Complying With Payment Card Industry Data Security Standards (PCI DSS)

Date post: 19-Jan-2016
Page 1: Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)

Page 2

PCI DSS Overview

We live and work in a global community. Most of us give very little thought to handing over our credit or debit card to complete strangers or entering our card data into a website.

We do this in good faith, expecting that our information will be protected. Yet, each year millions of Americans are affected by credit card theft.

Page 3

PCI DSS Overview

Confident that their data is safe, individuals engage in payment card activity with Longwood University daily.

As a University employee, temporary hire, student or volunteer who processes payment card transactions, you are responsible for protecting and securing cardholder data at all times.

They depend on us to protect their cardholder and other personal information. We must maintain a secure data environment; loss of consumer confidence can have serious repercussions for our institution.

Page 4

PCI DSS Overview

Data Security Breaches – Past 3 Years (Source: Privacy Rights Clearinghouse)

Higher Education      33%
Retailers             22%
Other                 17%
Financial Services    14%
Healthcare             8%
Government             6%

Education is at risk: While many departments want to accept credit cards, they have different needs and some have little or no knowledge of credit card security requirements.

Page 5

PCI DSS Overview

Payment Card Industry Data Security Standards (PCI DSS) are administered by the PCI Security Standards Council, which was founded by VISA, MC, AMEX, DISCOVER, and JCB.

Page 6

PCI DSS Overview

PCI DSS applies to all entities that store, process or transmit credit card data. If you are a merchant who accepts or processes payment cards, you MUST comply with PCI DSS!

Entities in the Payment Card “Ecosystem”:

PCI Security Standards Council (PCI SSC): Founded by card associations and responsible for administering PCI DSS

PCI Data Security Standards (PCI DSS): Technical and operational requirements set by PCI SSC to protect cardholder data

Cardholder: Person holding a credit or debit card

Card Associations (Brands) – VISA, MC, AMEX, Discover, JCB: Enforce compliance with the PCI DSS

Page 7

PCI DSS Overview

Entities in the Payment Card “Ecosystem”:

Issuing Bank: Bank that issues payment cards to consumers (cardholders)

Acquiring Bank: Contracts for payment services with the merchant; the merchant must validate PCI DSS compliance with its “acquirer”; the acquirer reports compliance status to the card associations

Merchant: Entity that sells goods/services and accepts cards; responsible for safeguarding credit card data and complying with the PCI DSS

Service Provider: Entity that provides all or some of the payment services for the merchant; responsible for safeguarding credit card data and complying with the PCI DSS

Page 8

PCI DSS Overview

The goal of PCI DSS is to protect cardholder data whenever it is processed, stored or transmitted. Sensitive authentication data (magnetic stripe data, chip data, CAV2/CID/CVC2/CVV2) must NEVER be stored after authorization.

Page 9

PCI DSS Overview

The Self-Assessment Questionnaire (SAQ) is a tool by which eligible merchants and service providers can validate their PCI DSS compliance through self-assessment.

SAQ A (13 questions): All cardholder data functions outsourced; no electronic storage, processing or transmission of cardholder data

SAQ B (29 questions): Imprint machines or standalone dial-out terminals only; no electronic cardholder data storage

SAQ C-VT (51 questions): Web-based virtual terminal; no electronic cardholder data storage

SAQ C (80 questions): Payment application connected to the internet; no electronic cardholder data storage

SAQ D (286 questions): All other methods

Page 10

PCI DSS: 6 Goals, 12 Requirements

Goal 1: Build and maintain a secure network
  Requirement 1. Install and maintain a firewall configuration to protect data
  Requirement 2. Change vendor-supplied defaults for system passwords and other security parameters

Goal 2: Protect cardholder data
  Requirement 3. Protect stored data
  Requirement 4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks

Goal 3: Maintain a vulnerability management program
  Requirement 5. Use and regularly update antivirus software
  Requirement 6. Develop and maintain secure systems and applications

Goal 4: Implement strong access control measures
  Requirement 7. Restrict access to data to a need-to-know basis
  Requirement 8. Assign a unique ID to each person with computer access
  Requirement 9. Restrict physical access to cardholder data

Goal 5: Regularly monitor and test networks
  Requirement 10. Track and monitor all access to network resources and cardholder data
  Requirement 11. Regularly test security systems and processes

Goal 6: Maintain an information security policy
  Requirement 12. Maintain a policy that addresses information security

Page 11

What Does This Mean For Longwood?

PCI DSS applies to you if you store, process or transmit cardholder data (in person, by mail, fax or phone, or online) or you use a system that processes or stores credit card data. You must…

Evaluate your credit card acceptance activities and determine validation requirements (based on merchant level, card acceptance and processing methods)

Validate PCI compliance with our “Acquirer” annually using the Self-Assessment Questionnaire

Page 12

What Does This Mean For Longwood?

Participate in annual credit card security awareness training

Develop and comply with payment card acceptance policies/procedures

Maintain appropriate technical system security and network controls

Page 13

PCI DSS Compliance is a Continuous Process

ASSESS: Examine the cardholder environment

REMEDIATE: Resolve vulnerabilities

REPORT: Submit compliance reports

Page 14

What Are The Consequences Of Noncompliance?

Consequences of noncompliance with PCI data security standards include:

Loss of reputation and customers

Financial fees and fines

Litigation or sanctions

Termination of credit card payment acceptance

Page 15

Best Practices

All merchants must adhere to PCI standards and certify compliance with applicable standards annually.

Merchants will abide by University policy and procedures.

Departments may not negotiate contracts with credit card processing companies or companies accepting credit card payments. All merchant accounts for accepting credit cards must be approved by Financial Operations.

Do not store credit card data unless required to conduct departmental business. Never store credit card numbers electronically in a database or spreadsheet, on portable media or on share drives.

Do not store full cardholder account numbers (PAN) with expiration dates. Mask all but the last 4 digits of the credit card number.
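As an added example (not part of the Longwood deck), the check a defender would run against the spreadsheets and share drives this slide says must never hold card numbers: a small Python scanner that finds Luhn-valid card numbers in constructed sample text and renders each one with all but the last four digits masked, as the slide requires. The sample rows, the field names and the function names are assumptions.

```python
import re

# Constructed sample text standing in for a departmental spreadsheet export.
# The card numbers are well-known synthetic test numbers, not real accounts;
# the "B. Lee" row is a random digit run that should NOT be flagged.
SAMPLE_TEXT = """\
Customer,Amount,Card
J. Doe,120.00,4111 1111 1111 1111
A. Smith,45.50,5500-0000-0000-0004
B. Lee,10.00,1234 5678 9012 3456
Invoice,99.00,378282246310005
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check; drops random digit runs such as phone or invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as the deck requires: mask all but the last four digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid PAN found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_PATTERN.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form; other digits stay."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_PATTERN.sub(repl, text)
```

Running `find_pans` over an exported file lists the line numbers that need remediation without copying the full PAN into the report; `redact` produces a copy that is safe to keep.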

Page 16

Best Practices

Never store sensitive authentication data - magnetic stripe data, chip data, the CAV2/CVC2/CVV2/CID, or the PIN/PIN block - under any circumstances.

Always protect cardholder data against unauthorized access. Keep credit card information locked in a secure location.

Do not allow unauthorized persons access to areas where credit card data is stored. Restrict physical access to computer workstations and other equipment used in credit card payment processing.

Permit only those employees with a legitimate “need to know” access to cardholder data.

Destroy documentation containing credit card information when no longer needed for business or legal reasons.

Page 17

Best Practices

Each employee with access to payment card information via computer should have a unique login or password. Log out of the computer when it is unattended. Never share passwords or user IDs.

Limit user access to specified privileges.

Never use vendor-supplied default passwords. Passwords should be changed regularly – at least every 90 days.

Ensure computers handling credit card data possess updated versions of University-recommended antivirus and spyware detection software.

Page 18

Best Practices

Do NOT request, send or accept payment card information by email. If you receive cardholder data via email, do NOT process the transaction. Make the sender aware that, for their safety, they should never email credit card information. Remove the cardholder data when responding and direct them to an approved processing method. Delete the email containing cardholder data completely from your email account.

Maintain up-to-date policies and procedures, including departmental desktop procedures.

Complete annual credit card security training upon hire and at least annually.

Any confirmed or suspected breach should be reported immediately to the Information Security Office.

Page 19

Questions?

Director of Cashiering & Student Accounts: 434.395.2270

Information Security Office: 434.395.2034
