Slide 1

1 PCI Compliance Training University of Nevada, Reno Presented by The Controllers Office Slide 2 2 PCI Compliance In 2008, UNR reached an e commerce transaction volume threshold requiring the university to follow the Payment Card Industry Data Security Standards (PCI-DSS). In response to this requirement, UNR has developed an information security policy related to credit card processing by university departments. This training will provide you with an over view of the policies and procedures you must follow in order to continue to receive payments via credit card. Slide 3 3 What is PCI Compliance? The PCI-DSS Program is a mandated set of security standards created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands. The PCI-DSS requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The requirements apply to all methods of credit card processing, the most comprehensive and demanding of which apply to e commerce websites, and retail POS systems that process credit cards over the Internet. Slide 4 4 PCI Compliance Policy Roles and Responsibilities All employees, contractors, vendors and third-parties that use, maintain or handle UNR information assets must follow this policy. The following university positions and departments have responsibilities related to the development, monitoring and enforcement of this policy. Chief Information and Chief Security Officers - The Chief Information Officer, Steve Zink, is responsible for coordinating and overseeing UNRs compliance regarding the confidentiality, integrity and security of its information assets. The Chief Security Officer, Jeff Springer, works closely with the Chief Information Officer and other UNR managers and staff involved in securing the universitys information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed. Slide 5 5 PCI Compliance Policy Roles and Responsibilities Network Security Department - The Network Security Department works with department system managers, administrators and users to develop security policies, standards and procedures to help protect the assets of UNR. IT Critical Systems Group - UNR IT Critical Systems Group is the direct link between information security policies and the network, systems and data. Human Resources - The Human Resources Department will, when requested by the department, perform background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information. Slide 6 6 PCI Compliance Policy Roles and Responsibilities University Departments Departments are responsible for ensuring that reference checks are done on all classified and professional employees hired. Departments will request that Human Resources conduct background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information. Departments will enter termination information into the Employee Separation Notification form on the HR website which generates an email sent to the notification group which notifies Computing and Telecommunications when any employee is terminated. This will result in the employees access being terminated for all university PCI systems. Slide 7 PCI Compliance Policy Roles and Responsibilities BCN Purchasing Department The Purchasing Department will ensure third parties, with whom cardholder data is shared, are contractually required to adhere to the PCI-DSS requirements and to acknowledge they are responsible for the security of the cardholder data which they process. Controllers Office The Controllers Office will verify that all employees responsible for processing credit card payments attend a security awareness training upon hire and at least annually. If training is not completed, then the departments merchant number will be deactivated. 7 Slide 8 8 PCI Compliance Policy Roles and Responsibilities Each user of UNR computing and information resources must realize the fundamental importance of information resources and recognize their responsibility for safekeeping those resources. The following are specific responsibilities of all UNR information system users: Understand what the consequences of their actions are with regard to computing security practices and act accordingly. Embrace the Security is everyones responsibility philosophy to assist UNR in meeting its business goals. Maintain awareness of the contents of the information security policies. Employees must read and sign the UNR Security Awareness and Acceptable Use Policy and accept the Campus Use Agreement during the NetID activation process and annually thereafter. All users must accept the Campus Use Agreement during the NetID activation process. Slide 9 9 PCI Compliance Data Access General Access All confidential or sensitive data must be protected via access controls to ensure that data is not improperly disclosed, modified, deleted or rendered unavailable. Employees will only be authorized to view information based on what is required to perform their job. Slide 10 10 PCI Compliance Data Access Data Access Request Process-PCI Network As part of the PCI compliance process at UNR a separate PCI network has been established to process credit card transactions for certain campus software applications such as the WolfCard and the bookstore. Employees needing access to this network will be required to complete an additional security application and have a separate login and password. Shared or group user IDs are never permitted for user-level access. Every user must use a unique user ID and a personal secret password for access to UNR information systems and networks. Slide 11 11 Credit Card Processing Methods of accepting credit card numbers Departments may receive credit card numbers by phone, fax or mail. After the authorization for the charge is received the credit card number must be shredded or if retained, it must be kept in a locked, secure location and shredded after 120 days. Only employees with a business need to know should have access to the stored receipts. Credit card numbers may not be received via email, this is not a secure transmission method. If an email is received do not process the payment. Respond to the sender that the payment cannot be processed through an email request. Make sure the credit card number does not appear in your response. Immediately delete the original email containing the credit card number. Slide 12 12 Credit Card Processing Methods of Processing credit card transactions: Using credit card terminals that are connected to the bank via an analog phone line or an IP connection. A website hosted by the university where the credit card payment is made via a third party processor, such as Authorize.net. A website hosted by a third party. Manual credit card machines that make an imprint of the credit card are not allowed. Use of credit card terminals off campus for special events must be connected via an analog phone line to be PCI compliant. Departments are not allowed to enter a credit card number using a UNR computer unless the computer is dedicated for this purpose only and has been set up by Network Security in the PCI network. Slide 13 Credit Card Processing PCI rules and procedures apply to university pcards and transactions between departments. University pcard numbers may not be stored in any electronic format, but may be stored on a hard copy which is kept in a locked, secure location. NRS 597.945 prohibits a business from printing more than the last 5 digits of a credit card number on any copy of the receipt. All departments should have been contacted by Wells Fargo Bank in December 2009 or January 2010 to modify existing or replace existing credit card terminals so that they meet this requirement. 