Credit Card Risks: Update on PCI ComplianceMonday, May 23 | 2:40pm – 3:55 | CPE: 2Joe Helmy, VP – Emerging Verticals, MasterCardJennifer Cooperman, MBA, CPFO, Treasurer, City of Portland, ORTod Burton, Financial Planning & Debt Project Manager, Tualatin
Valley Water District, OR
• Payment Card Industry Data Security Standard (PCI DSS)• Framework for a robust payment card security process
including:– Prevention– Detection– Remediation/Mitigation
• Applies to any application that transmits, processes or stores credit card data
• Payment Brands such as the card networks of MasterCard and Visa helped develop the PCI DSS framework
• PCI compliance must be reviewed by a third party, the Qualified Security Accessor (QSA) company
PCI Overview: What is PCI?
• The goal of PCI is to protect cardholder data & sensitive authorization data
• The risk of being non-compliant could lead to data breaches which can impact your organization’s reputation, ability to conduct business, stock prices etc.
• Adhering to the PCI standards helps reduce the risk of potential data breaches
• The PCI DSS Standards are a great resource to help develop and maintain a secure application. They provide guidelines on how credit card data should be transmitted, processed, and stored securely
• Compliance is an ongoing process, not annual!
Why PCI is Important?
• PCI applies to your application if:• You transmit credit card data• You process credit card data• You store credit card data
WHEN DOES PCI RELATE TO ME?
Just one new uncontrolled Wi-Fi access point, unprotected account, or unencrypted drive could take you out of compliance.
2015 Verizon PCI Compliance Report
• Do understand the payment card data flows for the entire transaction process.
• Do retain cardholder data only if there is a business need and authorized. Ensure it’s protected.
• Do mask the Primary Account Number (PAN) whenever it is displayed. The first six and last four digits are the maximum number of digits that may be displayed or first six and any other four (truncation)
• Do document and limit users who need to view full PAN with a business case.
• Do ensure any third parties with access to this data is in compliance with PCI DSS.
Data Storage Do’s & Don'ts
• Don’t store cardholder data unless necessary• Don’t permit any unauthorized people access to stored
credit cardholder data• Don’t store full contents of any track from the card’s
magnetic stripe or chip (referred to as full track, track, track 1, track 2,or magnetic stripe data). If required for business purposes, the cardholder’s name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements.
• Don’t store the Card Verification Code (CVC/CVV) code or PIN/PIN Block
Data Storage Do’s & Don'ts
Portland’s Payment Card Program
2005: Began accepting card payments2006: Deployed internally developed, customized payment gateway2008: Began using a QSA2010: Achieved Level 1 merchant status2016: 82 MIDs, >10 million transactions/year, >$175 million/year
Where We Weren’t Compliant
• Access to payment gateway / PCI data• QA process for payment gateway code• Security policies and procedures• Security patches and passwords• Penetration testing• Monitoring service providers
Changes To Comply With PCI
• Replace payment gateway• Turned off IVR• Stop collecting CVV on recorded calls• VoIP telephony• Point-to-point encryption on devices• Education and awareness• Documentation
What It Took To Get Compliant (1)
• Taking PCI seriously• Having a champion• Working as one organization• Defining PCI as a Citywide project• Retaining on-call PCI audit services• Sharing progress and setbacks with our
bank
What It Took To Get Compliant (2)
• Understanding PCI DSS requirements• Understanding risks of non-compliance• Researching compliant entities• Methodical analysis of each location and
business process• Commitment to reducing PCI scope• Changing business processes and turning
off non-compliant services
Project Challenges
• Enterprise-level project• Education and awareness• Scope identification• Communication platform and plan• Trade-off between business wants and
requirements and need to change
New City Policy On PCI Compliance
• All city bureaus and designated agents to be fully compliant with PCI DSS.
• Treasury SME and Technology SME required in RFP / contract development.
• AOC required from designated agents • Failure to deliver AOC is material breach.• Bureaus to have remediation plans
(including termination) if designated agent cannot deliver AOC.
What Keeps Me Up At Night?
• Will we get compliant before deadline?• What new services are City bureaus
contracting for that involve card processing and PCI data?
• Now that we have policies/procedures, are they being followed?
• Are all designated agents compliant?• What will be in PCI DSS v4.0?
