1 PCI Compliance Training University of Nevada, Reno Presented by The Controllers Office

Date posted: 29-Mar-2015
Transcript:
• Slide 1

PCI Compliance Training, University of Nevada, Reno. Presented by The Controller's Office.

• Slide 2: PCI Compliance

In 2008, UNR reached an e-commerce transaction volume threshold requiring the university to follow the Payment Card Industry Data Security Standard (PCI-DSS). In response to this requirement, UNR has developed an information security policy related to credit card processing by university departments. This training will provide you with an overview of the policies and procedures you must follow in order to continue to receive payments via credit card.

• Slide 3: What is PCI Compliance?

The PCI-DSS program is a mandated set of security standards created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands. The PCI-DSS requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The requirements apply to all methods of credit card processing; the most comprehensive and demanding requirements apply to e-commerce websites and retail POS systems that process credit cards over the Internet.

• Slide 4: PCI Compliance Policy - Roles and Responsibilities

All employees, contractors, vendors and third parties that use, maintain or handle UNR information assets must follow this policy. The following university positions and departments have responsibilities related to the development, monitoring and enforcement of this policy.

Chief Information and Chief Security Officers: The Chief Information Officer, Steve Zink, is responsible for coordinating and overseeing UNR's compliance regarding the confidentiality, integrity and security of its information assets. The Chief Security Officer, Jeff Springer, works closely with the Chief Information Officer and other UNR managers and staff involved in securing the university's information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed.

• Slide 5: PCI Compliance Policy - Roles and Responsibilities

Network Security Department: The Network Security Department works with department system managers, administrators and users to develop security policies, standards and procedures to help protect the assets of UNR.

IT Critical Systems Group: The UNR IT Critical Systems Group is the direct link between information security policies and the network, systems and data.

Human Resources: The Human Resources Department will, when requested by the department, perform background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information.

• Slide 6: PCI Compliance Policy - Roles and Responsibilities

University Departments: Departments are responsible for ensuring that reference checks are done on all classified and professional employees hired. Departments will request that Human Resources conduct background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information. Departments will enter termination information into the Employee Separation Notification form on the HR website, which generates an email to the notification group that notifies Computing and Telecommunications when any employee is terminated. This will result in the employee's access being terminated for all university PCI systems.

• Slide 7: PCI Compliance Policy - Roles and Responsibilities

BCN Purchasing Department: The Purchasing Department will ensure that third parties with whom cardholder data is shared are contractually required to adhere to the PCI-DSS requirements and to acknowledge that they are responsible for the security of the cardholder data which they process.

Controller's Office: The Controller's Office will verify that all employees responsible for processing credit card payments attend a security awareness training upon hire and at least annually. If training is not completed, the department's merchant number will be deactivated.

• Slide 8: PCI Compliance Policy - Roles and Responsibilities

Each user of UNR computing and information resources must realize the fundamental importance of information resources and recognize their responsibility for safekeeping those resources. The following are specific responsibilities of all UNR information system users:

- Understand the consequences of their actions with regard to computing security practices and act accordingly.
- Embrace the "Security is everyone's responsibility" philosophy to assist UNR in meeting its business goals.
- Maintain awareness of the contents of the information security policies.
- Employees must read and sign the UNR Security Awareness and Acceptable Use Policy and accept the Campus Use Agreement during the NetID activation process and annually thereafter.
- All users must accept the Campus Use Agreement during the NetID activation process.

• Slide 9: PCI Compliance - Data Access: General Access

All confidential or sensitive data must be protected via access controls to ensure that data is not improperly disclosed, modified, deleted or rendered unavailable. Employees will only be authorized to view information based on what is required to perform their job.

• Slide 10: PCI Compliance - Data Access: Data Access Request Process (PCI Network)

As part of the PCI compliance process at UNR, a separate PCI network has been established to process credit card transactions for certain campus software applications such as the WolfCard and the bookstore. Employees needing access to this network will be required to complete an additional security application and have a separate login and password. Shared or group user IDs are never permitted for user-level access. Every user must use a unique user ID and a personal secret password for access to UNR information systems and networks.

• Slide 11: Credit Card Processing - Methods of accepting credit card numbers

Departments may receive credit card numbers by phone, fax or mail. After the authorization for the charge is received, the credit card number must be shredded or, if retained, kept in a locked, secure location and shredded after 120 days. Only employees with a business need to know should have access to the stored receipts.

Credit card numbers may not be received via email; this is not a secure transmission method. If such an email is received, do not process the payment. Respond to the sender that the payment cannot be processed through an email request, and make sure the credit card number does not appear in your response. Immediately delete the original email containing the credit card number.

• Slide 12: Credit Card Processing - Methods of processing credit card transactions

- Credit card terminals that are connected to the bank via an analog phone line or an IP connection.
- A website hosted by the university where the credit card payment is made via a third-party processor, such as Authorize.net.
- A website hosted by a third party.

Manual credit card machines that make an imprint of the credit card are not allowed. Credit card terminals used off campus for special events must be connected via an analog phone line to be PCI compliant. Departments are not allowed to enter a credit card number using a UNR computer unless the computer is dedicated for this purpose only and has been set up by Network Security in the PCI network.

• Slide 13: Credit Card Processing

PCI rules and procedures apply to university pcards and transactions between departments. University pcard numbers may not be stored in any electronic format, but may be stored on a hard copy which is kept in a locked, secure location. NRS 597.945 prohibits a business from printing more than the last 5 digits of a credit card number on any copy of the receipt. All departments should have been contacted by Wells Fargo Bank in December 2009 or January 2010 to modify or replace existing credit card terminals so that they meet this requirement.

• Slide 14: Incident Response Plan and Procedures - Incident Identification

Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:

- Theft, damage, or unauthorized access (e.g., unauthorized logins, papers missing from their desk, broken locks, missing log files, an alert from a security guard, video evidence of a break-in, or unscheduled/unauthorized physical entry)
- Fraud
- Inaccurate information within databases, logs, files or paper records

• Slide 15: Incident Response Plan and Procedures - Incident Identification (continued)

- Abnormal system behavior (e.g., unscheduled system reboot, unexpected messages, abnormal errors in system log files or on terminals).
- Security event notifications (e.g., file integrity alerts, intrusion detection alarms, and physical security alarms).

All employees, regardless of job responsibilities, should be aware of the potential incident identifiers and who to notify in these situations.

• Slide 16: Incident Response Plan and Procedures

With the exception of the steps outlined below, it is imperative that any investigative or corrective action be taken only by Network Security Department personnel to assure the integrity of the incident investigation and recovery process. When faced with a potential situation you should do the following:

If the incident involves a compromised computer system: Do not alter the state of the computer system. The computer system should remain on and all currently running computer programs left as is. Do not shutdown