13 Slide 14 Incident Response Plan and Procedures Incident Identification Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day to day activities include, but are not limited to: Theft, damage, or unauthorized access (e.g., unauthorized logins, papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry) Fraud Inaccurate information within databases, logs, files or paper records 14 Slide 15 Incident Response Plan and Procedures Incident Identification (continued) Abnormal system behavior (e.g., unscheduled system reboot, unexpected messages, abnormal errors in system log files or on terminals). Security event notifications (e.g., file integrity alerts, intrusion detection alarms, and physical security alarms). All employees, regardless of job responsibilities, should be aware of the potential incident identifiers and who to notify in these situations. 15 Slide 16 Incident Response Plan and Procedures With the exception of steps outlined below, it is imperative that any investigative or corrective action be taken only by Network Security Department personnel to assure the integrity of the incident investigation and recovery process. When faced with a potential situation you should do the following: If the incident involves a compromised computer system. Do not alter the state of the computer system. The computer system should remain on and all currently running computer programs left as is. Do not shutdown the computer or restart the computer. 16 Slide 17 Incident Response Plan and Procedures Immediately disconnect the computer from the network by removing the network cable from the back of the computer. Document any information you know while waiting for the Network Security Department to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner. 17 Slide 18 Incident Response Plan and Procedures Reporting and Incident Declaration Procedures The Network Security Department should be notified immediately of any suspected or real security incidents involving UNR computing assets. If it is unclear as to whether a situation should be considered a security incident, the Network Security Department should be contacted to evaluate the situation. No one should communicate with anyone outside of their supervisor(s) or the Network Security Department about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Network Security Department to the Vice President for Information Technology who will notify the Presidents Office. 18 Slide 19 19 Data Retention Policies Retention Requirements Cardholder data for all transactions should be kept for 120 days. This applies to all cardholder data retained in any kind of format. Cardholder data utilized for recurring transactions may be retained for the lifetime of the customers account with UNR. Once a customers account is disabled or terminated, all the cardholder data for that account must be purged within 120 days of the termination using an approved destruction method. Cardholder authorization data, including track, CVV2, and PIN information, may be retained only until completion of the authorization of a transaction. After authorization, the data must be deleted according to an approved disposal process described in the following section. Storage of cardholder authentication data post-authorization is forbidden. Slide 20 20 Data Retention Policies Hardcopy and Electronic Media Confidential or sensitive information, including credit card information, must never be copied onto removable media without authorization from the Network Security Department. At no time are hardcopy or electronic media containing confidential or sensitive information to be removed from any UNR secure office environment. The credit card number may not be kept in any electronic format, including Excel spreadsheets or USB thumb drives. All hardcopy documents containing credit card information currently in on or off-campus storage that are older than 3 years should be shredded. At the end of each of the next 3 years the oldest years documents should be shredded so that at the end of the 3 year period all credit card documents will be retained for a period of 120 days only. Slide 21 21 Data Disposal Policy Hardcopies (paper receipts, paper reports, and faxes): should be cross- cut shredded, incinerated, or pulped. A record must be maintained that indicates the records disposed of and the date of disposal. Before computer or communications equipment can be sent to a vendor for trade-in, servicing or disposal, all confidential or sensitive information must be destroyed or removed according to the approved methods in this policy. Outsourced destruction of media containing confidential or sensitive information must use a bonded Disposal Vendor that provides a Certificate of Destruction. If your department is involved in an audit, investigation, or litigation all destruction of records in your custody must cease. When you are notified that the audit, investigation or litigation is ended or resolved you may destroy documents according to this policy. Slide 22 22 PCI Compliance - Inventory A Media Inventory Log (Appendix D) is to be kept in all secure media (hardcopy and electronic) storage locations. Electronic Media - All stored electronic media containing confidential or sensitive information must be inventoried at least annually by the Network Security Department. At this time, the security controls on the storage mechanism will be checked. Upon completion of the inventory the log will be updated. Hardcopy Media - All stored hardcopy media containing PCI data must be inventoried at least annually by the Campus Department and the Media Inventory Logs must be submitted to the Controllers Office who will verify that all the required logs have been completed. The Controllers Office will submit the forms to Campus Auditors. At this time, the Campus Auditors will check security controls on the storage mechanism and review and approve the log. Slide 23 23 PCI Compliance - Summary All departments and department employees that accept payment via credit card must be aware of and follow the Universitys information security policy and must attend training on the policy annually. Credit card data is confidential data and access to this data should be limited and granted only on a business need to know basis. This access should be terminated whenever an employee changes job duties or terminates employment. Before a web application may be established to accept credit card payments, the department must obtain approval in writing from the Network Security Department Jeff Springer 784-8247 (jeffs@unr.edu) and Rhonda Dome at 784-4297 or Renee Reed at 784-3573.jeffs@unr.edu Slide 24 PCI Compliance - Summary Credit card data is sensitive and confidential and should only be retained as required for business purposes and must be deleted after 120 days. Credit card data may not be kept in any electronic format unless the format and method of storage has prior approval from the UNR Network Security Department. When credit card data is no longer needed or after 120 days, whichever comes first, the data must be deleted using an approved method such as sanitizing, incinerating, pulverizing or shredding. The Network Security Department can provide assistance with data destruction if needed. 24 Slide 25 PCI Compliance - Summary Before computer or communications equipment can be sent to a vendor for trade-in, servicing or disposal, all confidential or sensitive information must be destroyed or removed according to approved removal methods. If your department is involved in an audit, investigation, or litigation all destruction of records in your custody must cease. When you are notified that the audit, investigation or litigation is ended or resolved you may destroy documents according to this policy. 25 Slide 26 Contacts Philomena McCaffrey: Email: philomenam@unr.eduphilomenam@unr.edu Phone: 784-4176 Rhonda Dome Email: rhondad@unr.edu rhondad@unr.edu Phone: 784-4297 Renee Reed Email: rmreed@unr.edurmreed@unr.edu Phone: 784-3573 26