Credit Card Risks: Update on PCI Compliance
Tod Burton, Finance/Debt Project Manager, Tualatin Valley Water District
Overview• About Us
• Steps to PCI Compliance
• Lessons Learned
• The Sweet Side of PCI: Compliance
29
• Special district – only water • Population – 218,000• Service connections – 61,000• Billing for partner entities bringstotal accounts to over 80,000
• Over 500,000 bills sent annually• 70% paid through E‐Commerce methods• 22% paid by credit card…and growing…
Tualatin Valley Water District
Home To:
Steps to PCI Compliance
Institutionalize: Change Management
Policies, Incident Response, PCI Training Culture Changes
Organize Team: System & Customer Focus
Software Development, System Migration
Communications: Customer, Employee, Governing Body
Customer Transition and Volume Planning
Plan: Identify Target SAQ
Where You Are Now (SAQ D?) How to Reach Target (SAQ B Questionnaire)
31
Levels Criteria Required Actions
Level 1 •All merchants processing over 6,000,000 transactions per year
•NEW: Level 1 merchants no longer able to self assess unless they attend PCI DSS QAA training by PCI DSS Council and become accredited (information available in March). Effective 6/30/11
•Annual Onsite PCI DSS audit & ROC validated by a Qualified Security Assessor or Internal Audit (if PCI SSC certified)
•Quarterly Network Security Scan by ASV
Level 2 •Any merchant processing 1,000,000 to 6,000,000 transactions per year
•NEW: Level 2 merchants that conduct self assessment must attend PCI SSC training and become accredited (information available in March). Effective 6/30/11
• Complete self assessment (if PCI SSC certified), or
• Complete an annual onsite assessment conducted by a Qualified Security Assessor
•Quarterly Network Scan by ASV Level 3 •Any merchant processing 20,000 to 1,000,000 Visa or MC
e‐commerce transactions per year•Annual PCI DSS Self‐Assessment Questionnaire
•Quarterly Network Security ScanLevel 4 •Any merchant processing fewer than 20,000 Visa or MC e‐
commerce transactions per year, and all other merchants‐regardless of acceptance channel‐processing up to 1,000,000 Visa or MC trans. per year
•Annual PCI DSS Self‐Assessment Questionnaire
•Quarterly Network Security Scan
PCI/DSS Levels and Validation Requirements
3
SAQ DefinitionsQuestionnaire Definition
SAQ AAddresses requirements applicable to Acceptors that have outsourced all cardholder data storage, processing and transmission.
SAQ A‐EP
Addresses requirements applicable to ecommerce Acceptors that capture the cardholder data as part of the transaction process. This also requires vulnerability scanning and penetration testing on the cardholder data environment.
SAQ BAddresses requirements pertinent to Acceptors that process cardholder data via imprint machine or standalone dial‐up terminals only.
SAQ B‐IPAddresses requirements related to Acceptors cardholder data via a POS terminal using a Ethernet (internet) connection.
SAQ CConstructed to focus on requirements applicable to Acceptors whose payment applications systems are connected to the internet.
SAQ C‐VTDeveloped for Acceptors who process using a virtual terminal (access POS via a hosted user interface).
SAQ D
Addresses requirements relevant to all Acceptors defined by a payment brand as storing cardholder data electronically or those acceptors who do not fall under the types addressed by SAQ A, B or C.
SAQ P2PE‐HWAcceptors using only hardware payment terminals including in a PCI‐SSC listed, validated, P2PE solution, no electronic cardholder data storage.
3
Plan: Identify Target SAQ
• District used Trustwave – Compliance management site used by bank– Provided advice and clarifications
• SAQ B– merchant terminals– 3rd party hosted payment site + payment portal
• Not easy…– Need objective evaluators– Teams are invested in existing systems and processes– Will be expensive, don’t underestimate the costs
34
Organize Team: System & Customer Focus• Project Drivers
– Size and scope of system changes • Utility Billing & Web Site• System migration to Velocity Payment
– Availability of 3rd party providers• Limitations of new system
– Management and governing body oversight– Customer service training and volume management– Billing and payment changes for customers
35
Institutionalize: Change Management• PCI policy requires Cybersecurity policy
• Risk Management is natural fit– PCI Incident Response Plans
• Essential for employees that handle payment card information– PCI Training, PCI Inspection & Auditing, PCI Device Selection
Criteria
• Employee and governing body adoption of new security requirements
36
Lessons Learned• Maturity needed for project
– Organization’s experience with chartered projects – Ability to grasp vision and target environment– The need for team ownership and change management cannot
be overstated
• Do not underestimate the potential customer response
• Coordination with so many partsin flux creates risk– Need to stay on top of risks– Expect on‐going work for at least 6 months post go‐live
37
Resources
www.pcisecuritystandards.org
Best Practices –Treasury and Investment Management Committeewww.gfoa.org/best‐practices
• Your friendly banker and merchant services provider