.

Page 22

Mobile Payment Options

There are lots of products on the market right now!

FD 400 is current NCSU mobile payment solution. Terminal connects to cellular signal to receive authorization from FDMS.

Hot Topics!!

None of these products are PCI Certified

FD 400 terminal is PCI Certified

Page 23

Questions????