Page 1: Payment Card Industry Data Security Standardsumanitoba.ca/.../PCI_DSS_Compliance_FinalNov...PDF.pdfPart 3. PCI DSS Validation . Based on the results noted in the SAQ dated Nov 30,

Payment Card Industry Data Security Standards

PCI DSS

Rhonda Chorney Manager, Revenue Capital & General Accounting

Page 2

Today’s Agenda

1. What is PCI DSS?
2. Where are we today?
3. Why is compliance so important?
4. What are the PCI requirements?
5. What’s an SAQ? Attestation of Compliance?
6. The annual compliance cycle.
7. Where can I find more information?

Page 3

What is PCI-DSS?

• PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit and debit card transactions and to protect cardholders against misuse of their personal information.

• The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

Page 4

What is meant by Cardholder Data?

• Cardholder data refers to any information contained on a customer’s payment card. Data is printed on either side of the card and is contained in digital format on the magnetic stripe or in the chip embedded on the front side.

• Cardholder data includes the primary account number (PAN), cardholder name, expiration date and the 3-4 digit card verification number (CVV2).

Page 5

UM Merchant Stats

Merchant Type                                            Number of Merchants   Number of Terminals
Interactive Voice Response (IVR)                         15                    n/a
Point of Sale (POS): Standalone Terminals, Integrated
  with Payment App., POS Batch Software                  39                    69
Web or e-commerce                                        35                    n/a

Page 6

Where are we today?

• In 2010 all merchants completed the Self Assessment Questionnaires and the Attestation of Compliance.

• Three merchants were not compliant at that time: the Main Cashiers Office, Donor Relations, and Kinesiology.

Page 7

Where are we today?

• Feb 2013: we upgraded CORE, the software the cashiers use; once the self-assessment is completed, the Main Cashiers Office will be compliant.

• Oct 2013: Raiser’s Edge has been upgraded for Donor Relations, which will contribute towards becoming compliant. Donor Relations also has online donation forms which must be replaced to bring them to full compliance. This work is forecast to be completed by March 2014.

Page 8

Where are we today?

• Nov 2013: meetings will be initiated with Kinesiology to plan the upgrade to the CLASS application to bring it to PCI DSS compliance.

• The goal is to have the entire U of M PCI compliant by May 2014.

Page 9

Why Is Compliance So Important?

A security breach and subsequent compromise of payment card data has far-reaching consequences:

Loss of reputation

Loss of customers

Potential financial liabilities, such as fines of up to $500,000 for a breach and $10,000 per month for non-compliance

Litigation

Regulatory notification requirements

Loss of merchant status

Page 10

Who Does PCI DSS Apply To?

PCI DSS applies to all organizations that process, store or transmit cardholder data:

merchants

payment card issuing banks

processors

software developers

other vendors

Page 11

What Are the PCI Requirements?

REQUIREMENTS (note: requirements not listed are the responsibility of IST)

3. Protect stored cardholder data (e.g. mask the PAN when displayed; don’t store unnecessary data such as the PIN)

7. Restrict access to cardholder data by business need-to-know (e.g. limit access to system components)

8. Assign a unique ID to each person with computer access

Page 12

What Are the PCI DSS Requirements?

REQUIREMENTS (note: requirements not listed are the responsibility of IST)

9. Restrict physical access to cardholder data

12. Maintain and adhere to a policy that addresses information security for employees and contractors (IST/Financial Services/Merchants)

Page 13

The Self Assessment Questionnaire (SAQ)

Definition

The Self Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants in self-evaluating their compliance with the PCI DSS.

Page 14

The Self Assessment Questionnaire (SAQ)

Eligibility Criteria

Merchants are pre-assigned to an SAQ based on specific eligibility criteria:

• SAQ A: telephone (IVR) or web processing;

• SAQ B: standalone POS terminal;

• SAQ C: card processing via a 3rd party payment application.

Page 15

Self Assessment Questionnaire (SAQ)

• Questions on the SAQs are derived from the PCI Requirements relevant to the merchant type. SAQ A covers Requirements 9 (physical storage of data) and 12 (familiarity with the Cash Control Policy) only. SAQ B adds Requirements 3 and 7. SAQ C adds Requirement 8.

Page 16

Process going forward

• The assigned SAQ and Attestation of Compliance forms will be sent to each merchant owner for completion, within the next week.

• The requested completion date is Nov 30th.

• Forward the completed documents, soft and hard copies, to Alicia Bressani in RCGA for compilation.

Page 17

Self Assessment Questionnaire for POS Merchants (SAQ B)

Requirement 3: Protect stored cardholder data

In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.3).

QUESTION (RESPONSE: YES / NO / N/A)

3.2 Do all systems adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted)?

3.2.1 Do not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. In the normal course of business, the following data elements from the magnetic stripe may need to be retained:

• The cardholder’s name,
• Primary account number (PAN),
• Expiration date, and
• Service code

To minimize risk, store only these data elements as needed for business. NEVER store the card verification code (CVV2) or value or PIN verification value data elements.

3.2.2 NEVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.

3.3 Is the PAN masked when displayed? The cardholder receipt generated by all electronic POS terminals, whether attended or unattended, must reflect only the last four (4) digits of the PAN. All preceding digits of the PAN must be replaced with fill characters, such as “X,” “*,” or “#,” that are neither blank spaces nor numeric characters.

Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN.

Page 18

Requirement 7: Restrict access to cardholder data by business need-to-know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Need-to-know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

QUESTION (RESPONSE: YES / NO / N/A)

7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access?
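The storage rules of Requirement 3 (3.2.1 to 3.2.3 and 3.3, above) and the need-to-know rule of 7.1 are the parts of SAQ B that a batch program or receipt-printing application can enforce in code rather than leave to procedure. The Python below is an added example written for this page; it is not code from the University of Manitoba, TD Merchant Services, Beanstream or the PCI SSC. The field names, the two role names and the sample record are constructed assumptions, and the track-data patterns are approximate shape checks, not a parser for any particular terminal's output.

```python
"""Added example: enforcing SAQ B Requirements 3.2, 3.3 and 7.1 in code.

Not part of the presentation. Field names, roles and the sample record are
constructed assumptions; the track-data patterns are shape checks only.
"""
from __future__ import annotations

import re

# 3.2.1: the elements from the magnetic stripe that may be retained.
RETAINABLE_FIELDS = frozenset({"cardholder_name", "pan", "expiration", "service_code"})

# 3.2.1 to 3.2.3: sensitive authentication data, never stored after authorization.
SENSITIVE_AUTH_FIELDS = frozenset({"track1", "track2", "cvv2", "pin", "pin_block"})

# Full track contents have a recognisable layout: track 2 is ";PAN=YYMM<service
# code><discretionary data>?", track 1 is "%B<PAN>^<name>^YYMM...?". A value of
# that shape is track data whatever key it arrived under (assumed patterns).
_TRACK2_RE = re.compile(r"^;?\d{12,19}=\d{4,}\??$")
_TRACK1_RE = re.compile(r"^%?B\d{12,19}\^[^^]{2,26}\^\d{4,}\??$")


def looks_like_track_data(value: str) -> bool:
    """True when a string has the field-separator layout of track 1 or track 2."""
    return bool(_TRACK1_RE.match(value) or _TRACK2_RE.match(value))


def sanitize_for_storage(record: dict[str, str]) -> dict[str, str]:
    """Keep only the 3.2.1 elements; refuse to proceed if SAD is present.

    Raising makes the write path fail closed: a record that still carries
    CVV2, PIN or track data is never quietly persisted.
    """
    leaked = sorted(
        k for k, v in record.items()
        if k in SENSITIVE_AUTH_FIELDS or looks_like_track_data(v)
    )
    if leaked:
        raise ValueError(f"sensitive authentication data must not be stored: {leaked}")
    return {k: v for k, v in record.items() if k in RETAINABLE_FIELDS}


def mask_pan(pan: str, fill: str = "*") -> str:
    """3.3: show only the last four digits; fill is neither blank nor numeric."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    if len(fill) != 1 or fill.isspace() or fill.isdigit():
        raise ValueError("fill must be one non-blank, non-numeric character")
    return fill * (len(digits) - 4) + digits[-4:]


# 7.1: each (hypothetical) role sees only the fields its job needs. The
# unmasked PAN is reserved for a role with a documented need (the 3.3 note).
ROLE_VIEWS = {
    "cashier": {"fields": {"cardholder_name", "pan", "expiration"}, "full_pan": False},
    "chargeback_analyst": {"fields": set(RETAINABLE_FIELDS), "full_pan": True},
}


def view_for_role(record: dict[str, str], role: str) -> dict[str, str]:
    """Return the need-to-know view of a record; unknown roles get nothing."""
    policy = ROLE_VIEWS.get(role)
    if policy is None:
        raise PermissionError(f"role {role!r} has no business need for cardholder data")
    view = {k: v for k, v in record.items() if k in policy["fields"]}
    if "pan" in view and not policy["full_pan"]:
        view["pan"] = mask_pan(view["pan"])
    return view


# Constructed sample: what a terminal might hand to a batch program, still
# carrying the CVV2 the operator keyed for a card-not-present sale.
SAMPLE_RECORD = {
    "cardholder_name": "A. SAMPLE",
    "pan": "4111 1111 1111 1111",
    "expiration": "2512",
    "service_code": "201",
    "cvv2": "123",
}


def demo() -> dict[str, object]:
    """Run the three controls over the sample record and collect the results."""
    out: dict[str, object] = {}
    try:
        sanitize_for_storage(SAMPLE_RECORD)
    except ValueError as exc:
        out["storage_rejected"] = str(exc)  # CVV2 present: fail closed
    authorized = {k: v for k, v in SAMPLE_RECORD.items() if k != "cvv2"}
    out["stored"] = sanitize_for_storage(authorized)
    out["cashier_view"] = view_for_role(authorized, "cashier")
    out["analyst_view"] = view_for_role(authorized, "chargeback_analyst")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that sanitize_for_storage raises instead of silently dropping the offending fields: a record that still carries CVV2 or track data after authorization is evidence of a process problem upstream, and failing closed surfaces it rather than masking it.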

Page 19

Requirement 9: Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.

QUESTION (RESPONSE: YES / NO / N/A)

9.6 Are all paper and electronic media that contain cardholder data physically secure? (including computers, removable electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes)

9.7 (a) Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? (b) Do controls include the following:

9.7.1 Is the media classified so it can be identified as confidential?

9.7.2 Is the media sent by secured courier or other delivery method that can be accurately tracked?

9.8 Are processes and procedures in place to ensure management approval is obtained prior to moving any and all media containing cardholder data from a secured area (especially when media is distributed to individuals)?

9.9 Is strict control maintained over the storage and accessibility of media that contains cardholder data?

9.10 Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons? Destruction should be as follows:

9.10.1 Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?

Page 20

Requirement 12: Maintain a policy that addresses information security

The University’s Cash Control policy and procedures reference the acceptance and handling of payment cards. Adherence to the terms of these documents is required to ensure information security. *A new information security policy that will address protection of electronic cardholder data is currently being developed by IST.*

UM Cash Control Policy and Procedure Requirements (Additional Information: YES / NO)

Excerpt from Policy Document, Section 2.2: All departments of the University whose activities include the acceptance and handling of cash on the University’s behalf are responsible for ensuring that:

(a) adequate controls and procedures are in place to safeguard cash from time of receipt to time of deposit to a University authorized bank account through Financial Services;

(b) all cash and receipts are properly recorded and accounted for; and

(c) customer payment information is stored in a secure manner.

All employees entrusted with handling cash and credit card payments are familiar with the Cash Control Policy. Full document available at: http://www.umanitoba.ca/admin/governance/governing_documents/financial/389.htm

Excerpts from Cash Control Procedures Document: 2.3.10 Departments are required to use University of Manitoba merchant services providers and may request information in this regard from RCGA.

Full document available at: http://www.umanitoba.ca/admin/governance/governing_documents/financial/863.htm

The University contracts with TD Merchant Services for the provision of its Visa and MasterCard merchant services. All payment card revenue must be deposited to the University’s main bank account. Departments must advise Financial Services of any situation where this is not the case.

For information only

Page 21

Attestation of Compliance

• After completing the SAQ, the merchant must complete the Attestation of Compliance to confirm that:
  1. the merchant qualified for the SAQ
  2. the merchant is in compliance

• This document must be signed by one of: the unit’s Business Manager, Department Head, Director, or equivalent.

Page 22

Part 2. Eligibility to Complete SAQ B

Complete this section to confirm your eligibility to use SAQ B:

__Yes __No  Merchant uses only standalone, dial-up terminals; and the standalone, dial-up terminals are not connected to the Internet or any other systems within the merchant environment;

__Yes __No  Merchant does not store cardholder data in electronic format; and

__Yes __No  If Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically.

Part 3. PCI DSS Validation

Based on the results noted in the SAQ dated Nov 30, 2013, Merchant 123 asserts the following compliance status (check one):

__Compliant: All sections of the PCI SAQ are complete and all questions answered “yes”. Therefore Merchant 123 has demonstrated full compliance with the PCI DSS.

__Non-Compliant: Not all sections of the PCI SAQ are complete or some questions are answered “no”, resulting in an overall NON-COMPLIANT rating, thereby Merchant 123 has not demonstrated full compliance with the PCI DSS. Target Date for Compliance: ___________________________

Page 23

Part 3a. Confirmation of Compliant Status

Merchant confirms:

Yes / No: PCI DSS Self-Assessment Questionnaire B was completed according to the instructions therein.

Yes / No: All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.

Yes / No / N/A: I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization. (if applicable)

Yes / No: I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.

Yes / No: No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment. (applicable only if Merchant is storing data electronically)

Part 3b. Merchant Acknowledgement

Print Name of Department Head or Business Manager _________________________________________________

Title _______________________________________________________

Signature ________________________________ Date _________________________________

Unit / Merchant Represented _________________________________________________

Page 24

What if Merchant is Non Compliant?

• If your responses indicate that you are not in compliance, please complete Part 4 of the Attestation of Compliance to indicate where compliance has not been achieved and provide the steps to be taken within your unit to meet the requirement.

Page 25

Part 4. Action Plan for Non-Compliant Status

Please select the appropriate “Compliance Status” for each requirement. If you answer “No” to any of the requirements, you are required to provide the date this Merchant will be compliant with the requirement and a brief description of the actions being taken to meet the requirement.

PCI Requirement   Description                                                        Compliance Status (Select One)   Remediation Date and Actions (if Compliance Status is “No”)
3                 Protect stored cardholder data                                     Yes / No
7                 Restrict access to cardholder data by business need to know        Yes / No
9                 Restrict physical access to cardholder data                        Yes / No
12                Adhere to University policy that addresses information security    Yes / No

Page 26

What if Merchant is Non Compliant?

• Where non-compliance is indicated, further follow-up will be scheduled by either IST or RCGA, depending on the area of vulnerability.

• Non-compliant products must be upgraded, replaced, or discontinued within a reasonable time frame. Depending on the nature of the non-compliance, discontinuance may be immediate.

Page 27

3rd Party Compliance

Most of our processing partners are already in compliance with PCI DSS:

• TD Bank POS terminals (Freedom IV and Freedom V) are compliant, provided all software upgrades have been completed by the merchant.

• Beanstream is compliant (web merchants).

• Certain vendor software used by UM merchants (for example, Class, used by the Faculty of Kinesiology) is certified as PCI compliant.

Page 28

The Compliance Cycle

Assess: Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.

Remediate: Fix vulnerabilities and do not store cardholder data unless you need it.

Report: Compile and submit required remediation validation records (if applicable), the SAQs

Page 29

Steps in the Annual Compliance Cycle

1. Create an inventory of all campus merchants and confirm merchant contact information.

2. Promote awareness of the PCI requirements and the consequences of non-compliance to all UM merchants.

3. Request that each merchant review and sign off on the appropriate self-assessment questionnaire (SAQ). Determine areas of non-compliance and establish a plan to correct them.

Page 30

Steps in the Compliance Cycle cont.

4. Develop a policy that addresses storage of electronic data (IST/RCGA).

5. Obtain statements from all 3rd party vendors/partners confirming that they are also in compliance.

6. Develop processes that ensure continued compliance.

Page 31

Helpful Tips

• Treat cardholder data like cash: keep it secure, and if it needs to be stored, deposit it right away.

• If you don’t need it, don’t store it!

• Never store the CVV2 or PIN.

• Data storage requirements are 12 months for VISA, 18 months for MasterCard.

Page 32

Helpful Tips- continued

• Read and understand the Merchant Operating Guide for information on items such as issuing refunds and receipt requirements (for example, never issue a refund by cash or cheque for a purchase made by credit card).

• Read the TD Fraud Prevention brochures.

• Never “lend” your merchant number to another unit. This could expose you to unwanted liability and increased merchant fees.

Page 33

Where can I find more information?

• RCGA web site: http://umanitoba.ca/admin/financial_services/revcap/staff_info.html

• TD Merchant Services Resource Center: http://www.tdcanadatrust.com/merchantservices/resource_centre.jsp

• PCI Security Standards Council: https://www.pcisecuritystandards.org/index.shtml

• Guidelines set by the University’s IST department for hosting a web application: http://umanitoba.ca/computing/ist/internal/admin_sys/director/guidelines/index.html

Page 34

QUESTIONS?

• RCGA – Merchant Administration:
  – Rhonda Chorney 474-8727
  – Alicia Bressani 474-9574
  – Anna Chugunova 290-5809

• IST – Technical:
  – David Treble 474-8340

If you’re not sure, ask!

Page 35

Questions

