Date post: 29-Jul-2019
Transcript

Security Awareness Training

University of Oregon Security Awareness Training

This training is designed for all university employees whose responsibility it is to help safeguard university data assets. It is required annually for university personnel involved in credit card payment acceptance. For more information about credit card policy and procedures, see the Business Affairs eCommerce page. Please send your questions or suggestions to Mark McCulloch ([email protected]).

Purpose

Source: Verizon 2014 Data Breach Report. Security awareness training is an important component of any organization's information security strategy. Employee errors, lost or stolen assets, and privilege misuse accounted for 43% of security incidents in the education sector in 2013. All university employees share responsibility for protecting sensitive data and preventing system disruption. By participating in security awareness training, employees can prepare to do their part.

Instructions

This training will take between 60 and 90 minutes to complete. You can take breaks and return where you left off within a two-week period. The goal is to understand the material and achieve a perfect score. If you answer incorrectly you will receive a hint and can go back and answer again.

Email: Please enter your university email address ([email protected]).

UO ID: Please enter your University ID number (95#######).

Training Date:

Organization

This training is organized in eight sections:
1. Why security awareness is important
2. Concepts
3. Best practices
4. Credit card concepts
5. Credit card best practices
6. University eCommerce policy
7. Point of sale best practices
8. Annual PCI self assessment process
Depending on your role, some sections may be irrelevant and skipped.

Credit Card Security Content

Help us determine the content you need. Are you involved (directly or indirectly) with customer credit card processing? (check all that apply)
- Credit card acceptance at point of sale (payment card terminal, cash register, pay station, etc.)
- On-line credit card acceptance (web page with customer payment link)
- Business manager or IT professional involved in annual PCI self assessment
- Purchasing, contracting or leasing with third parties who will process credit cards on behalf of the university or on university premises

Section 1. Why Security Awareness is Important

Information Security Incidents in Higher Ed
Information security awareness is important for two reasons:
- It is required by law or regulation
- It helps mitigate the real risk of data breach
The University of Oregon has information security policies, programs, and controls in place in order to comply with federal privacy laws (FERPA, HIPAA, HHS Title 45 Part 46) and with the global credit card security standard PCI DSS. Compliance, however, is no guarantee. The university has suffered and will again suffer an information security breach; it's just a matter of time. Every year, dozens of universities suffer security incidents and data breaches. The most common breaches in higher education result from:
- Employee mistakes (lost portable media, inadvertent mailings or web publishing)
- Compromised employee credentials obtained by phishing email
- Theft (laptops, PCs, hard drives)
- Web application vulnerabilities exploited by hackers
Every employee at the University of Oregon shares responsibility for information security.
Information security is exclusively an IT department responsibility. True or False?

Please go back and try again. Hint: Every employee has a role in safeguarding the university's information assets.

Recent Data Breaches
- eBay: 233M customer records, DOB, address (malware)
- Home Depot: 56M credit/debit cards, 1800 stores (malware)
- Target: 40M credit/debit cards, 2300 stores (malware)
- U Oregon: 20 fraudulent direct deposits (phishing)
- U Kentucky: 1079 patient records (stolen laptop)
- Loyola Law School: 395 student SSNs (inadvertent email)
- U Maryland: 309K student SSNs (malware)
- Maricopa County CC: 2.5M student SSNs and bank accounts (malware)
- Apple iCloud: miscellaneous (malware)
- JP Morgan Chase: 76M bank accounts (malware)
- UC Santa Barbara: employee payroll data and SSNs (malware)
- UNC Chapel Hill: 6K SSNs (inadvertent web posting)
- U Chicago: 6300 student SSNs (stolen faculty laptop)
Higher Ed institutions have their fair share of data breaches. Not all publicity is good publicity. True or False?

Please go back and try again. Hint: Universities routinely suffer data breaches.  Breaches can damage a university's reputation which in turn can impact its ability to recruit students and solicit donations. 

Example Credit Card Breach in Higher Ed
Customers are generally not liable for fraudulent credit card charges. Banks monitor accounts for fraudulent activity, reverse charges, and re-issue cards. Merchants who suffer a data breach can be:
- fined by their bank,
- ordered to conduct a forensic investigation,
- required to notify all customers, and
- lose future business due to damaging editorials in the news media.
Merchants are also forced to accept chargebacks for any goods and services they sell involving fraudulent (stolen) card transactions.
Who bears the most risk when card data is stolen? (Customer / Merchant)

Please go back and try again. Hint: If the university is deemed responsible for exposing its customers' card data, our merchant bank can order an investigation at our expense and pass on any fines imposed by the card brands. When stolen card data is used to make purchases, the banks often charge the value of the sale back to the merchant.

Costs Associated with a Card Data Breach
After a significant card data breach, the card brands typically fine the merchant bank $5,000/month until it is remediated. These fines are often passed on from the bank to the responsible merchant. Merchant banks also typically order an independent forensic investigation by a Qualified Security Assessor (QSA), paid for by the merchant. They often designate the merchant Level 1, requiring future annual assessments to be performed by a QSA. In Oregon, the merchant organization is responsible for immediately notifying affected customers. Notification costs can be considerable. To protect its reputation, a merchant organization often offers free credit monitoring to affected customers.
In the event of a data breach, university merchants can incur fines, consulting, notification and other costs. True or False?

Please go back and try again. Hint: University merchants are departments that accept credit card payments. If a university department is deemed responsible for exposing customer card data, it will incur expenses related to mitigating the breach.

Requirement to Notify Oregon Residents when their 'Identifying' Information is Exposed
Oregon's Identity Theft Protection Act requires all organizations to notify customers immediately if there is a security breach and their Personal Identifying Information (PII) is exposed to unauthorized individuals. PII is defined as a person's name in combination with a Social Security number, Oregon driver license number or Oregon identification card number, passport number, or financial account or credit or debit card numbers along with the security or access codes or password that would provide access to a financial account.
Oregon law does not require customer notification in the event of a breach that exposes PII. True or False?

Please go back and try again. Hint: Oregon's Identity Theft Protection Act requires immediate notification in the event that an organization exposes a person's SSN, driver's license number, passport number, bank account or credit card numbers to unauthorized individuals.

Congratulations! You have completed section 1.
Why Security Awareness is Important:
- Security awareness training is required by the Payment Card Industry and other bodies.
- Security awareness training mitigates the risk of data breaches, many of which are entirely preventable.
- Higher Ed has its fair share of data breaches.
- Data breaches have a financial impact and cause reputational damage.
- Oregon law requires customer notification if Personal Identifying Information (PII) is exposed.

Section 2. Concepts

Concept: FERPA
This federal law was enacted in 1974 to protect the privacy of student education records. Student education records are those records directly related to a student maintained by the university or by a party acting for the university. FERPA requires universities to have a Student Records Policy and define Directory Information. Education records may not be shared with a third party (including parents) without written consent from the student. Directory information such as student name, address, email, and dates of attendance may be shared without written consent unless the student has filed a directory restriction with the Registrar.
Student education records are broadly defined. Written permission from the student is required before sharing these records except in the course of official university business with university officials. True or False?

Please go back and try again. Hint: Education records can be shared with other university officials if there is a business need, without obtaining written consent from the student. 

Concept: HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) governs the use and disclosure of Protected Health Information (PHI). The university health center maintains PHI for students. PHI is sometimes required to conduct university research. A HIPAA release form must be obtained from a student or research subject authorizing any access to PHI.
Access to PHI or protected health information requires written consent. True or False?

Please go back and try again. Hint: A HIPAA release form must be obtained from a patient or research subject before accessing their PHI. 

Concept: Human Subjects
45 CFR 46, the Department of Health and Human Services regulation for protecting human subjects, requires that research involving human subjects be governed by an Institutional Review Board (IRB), and that research records are retained for three years in a way that protects the identity of the research subject. University research involving human subjects is managed by Research Compliance Services.
45 CFR 46 requires that research records indicating the identity of a research subject be kept confidential. True or False?

Please go back and try again. Hint: HHS Code of Federal Regulations Title 45 Part 46 requires that an IRB evaluate provisions to protect the privacy of research subjects and the confidentiality of data before approving a research activity. 

Concept: Protected Data
The university's information security policy classifies data assets. Protected data is any information that is protected by law or regulation. We just covered some federal privacy laws and a global security standard that require us to protect university data.
Drag the data item to the appropriate regulation container.
Containers: FERPA; PCI DSS; HIPAA; 45 CFR 46
Items: Human Subjects Research Records; Customer Card Data; Student Education Records; Personal Health Information (PHI)

Concept: Banner Code of Responsibility
The university uses Ellucian Banner, commercial software, to manage its finance, HR, payroll and student enrollment functions. There are trained employees using Banner in every university department. The university uses IBM Cognos and Hyland Singularity for enterprise reporting and document management respectively. Employees using these systems sign a Code of Responsibility for the Security and Confidentiality of Records and Files when obtaining their account. This code requires that employees never:
- Reveal the content of any record except in the proper conduct of their duties,
- Make or allow unauthorized use of information,
- Make inaccurate entries,
- Expunge a record,
- Share their password (or log another user in using their password),
- Seek personal benefit, and
- Remove an original record from the office of record except in the proper conduct of their duties.
Violations of the Code of Responsibility must be reported immediately to the violator's supervisor and are subject to criminal and civil liability. True or False?

Please go back and try again. Hint: Violations of the Code of Responsibility, such as knowingly entering inaccurate information into Banner, must be reported to the violator's supervisor and are subject to criminal and civil liability.

Concept: Acceptable Use
The UO Acceptable Use of Computing Resources Policy presents guidelines for acceptable use of computing resources. This policy specifically prohibits:
- Sharing of accounts
- Commercial use of university resources
- Violations of electronic privacy
- Interference with computer use or operations
...and specifically requires:
- Recognition of copyrights
- Wise use of limited resources
- Personal responsibility for on-line statements
Violations of the Acceptable Use Policy constitute a breach of the Student Conduct Code or Faculty Handbook and will be referred to the appropriate authorities. True or False?

Please go back and try again. Hint: Violations of the Acceptable Use Policy, such as installing illegal music sharing programs or unlicensed software, are a breach of the Student Conduct Code and faculty rules, and will be referred to the appropriate authorities.

Concept: Records and Records Retention
An original document, either paper or electronic, that contains information pertaining to university functions, policies, decisions, procedures, operations, mission, programs, projects or activities is a university record. The UO Records Retention Schedule lists the various record series maintained by the university and identifies which office must retain the 'record copy' and the length of time the record must be retained before it is destroyed.
The record retention period is both a minimum and a maximum, after which a record must be destroyed. True or False?

Please go back and try again. Hint: University records must be deleted or confidentially recycled at the end of their retention period.

Concept: Copyright Clearance
Students often violate copyright by downloading pirated music or, worse, installing software that illegally shares copyrighted works. The latter invites legal action by the RIAA. Faculty frequently violate copyright when adding material to course packets or uploading web content to Blackboard. Sometimes faculty believe that they do not need consent to borrow from another person's work because they believe the work is in the 'Public Domain' or they are invoking an education-based 'Fair Use'. When in doubt, contact University Printing Copyright Clearance.
Faculty can use copyrighted material for education purposes without permission from the copyright owner? Select the best response.
- True
- False
- Depends on: the character of the use, the nature of the work, the portion used in relation to the whole, and the effect on the market for or value of the work.

Please go back and try again. Hint: Fair use is a doctrine in the Copyright Act that is applied by weighing several factors.

Concept: Faculty Records
According to the university Faculty Records Policy (OAR 571-30), 'Directory Information' (information needed to locate an academic staff member, such as university catalog, class schedule, telephone directory), records of academic achievement, and salary information may be released without the faculty member's consent. All other academic staff information is considered 'Personal Records' and shall be available to university officials only and not released without written consent.
A faculty member's personal records may not be released without written consent. True or False?

Please go back and try again. Hint: Written consent is required before a faculty member's 'personal records' can be released to a third party.

Concept: Public Records
The spirit of Oregon's Public Records Law: the state of Oregon has a policy of openness. The most important advocate for open government is the public itself. The news media often acts on the public's behalf in seeking public records to inform citizens about the work done in their name. Individual citizens also perform this watchdog function, using the public records law to inform themselves about how well the government is functioning. Many items are specifically exempt from public disclosure, such as records relating to litigation, trade secrets, investigatory information, test questions, employee discipline, computer programs, audits, security measures and donor information. All public records requests should be referred to the Office of Public Records.
All requests for university information from outside entities should be referred to the university Office of Public Records. True or False?

Please go back and try again. Hint: The Office of Public Records handles all requests for university information made by outside entities in accordance with Oregon's public records law.

Congratulations! You have completed section 2.
Concepts:
- HIPAA: Health Insurance Portability and Accountability Act; protects PHI (Personal Health Information).
- Human Subjects: confidentiality of research records that identify subjects.
- Protected Data: university data that is protected by various laws or regulations.
- Banner Code of Responsibility: Banner users' code of conduct.
- Acceptable Use: university system users' code of conduct.
- Records Retention: university schedule for retaining, then destroying, records.
- Copyright Clearance: office that assists faculty with fair use or permission to use copyrighted works.
- Faculty Records: directory information versus personal records.
- Public Records: office that fulfills all requests for university records and determines what is exempt from disclosure under Oregon law.

Section 3. Best Practices

Best Practices: Passwords
Make sure the passwords you use for email, social networking and banking are different. Facebook's 1.3 billion accounts are a huge target for hackers. When your Facebook or Snapchat account is eventually compromised, at least your bank account will remain safe and you will receive email notifications as the hackers reset passwords on your other accounts.
- Always change vendor default passwords before using systems such as servers or card readers for the first time, even if they are strong.
- Passwords should be difficult to guess and not based on names, obvious interests or relationships. Weak passwords take minutes to crack.
- Strong passwords are longer than seven characters and contain a mix of numbers, letters, case, and special characters.
- Good passwords are easy enough to remember that they do not need to be written down.
- Never use a password you have seen published.
- Never share your password.
- Change passwords at least every 3 months and make them significantly different. Don't just change a number.
- Routinely check your computer for plugged-in devices.
- Check how strong your password is: visit a password meter.
Drag each password into the weaker or stronger container.

Containers: Weaker Password; Stronger Password
Items: GlamGirl; GlamGirl8:); Rihanna; R!h@nn@; ILoveMyPiano; Ilov3MyPi@no; SmellyCat5; $m3llycat; jAck22bauer; jA(kBauer

Best Practices: Electronic Files
Never create an electronic document (email, web page, spreadsheet) containing a customer credit card number. Avoid sending Personal Identifying Information, such as SSN, passport number, financial accounts and passwords, by email. Avoid storing protected data on portable media (unencrypted USB flash drives), smart phones, laptop computers, and desktop hard drives. Private university file shares have better access controls and backup protection.
Drag the data item into the appropriate container.
Containers: Never put in an electronic file; Avoid sending in email; Avoid storing on portable media, smart phone, laptop computer, or workstation hard drive
Items: Credit card number; PII (SSN, Passport Number, Financial Accounts); Student education records; Personal Health Information (PHI); Human subjects data

Best Practices: Phishing
Phishing is fraudulent communication (phone or email) intended to steal information or money. Some tell-tale signs:
- Unsolicited
- Poor grammar
- Urgent
- Financial reward
- Asks for personal information such as passwords
- Generic greetings ("Dear customer")
- Misleading links. Hover before you click to verify the server name, for example uoregon.com
- Out-of-character email from a friend (their machine may have malware)
- Spoofed log-in page. Review the URL before entering log-in credentials. If unsure, use a trusted link or bookmark instead.
Forward suspected phishing emails that are related to university systems to [email protected]
Sample email message: "Attention: Mr. Smith, Please click the link below and log in into Duckweb to confirm your salary increase." https://duckweb.uoregon.edu
Legitimate or Phishing? (Legitimate / Phishing)

Please go back and try again. Hint: Hover over the link and evaluate the address. ducksweb.com is not hosted by the university and should not be trusted.

Best Practices: Phishing
Review the message below to determine if it is phishing.
From: Blackboard Alerts [[email protected]]
Sent: Wednesday, August 28, 2013 12:31 PM
To: Recipient
Subject: New Course Form
Good Morning, An important course form has been posted to you through the Blackboard Learning System. Please sign in immediately to view the form. Click here to sign in. Thank you, Blackboard Learn.
Which of the following indicators of phishing do you see?
- Generic greeting
- Urgent
- Asks you to sign in
- Spoofed login link www.blackboard.uoreegon.com
- All of the above

Please go back and try again. Hint: The message contains all of the tell tale signs of phishing, generic greeting, urgent, asks you to sign in and spoofed login site address.
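Both phishing examples above come down to the same check: hover before you click and compare the address the link shows with the one it actually goes to. The following Python script is an added example, not part of the university's training material; it pulls the links out of an HTML message and flags link text whose host differs from the href host, destinations outside the trusted domain, and hosts whose labels are a near-misspelling of uoregon (as in uoreegon.com). The trusted-domain list and the three sample messages are assumptions constructed for this example.

```python
# Link checks for a suspected phishing e-mail, modelled on the training's "hover before
# you click" advice. Added example, not the university's own tooling; the trusted domain
# list and the sample messages below are constructed for this example.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: university systems such as Duckweb and Blackboard live under this domain.
TRUSTED_DOMAINS = ("uoregon.edu",)
# Link text that itself looks like a URL or bare host name (no spaces, has a TLD).
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host of a URL or bare host string ('' if there is none)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """The trusted domain itself or a real subdomain; 'uoregon.edu.example.net' fails."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(html):
    """Return human-readable findings; an empty list means no link tripped a check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if URL_LIKE.fullmatch(text) else ""
        # 1. The link text shows one address but the link goes somewhere else.
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        # 2. The real destination is outside the trusted domain.
        if not is_trusted(target):
            findings.append(f"{target} is outside the trusted domains")
        # 3. A label of the destination is a near-miss of the trusted name
        #    (uoreegon vs uoregon); the top-level domain is skipped.
        for label in target.split(".")[:-1]:
            for dom in TRUSTED_DOMAINS:
                trusted_label = dom.split(".")[0]
                if label != trusted_label and edit_distance(label, trusted_label) <= 2:
                    findings.append(f"{target} looks like {dom} (label {label!r})")
    return findings


def is_phishing(html):
    return bool(analyze(html))


# Constructed messages mirroring the two quiz examples, plus a legitimate link.
SAMPLE_DUCKWEB = (
    "<p>Attention: Mr. Smith, Please click the link below and log in into Duckweb "
    'to confirm your salary increase.</p><a href="http://ducksweb.com/login">'
    "https://duckweb.uoregon.edu</a>"
)
SAMPLE_BLACKBOARD = (
    "<p>Good Morning, An important course form has been posted to you through the "
    "Blackboard Learning System. Please sign in immediately to view the form.</p>"
    '<a href="http://www.blackboard.uoreegon.com/">Click here to sign in</a>'
)
SAMPLE_LEGIT = '<a href="https://duckweb.uoregon.edu/">https://duckweb.uoregon.edu</a>'
```

Running analyze(SAMPLE_DUCKWEB) reports the text/target mismatch and the untrusted host, analyze(SAMPLE_BLACKBOARD) reports the untrusted host and the uoreegon lookalike, and analyze(SAMPLE_LEGIT) returns an empty list.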

Best Practices: Cloud Computing
Software is often delivered as a service and hosted in the cloud. Dropbox and Google Docs are very popular cloud solutions for file sharing and collaboration. Here are some things the university generally considers before contracting with or promoting hosted software solutions:
- Determine if there is already an established university software solution that can meet this business need.
- Evaluate the vendor's client references, D&B rating, business continuity plan and contract terms (click-through agreement).
- Are we storing any sensitive data?
- Are established security measures compliant with SAS 70/SSAE 16, FERPA, HIPAA, GLBA, PCI DSS and other applicable regulations?
- Is the privacy policy (stated uses of our data) agreeable?
- Are backup and recovery systems adequate?
- Is our data physically stored within the continental U.S.? If not, will we comply with export regulations? Evaluate Patriot Act privacy implications.
- Is our data co-mingled with other companies' data?
- Is 24/7 training and support available by phone or email?
- Is the incident classification and maximum average resolution time adequate?
- If this company is purchased or folds, can I export my data?
- Is the service availability (99.99%) guarantee and reporting adequate?
- Are the system failure notification provisions adequate?
- Will the university be able to comply with legal obligations for e-discovery?
University employees should check with IT support and PCS before using cloud software services. True or False?

Please go back and try again. Hint: Security, availability, and compliance are a few critical issues that must be evaluated before university records are shared with a cloud service provider.

Best Practices: Social Engineering
Social engineering is a way of convincing people to share confidential information. It usually involves impersonation and appeals to our natural tendency to trust and desire to help. Some common scenarios:
- Call from the IT department: they noticed that your computer is slow and ask for your password to investigate.
- Call from the merchant bank telling you that your payment card terminal needs critical updates, asking for your merchant ID.
- Caller shares personal information they gathered on social media sites, then later sends you a phishing email.
- Caller from the phone company asks to inspect phone equipment.
- Bank representative calls reporting suspicious activity on your account. They ask for your SSN or the home phone number of your CFO.
- Credit card company calls reporting suspicious activity on your account. They ask for your credit card number.
Always be suspicious, verify identity, and refuse to share confidential information.
Scenario: A bank representative calls warning that your payment card terminal needs critical updates. They ask for your merchant ID. What should you do? (Provide your Merchant ID / Hang up)

Please go back and try again. Hint: This is a common scam.  These companies either attempt to steal your merchant ID to gain access to cardholder data, or they try to solicit new merchant service business. 

Best Practices: Mobile Devices
Security risks unique to mobile devices:
- Portable and therefore easy to lose or steal
- Wi-Fi hot spots may be insecure (some public hot spots are fakes hosted by hackers)
- Malicious apps that control your device and harvest your data
- SMS phishing (urgent text message from a seemingly reputable source asking for account credentials)
- Operating systems and applications designed for convenience, not security
University policy strongly discourages the processing of customer card data on a university computer. Due to the risks inherent with mobile devices, university employees who BYOD should never use a personal mobile device to process customer card data or any other protected university data.
Security tips:
- Never store sensitive data on a mobile device.
- Use screen lock with a strong password.
- Enable built-in encryption (automatic with iOS).
- Back up the device regularly.
- Use a subscription rather than public Wi-Fi.
- Log out after using public Wi-Fi to protect the information you last accessed.
- Log out from applications not in use so that hackers can't use them in an open connection.
- Update to the current (un-deprecated) OS and browser release.
- Ensure your home wireless connection has WPA/WPA2 security enabled and that the default password was changed.
Drag the security item into the corresponding risk container.
Containers: Malicious app; Deprecated OS/Browser; Easy to lose or steal; Fake/insecure hot spot
Items: Never store sensitive data; Use a subscription instead of public Wi-Fi; Log out after using apps; Update to the current OS/Browser

Best Practices: Social Media Risks
Security risks unique to social media:
- The enormous volume of personal information being shared serves as a target for hackers.
- Posts and files are instantly shared with a large network of users, without the ability to undo or delete.
- Stolen credentials for one site can often be used to access other sites.
- Direct person-to-person messages on social media sites are neither private nor secure.
Security tips:
- Log out of your social media account when done to limit hacker access.
- Use different passwords for each account, especially banking accounts.
- Choose the most secure privacy settings available with each application to limit the number of people who will try to scam you or hack your account. Tailor privacy settings for different groups such as family, friends and colleagues.
- Don't allow your browser to save your passwords, to prevent someone who hacks into your computer from accessing your accounts.
- Avoid logging in on public Wi-Fi hot spots.
- Scour the user agreement to see what information will be shared and what software will be installed.
- Verify identity and motive before accepting connection requests from unknown parties.
- Use the highest level of authentication available, such as two-factor, which requires a hacker to know both your password and your pass code for access.
- Review university guidelines for web communications. Clearly distinguish your personal views and opinions from those of your employer.
- Before each post, consider if:
  - Your post contains sensitive, personal or financial information that should remain private.
  - Your family, co-workers or employer would think negatively.
  - Your post will harm anyone physically, financially or emotionally. Is it racist, sexist, defamatory or otherwise offensive?
  - You need consent before sharing. Posting pictures of friends and co-workers without consent is a breach of their privacy that may have legal or professional implications.
  - You are comfortable with this information remaining on-line forever.
  - This information (such as likes) could be used to scam me through phishing or social engineering.
- Add only necessary applications to your social media account to limit attack vectors.
- Use a strong password to access your computer or mobile device.
Evaluate your social media practices. Drag each security item into one of the three containers.

Containers: Yes / No / Not Applicable

______ Always log out
______ Use different passwords for each site
______ Strictest privacy settings
______ Don't allow browser to save my passwords
______ Avoid public Wi-Fi hot spots
______ Read user agreements for privacy or malware
______ Verify identity before accepting connection requests
______ Use two factor authentication where available
______ Clearly distinguish personal opinions
______ Never post sensitive info
______ Never post offensive info
______ Never post pictures without consent
______ Only post what I am comfortable being on-line forever
______ Enable only necessary applications
______ Use strong passwords for my computer and phone

Best Practices: Working Remotely

Advice for employees working remotely:
The UO Data Access Policy requires that remote access to university data assets be provided through secure means approved by the CIO, such as a Virtual Private Network (VPN).
Be conscious of people sitting nearby who may see or overhear confidential information. Engage your screen-saver and move locations if necessary.
Avoid personal use of university computers when working remotely, particularly browsing to un-secure public websites, personal email, social networking and shopping, all of which can result in malware infection.
Don't share your work computer with family or friends. This may expose your private email, confidential information, and credentials for other sites. Other users might download malware, impersonate you, or connect to the Internet on an untrusted network.
Don't share your passwords with family, friends or anyone else.
Do not disable security settings or anti-virus (AV) software. AV software is designed to detect and remove malware on your computer, on attached devices, in your email, and in files you are downloading or installing.
Encrypt the data on your company laptop or tablet computer and install remote wipe software.
Do not copy sensitive data from a computer to a USB stick, which is easily lost or stolen.
Follow the university's remote access policies.
Never leave your company computer unattended, for example in an airport or a locked car.

Evaluate your working remotely practices. Drag each security item into one of the three containers.

Containers: Yes / No / Not Applicable

______ Use VPN or Wi-Fi subscription
______ Conscious of people sitting nearby
______ Avoid personal use of university computer
______ Don't share work computer with family or friends
______ Don't share passwords
______ Don't disable browser or anti-virus security settings
______ Don't copy sensitive data to portable media (USB stick)
______ Follow university's remote access policy
______ Don't leave university computer unattended

Best Practices: Avoiding Malware

Malware is short for malicious software. It is used to disrupt the operation of a computer or access sensitive data.

Types of malware: Virus (secretly copies itself), Rootkit (secretly installed, virtually undetectable, controls your computer), Worm (propagates without user action, relies on a system security flaw), Trojan (claims to perform legitimate actions, harms the system and communicates with other infected computers forming a robot network or botnet), Spyware (tracks your computer activity), and Adware (displays unwanted advertisements).

If you see these symptoms of malware, immediately stop using your computer and contact your IT department:
Excessive pop-up ads.
Computer responding slowly or crashing, or hard drive whirring.
Increased email spam.
Anti-virus warning.
Browser home page changes.
Contacts report receiving strange email from you that you did not send.

How to avoid malware:
Ensure your computer has the latest operating system (OS) and other software updates. Timely OS patching is critical to address specific vulnerabilities as they are discovered. OS updates are often configured by IT support staff to install automatically as soon as they are available.
Use an approved browser and an up-to-date version.
Configure anti-virus software to get current definitions and scan downloads.
When prompted, don't allow untrusted websites to install plug-ins or extensions.
Configure your browser to block pop-up windows and don't click on pop-up advertisements.
Provide sensitive info only to trusted websites with encryption (https://).
Hover and inspect links on web pages and in email before clicking.
Enable only necessary browser add-ons.
When prompted, choose to save a file rather than run it from the website.
Install approved software from trusted sites.

Which of these items would you click on? (Images: Updates, Adware, Pop-up, Phish, Quiz, Winner)

Please go back and try again. Hint: This relatively common pop-up probably contains some type of malware. Don't click!

Best Practices: Physical Security

Physical security measures deny unauthorized individuals access to facilities, equipment and information.

Measures:
Security personnel.
Employee ID cards used for building access. Don't allow unknown individuals to follow you in.
Greet unknown visitors and offer assistance.
Security cameras.
Privacy screens prevent visitors from reading sensitive data from your monitor.
Lock your console when you leave your work area and set your screen-saver password.
Alarms.
File sensitive documents in locked drawers, filing cabinets, or offices.
Confidential recycle program. Don't accumulate confidential recycle items.
Tether point of sale devices.
Secure data center with climate control.
Data backups.
Never leave laptops, phones, or portable media (USB sticks) unattended.
Encrypt sensitive data wherever it is stored, especially on laptops.
Register laptops with registration warranty and affix high risk property control tags.
Execute the incident response plan in the event of a data breach.
Don't leave sensitive data on printers or fax machines.
If you find a USB stick, turn it over to your IT department.
If you find a phone, turn it over to your administrative staff.

Evaluate your physical security practices. Drag each item to the appropriate container.

Containers: Yes / No / Not Applicable

______ Don't allow unknown persons to follow through a secure door
______ Greet unknown visitors
______ File away sensitive documents when not in use
______ Use confidential recycle for sensitive documents
______ Never leave laptop, phone or portable media unattended
______ Affix a property control tag on laptop computer
______ Don't leave sensitive documents on printers or fax machines

Best Practices: Courtesy Workstations (Kiosks)

Courtesy workstations should not be used for credit card payments. If a department hosts kiosk computers or a computer lab, signage should clearly indicate that university systems are not for payment processing. Students often access their Blackboard or Duckweb account on kiosk computers. To protect their authentication data, IT staff should limit software and user permissions on a kiosk computer. Porteus Kiosk is a good open source strategy.

Students should use university computer kiosks to pay their student bill. True or False? True False

Please go back and try again. Hint: The university cannot guarantee the security of sensitive information entered on kiosk computers. Students should enter sensitive data on their personal computer. The university takes on additional liability if it instructs students or staff to enter credit card data on a university computer.

Congratulations! You have completed section 3.

Best Practices:
Passwords: Use strong unique passwords for email, banking and social networking.
Electronic Files: Don't put SSN, bank accounts, or credit card numbers in electronic files, on portable media, on unencrypted laptop computers or in email.
Phishing: Beware unsolicited, urgent requests, even from people or businesses you know. Hover before you click a link, and inspect the address before you log in.
Cloud Computing: Don't store protected data in the cloud. Check with PCS and Info Services before you click through a cloud service agreement.
Social Engineering: Always be suspicious, verify identity, and refuse to share confidential information.
Mobile Devices: Avoid storing sensitive data, password protect, and avoid public Wi-Fi.
Social Media: Unique strong password, dual factor authentication, strictest privacy settings, and think before you post.
Working Remotely: Don't leave your work computer unattended, make sure it is encrypted, don't allow family to use it, be conscious of people sitting nearby.
Malware: Report symptoms to IT support, install critical updates and virus definitions, block pop-ups, limit plug-ins and add-ons, and check the address before you click.
Physical Security: Greet visitors, file documents when not in use, don't leave portable devices unattended, and pick up your copies and faxes.
Courtesy Workstations: Avoid entering sensitive data, strictly limit kiosk software.

Section 4. Credit Card Concepts

Concept: Customer Card Data

The full 13-16 digit Primary Account Number, or PAN, is considered customer card data. The cardholder name, expiration date, and service code (a code stored in the magnetic stripe that indicates card type, 'platinum' or 'gold' etc.) are also considered card data, but only in combination with the full PAN. The first 6 and last 4 characters of the PAN are not card data.

University merchants can safely record the first 6 and last 4 characters of the PAN in combination with cardholder name and expiration date because they are not considered customer card data. True or False? True False

Please go back and try again. Hint: Without the full PAN it is not considered card data. 

Concept: PCI SSC, PCI DSS, Merchant and Service Provider

In 2006 the major card brands (Visa, MasterCard Worldwide, American Express, Discover Financial Services, and JCB International) formed the PCI Security Standards Council (PCI SSC). The council established PCI DSS, a global data security standard to protect customer card data and reduce card fraud. All entities that store, process or transmit credit card data must comply with PCI DSS.

Merchants are businesses that accept credit card payments for goods and services. Merchants must attest their compliance status each year to their merchant bank. University merchants are university departments that accept customer credit card payments. Athletics, EMU, Parking, Housing, Dining and Catering are university merchants. All combined, they process about 650,000 card transactions per year worth $50M in revenue. About forty university merchants accept credit card payments in person using card swipe terminals.

Service providers are businesses that store, process or transmit cardholder data on behalf of merchants, or provide other services that could impact the security of cardholder data, such as hosting or managed firewalls. Service providers must register and validate compliance with Visa annually.

Who must comply with PCI DSS?
A. Merchants around the globe who accept credit card payments.
B. Service providers around the globe who store, process or transmit card data on behalf of their customers.
C. All of the above.

Please go back and try again. Hint: Both merchants and service providers must comply.

Concept: Sensitive Authentication Data

Sensitive authentication data can be used to manufacture fraudulent cards and cannot be stored by the merchant in electronic form after a transaction has been processed. Sensitive authentication data includes: the card verification code (CVV2), full magnetic stripe information, and PIN.

University merchants should never record the card verification code. True or False? True False

Please go back and try again. Hint: CVV, magnetic stripe data and PIN are sensitive authentication data.  Merchants are not permitted to store these.

Congratulations! You have completed section 4.

Credit Card Concepts:
Customer card data: the PAN, or PAN plus cardholder name, expiry date and service code.
PCI DSS: Payment Card Industry Data Security Standard.
Merchant: business that accepts credit cards.
Service Provider: company that stores, processes or transmits card data on behalf of a merchant.
Sensitive Authentication Data: CVV, magnetic stripe data, PIN.

Section 5. Credit Card Best Practices

Best Practices: On-line Payment Acceptance

The university reduces risk by promoting customer on-line payment, which is one of the safest card acceptance methods, and by outsourcing credit card processing to PCI compliant service providers. The Business Office provides campus with free custom on-line order forms with secure credit card and/or echeck payment.

Advantages:
Extremely low risk of data breach.
Easy to set up and administer your on-line order form.
Fast two day turn around.
Revenue automatically deposited to your university index and account the next business day.
Access to reports of confirmed product sales and/or event registrations.
No need to seek approval for or contract with a third party vendor.
No need to apply for a new merchant bank account.
Business Affairs completes the annual self-assessment for you.

If you need to accept credit card payment, consider QuikPAY!

Business Affairs will set up on-line payment for event registration or sale of goods for departments at no charge. True or False? True False

Please go back and try again. Hint: Business Affairs only passes on the bank fees related to your transactions.  No charge for site setup.

Best Practices: On-line Payment Acceptance

Business Affairs creates and hosts many on-line order forms for campus departments. Some departments create and host their own order form. Other departments contract with third party vendors to host their order forms. The following items are required for all university on-line order/registration forms:
Business name including UO affiliation
Customer service telephone number and email address
Warning stating that UO will not process card numbers submitted by email
Return and refund policy
Delivery method and time frame (if applicable)
Link to University eCommerce Privacy Statement
Listing of products and prices in US dollars
SSL encryption
Domain that is registered to the university merchant
English translation (if foreign language site)

My department's on-line order/registration forms must include a customer service phone number and return policy. True or False? True False

Please go back and try again. Hint: All on-line order forms must contain a customer service phone number and return/refund policy.

Best Practices: On-line Payment Acceptance

Department merchants who are using a payment site hosted by a third party such as QuikPAY must never enter credit card information on behalf of a customer using a university computer. This brings the university computer into scope for PCI DSS and invokes many security requirements that are not contained in SAQ A.

University merchants using a vendor hosted payment website must never enter card data on a customer's behalf. True or False? True False

Please go back and try again. Hint: By entering card data on a university computer you bring that machine and any other connected to it into scope for PCI DSS.

Best Practices: Mobile Payment Acceptance

Mobile payment acceptance using a slider device that can be attached to a smart phone or tablet computer is gaining popularity among small merchants. However, the PCI Council has not yet certified any mobile solutions that use a smart phone or tablet computer. The biggest challenge is isolating the card data being swiped from the operating system of the phone or tablet, which is typically used for email and social networking with a high risk of malware infection. The university recommends using a cellular, battery powered card swipe terminal, a dedicated single purpose device, available from our merchant bank and certified by the PCI Council.

Which of the following mobile payment acceptance methods is the most secure?

Please go back and try again. Hint: Phone and tablet based card acceptance solutions are not certified by the PCI Standards Council.

Best Practices: Written Procedures for Card Processing

University merchants with employees who accept customer card payments by mail, fax, phone or in person must publish and disseminate written procedures for safeguarding customer card data and restricting access to employees with a specific job classification and business need. Written procedures are auditable records that provide a ready reference for new and existing staff who perform card processing functions infrequently. At a minimum, unit procedures should:
Warn not to create electronic records containing full card numbers,
Instruct how to secure, inventory and destroy paper records that contain full card numbers,
Identify personnel permitted to access systems and equipment,
Detail proper care and physical security of equipment,
Detail how to process customer refunds,
Detail how to respond to email containing card numbers,
Instruct how to detect fraudulent transactions (card inspection, customer behavior).

Departments can rely on the university ecommerce policy. Unit level procedures are not required. True or False? True False

Please go back and try again. Hint: Each unit with staff who accept customer credit card payments must have written standard operating procedures.

Congratulations! You have completed section 5.

Credit Card Best Practices:
On-line payment acceptance: Use QuikPAY, and make sure your order form has a privacy statement and customer service contact.
Mobile payment acceptance: Use a wireless card terminal instead of phone or tablet computers.
Written procedures: Staff handling card data must have written operating procedures.

Section 6. University eCommerce Policy

University eCommerce Policy

The university ecommerce policy informs university personnel about the sensitivity of customer card data and sets forth rules and responsibilities for protecting it. In accordance with PCI DSS requirement 12.1, the university ecommerce policy is disseminated, reviewed and updated annually. Each year Business Affairs asks campus merchants to ensure their employees review and become familiar with the policy.

Employees involved in credit card processing must review the university ecommerce policy each year. True or False? True False

Please go back and try again. Hint: Each year, university employees involved with card acceptance must familiarize themselves with the university's ecommerce policy. They must also participate in security awareness training.

University Rule 1: BAO Approves All New Credit Card Activity

All university credit card activity must be approved by Business Affairs. University departments can request assistance and approval by submitting the Credit Card and ePayment Activity Request form to Business Affairs. This form identifies the business purpose, preferred payment method, business and technical contacts, and deposit accounting information. By signing the form the requesting department head agrees to follow university policy and remain PCI compliant.

For assistance with credit card processing, university departments should complete the Credit Card and ePayment Activity Request form. True or False? True False

Please go back and try again. Hint: The business office requires this form to provide card processing services and equipment.

University Rule 2: Merchants Must Attest Compliance Status Annually

University merchants must attest their compliance status each year to Business Affairs. University merchants must complete the specific Self Assessment Questionnaire (SAQ) that their payment method qualifies for. Self assessment questionnaires are due to Business Affairs on December 31st each year. The dean, director or department head must sign as 'Merchant Executive Officer' in Part 3, Merchant Attestation. By signing, the dean, director or department head attests that they have read and understand PCI DSS. The PCI Standards Council Quick Reference Guide is a good resource for busy executives seeking to understand PCI DSS.

University merchants must complete Part 4, Action Plan for Non-Compliant Requirements, for any requirement they are not in compliance with, and must show progress toward compliance in the subsequent year.

The self assessment process is a team effort led by the college or department business manager with assistance from:
Staff directly involved in card acceptance,
Technical staff in the department, and
Technical staff in central Information Services.

Completing the annual self assessment is a team effort involving the business manager, department IT, and central IS. True or False? True False

Please go back and try again. Hint: We ask the business manager to complete the SAQ with assistance of their departmental IT since many of the requirements are technical in nature.

University Rule 3: BAO Approves All Service Providers

Many companies offer on-line payment services for a fee. Most claim to be PCI compliant. Few actually are. Most will deposit university sales revenue into their merchant bank and transfer funds to the university every week or two.

Third parties who will provide card processing services to the university, or process credit cards on university premises, must be approved by Business Affairs before contracting or leasing of space. The university manages risk by only allowing departments to contract with companies that:
Are listed as a level 1 service provider on Visa's Global Registry, and
Handle public funds appropriately, and
Bill/invoice for any fees (the university does not allow debits to its bank accounts).

Service providers must include language in their contracts acknowledging that they are responsible for the security of cardholder data they store, process or transmit. Often multiple service providers are involved in card processing. Business Affairs must record which PCI DSS requirements each service provider will manage, and which the university will manage.

Third parties who will process credit cards for the university or on university premises must be approved by Business Affairs. True or False? True False

Please go back and try again. Hint: Purchasing and Contracting Services will solicit input from Business Affairs for any contract that involves credit card processing. We evaluate the business need for card processing, and obtain evidence that the vendor is PCI compliant and that the flow of public funds is compliant with Oregon law.

University Rule 4: Never Create an Electronic File

University employees shall not create an electronic file (web page, email, spreadsheet, database, text document) containing a customer credit card number on the university network.

It is OK to put credit card numbers in a spreadsheet if I delete the file once they are processed. True or False? True False

Please go back and try again. Hint:  The university ecommerce policy prohibits the creation of an electronic file containing a full PAN on the university network.
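A defender's check for Rule 4 and the "first 6 and last 4" concept above, written as an added example that is not part of the training or of any UO tool: it scans text (a spreadsheet export, a mailbox dump) for full 13-16 digit PANs, reports each hit only in the truncated first-6/last-4 form the training says is not card data, and labels the brand by first digit as the card-inspection rule later in the training describes. The Luhn checksum filter and the sample export are constructed for this example; the Luhn test is a standard card-number checksum the training itself does not mention.

```python
"""Added example: find full PANs in electronic files and show safe truncation."""
import re
from dataclasses import dataclass
from typing import List

# Brand by first digit, as the training's card-inspection checklist states.
BRAND_BY_FIRST_DIGIT = {"3": "American Express", "4": "Visa",
                        "5": "MasterCard", "6": "Discover"}

# A candidate PAN: 13-16 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum; filters order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits, which the training says is not card data."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 16:
        raise ValueError("a PAN has 13-16 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def is_customer_card_data(record: dict) -> bool:
    """Name, expiry and service code count only together with a full PAN."""
    digits = re.sub(r"\D", "", record.get("pan", ""))
    return 13 <= len(digits) <= 16   # a truncated PAN has only 10 digits


@dataclass
class Finding:
    line_no: int
    truncated: str   # never the full PAN: the report must not become a new electronic record
    brand: str


def scan_for_full_pans(text: str) -> List[Finding]:
    """Report every Luhn-valid 13-16 digit number, one finding per occurrence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if not luhn_valid(digits):
                continue
            brand = BRAND_BY_FIRST_DIGIT.get(digits[0], "unknown")
            findings.append(Finding(line_no, truncate_pan(digits), brand))
    return findings


# Constructed sample of a departmental spreadsheet export. The card numbers are
# the widely published test numbers, not real accounts. Line 3 is already
# truncated and must not be reported; line 5 is a 13-digit order reference
# that fails the Luhn check.
SAMPLE_EXPORT = """\
Name,Card,Expiry
A. Student,4111 1111 1111 1111,12/26
B. Student,411111******1111,12/26
C. Student,378282246310005,03/27
Order 9876543210123 shipped
"""

if __name__ == "__main__":
    for f in scan_for_full_pans(SAMPLE_EXPORT):
        print(f"line {f.line_no}: full {f.brand} PAN found, truncated {f.truncated}")
```

Run against a real export, the only output is the truncated form, so the scan itself does not create another record covered by Rule 4.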

University Rule 5: Avoid Creating Paper Records

Creation of paper records that contain a customer's full Primary Account Number (PAN) is strongly discouraged. Paper receipts should never contain the full PAN. It is best to process card information relayed in person or by phone immediately, without creating a paper record. In some situations card information must be collected on a paper form by US mail or fax. Paper forms should be designed so that the card number can easily be separated and confidentially recycled immediately after processing. The remaining form information can then be filed for future reference.

Paper records containing the full PAN must be inventoried every six months, retained no longer than three years, and confidentially recycled. Paper records containing the full PAN must be appropriately classified, securely stored in a locked office or file cabinet, and sent by a secure delivery method.

University merchants should avoid creating paper records that contain customer card data. True or False? True False

Please go back and try again. Hint:  There is seldom a valid business reason for storing paper records that contain full card numbers.  If you do, you must regularly inventory and then confidentially recycle the records.  Our policy says avoid storing it in the first place.

University Rule 6: Never Accept Card Data by Email

University employees shall not send or receive customer credit card numbers by email, instant message or chat unless they are protected by strong cryptography. University email is transmitted in plain text and can be intercepted. University on-line payment sites must clearly state that card information is not accepted by email. If you receive an email message containing a customer card number, reply and state that the university is not able to process this transaction. Delete the card number before replying to the message, then delete the original message.

I can process a card number received by email as long as I inform the customer that email is not secure. True or False? True False

Please go back and try again. Hint:  University payment sites must instruct customers that we will not process card data received by email.  If they send it by email, do not process it.

University Rule 7: Use Low Risk Card Processing Methods

University merchants shall avoid processing customer card data on university computers. University merchants shall favor low risk payment acceptance methods, such as fully hosted customer on-line payment and purpose-built single-use card swipe terminals, over high risk methods such as entering card numbers on university computers. POS systems and payment applications that transmit card data on the university network are a target for hackers, especially where payment volumes are high. They require a broad range of resource-intensive security practices.

Rank these methods of accepting credit cards from lowest to highest in terms of risk of data breach:
______ Point of sale system (multiple cash registers connected to a server). Card data traverses a firewalled segment of the university network before being encrypted and transmitted to an off-site processor.
______ Customer on-line payment using a web page that is fully hosted by a trusted third party. Card data never traverses the university network.
______ Card swipe terminal connected via Ethernet with firewall, analog phone line or cell network. The single purpose device transmits encrypted data and is segmented from other devices by a firewall.
______ Employee enters the card number on a university computer that is also used for email, web browsing, and social networking. Computers are often infected by information-stealing malware by clicking links in email messages, browsing unsafe sites or using social media.

University Rule 8: Participate Annually in Security Awareness Training

The following personnel are required to complete PCI security awareness training on an annual basis:
University employees directly involved in credit card processing,
Managers of employees involved in card processing,
Information technology professionals supporting card processing systems or networks,
Procurement professionals involved in contracting with third parties who provide card processing services, and
Agents involved in lending or leasing university property to third parties who will accept credit card payments.

Who must participate in PCI security awareness training each year?
A. University employees authorized to use the department procurement card.
B. University employees accepting cash and check payments.
C. University employees directly involved in accepting customer credit card payments, their supervisors, IT personnel who support card processing systems and networks, procurement professionals involved in contracting with third parties who may provide card processing services, and agents involved in lending or leasing university property to third parties who may accept credit card payments.

Please go back and try again. Hint:  PCI DSS does not apply to the procurement card program or to cash or electronic check payments.

University Rule 9: Annual Risk Assessment of Card Processing Activities

In accordance with PCI DSS requirement 12.2, the university will maintain a risk assessment program that identifies assets, threats, and vulnerabilities related to university credit card processing policy, training and security practices. A formal risk assessment will be undertaken each year.

The university will conduct a formal risk assessment of card processing policy, training and security practices each year. True or False? True False

Please go back and try again. Hint: PCI risk assessment will be a component of the university's internal IT audit program.

University Rule 10: Incident Response Plan

In the event that customer card data is potentially exposed to unauthorized individuals, Business Affairs and Information Services will engage the UO incident response team and execute the University Incident Response Plan. The affected campus merchant has an important role in responding to the incident. They will:
Immediately contain and limit the exposure of data.
Alert the appropriate Records Custodian (Registrar, AVP HR, Dir Business Affairs, Dir Health Center, or Dir Human Research Protection Program) and General Counsel.
Conduct an immediate and thorough investigation of the suspected exposure or theft of personal information.
Not access or alter compromised systems (e.g., do not log on or change passwords; do not log in as ROOT).
Not turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the cable).
Work with Network Services to preserve logs and examine electronic evidence and, if using a wireless network, change the SSID on the AP and other machines that may be using this connection.
Maintain a log of all actions taken.
Provide the records custodian and General Counsel with an incident report containing all information at risk and the source and time frame of the compromise.
Notify affected customers if directed by General Counsel.
Remediate as directed by the Records Custodian.

University merchants have an important role in remediating a data breach. True or False? True False

Please go back and try again. Hint: In the event of a breach the university merchant must: immediately contain and limit the exposure, alert the relevant records custodian(s), conduct an investigation, isolate the system and prevent user access, work with NTS, maintain a log of all actions taken, prepare a report for the records custodians, and notify affected customers if directed by Counsel.

Congratulations! You have completed section 6. University eCommerce Policy:

The eCommerce policy must be reviewed each year.
BAO approves all campus credit card activity.
Campus merchants must complete an SAQ each year signed by the Dean/Dept Head/Dir.
Never create an electronic record containing a full PAN.
Avoid creating paper records containing a full PAN.
Don't process a card number received by email.
Avoid processing card data on a university computer.
Participate in security awareness training annually.
A risk assessment addressing card processing will be conducted each year.
Merchants will help execute the incident response plan in the event of a breach.

Section 7. Point of Sale Best Practices

Best Practices: Unsigned Cards

The university's merchant bank agreement does not allow acceptance of unsigned credit cards. Some cardholders write "See Photo ID" instead of signing their card. It is in the best interest of the customers to sign their card and thereby execute their card agreement, which typically includes fraud protection. Cardholders can add "See ID" beside their signature.

When accepting credit cards in person, university employees must verify that each card has been signed by the cardholder. True or False?
True False

Please go back and try again. Hint: The university's merchant bank agreement does not allow acceptance of unsigned cards.

Best Practices: Detecting Card Fraud

To detect fraudulent card-present transactions, staff should hold and inspect the card while waiting for card authorization:

Is the first digit of the account number 3 (American Express), 4 (Visa), 5 (MasterCard) or 6 (Discover)?
Does the signature appear unaltered and match that on the receipt?
Does the card number on the terminal match that on the card?
Has the card expired? (The transaction may still be authorized if recently expired.)
Do the holograms reflect light and appear three dimensional? (Visa dove)
Has the signature panel been altered?
Was the authorization response 'approved', 'declined', 'call' or 'pick up'?

Other warning signs: the customer
purchases lots of merchandise without regard for size, style or price;
asks no questions on a major purchase;
tries to distract or rush staff during the sale;
makes a purchase and returns for more;
makes a major purchase at store opening or closing;
refuses free delivery of large items.

If something doesn't feel right, cashiering staff should notify their supervisor.

Staff should be trained to detect card fraud. True or False?
True False
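The inspection checklist above, written out as a function so that a supervisor can review which checks a transaction failed. This is an added example, not part of the original training material or of any university system. The first-digit table is the page's own simplification of issuer ranges, the one-month window for a "recently expired" card is an assumption made here, and every card number below is constructed test data, not a real PAN.

```python
"""Card-present inspection checklist as a reviewable function (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Network by first digit of the account number, exactly as the page lists it.
NETWORK_BY_FIRST_DIGIT = {
    "3": "American Express",
    "4": "Visa",
    "5": "MasterCard",
    "6": "Discover",
}

# Authorization responses named on the page that mean "do not complete the sale
# as normal"; the page's guidance is to notify a supervisor.
RESPONSES_NEEDING_SUPERVISOR = {"declined", "call", "pick up"}


@dataclass
class CardPresentTransaction:
    pan_on_card: str                 # number printed/embossed on the card
    pan_on_terminal: str             # number the terminal displays after swipe/dip
    network_on_card: str             # brand logo printed on the card
    expiry_month: int
    expiry_year: int
    signed: bool                     # signature panel carries a signature
    signature_matches_receipt: bool
    panel_altered: bool
    hologram_ok: bool                # reflects light, appears three dimensional
    auth_response: str               # 'approved', 'declined', 'call' or 'pick up'


@dataclass
class InspectionResult:
    findings: List[str] = field(default_factory=list)   # reasons to stop the sale
    warnings: List[str] = field(default_factory=list)   # worth a second look

    @property
    def ok(self) -> bool:
        return not self.findings


def _digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())


def months_since_expiry(month: int, year: int, today: date) -> int:
    """Whole months since the card's expiry month; <= 0 means still valid."""
    return (today.year - year) * 12 + (today.month - month)


def inspect(txn: CardPresentTransaction, today: Optional[date] = None,
            recent_expiry_months: int = 1) -> InspectionResult:
    """Run every check from the page's list and collect findings and warnings."""
    today = today or date.today()
    r = InspectionResult()

    card_digits = _digits(txn.pan_on_card)
    expected = NETWORK_BY_FIRST_DIGIT.get(card_digits[:1])
    if expected is None:
        r.findings.append(f"first digit {card_digits[:1]!r} matches no listed network")
    elif expected != txn.network_on_card:
        r.findings.append(f"card shows {txn.network_on_card} but number begins "
                          f"with {card_digits[0]} ({expected})")

    if card_digits != _digits(txn.pan_on_terminal):
        r.findings.append("number on terminal does not match number on card")

    if not txn.signed:
        r.findings.append("card is unsigned; merchant agreement does not allow acceptance")
    elif not txn.signature_matches_receipt:
        r.findings.append("signature on card does not match signature on receipt")
    if txn.panel_altered:
        r.findings.append("signature panel appears altered")
    if not txn.hologram_ok:
        r.findings.append("hologram does not reflect light or appear three dimensional")

    # Expired cards may still be authorized if only recently expired (page's note);
    # the grace window is an assumption of this example.
    months = months_since_expiry(txn.expiry_month, txn.expiry_year, today)
    if months > recent_expiry_months:
        r.findings.append(f"card expired {months} months ago")
    elif months > 0:
        r.warnings.append(f"card expired {months} month(s) ago; may still be authorized")

    if txn.auth_response.lower() in RESPONSES_NEEDING_SUPERVISOR:
        r.findings.append(f"authorization response {txn.auth_response!r}: notify supervisor")
    return r
```

Every check maps to one line of the page's list, so a failed transaction reports the specific reason rather than a bare yes/no, which is what a supervisor needs when the cashier escalates.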

Please go back and try again. Hint: Staff accepting card payments should be trained to recognize a fraudulent card and behaviors indicative of a fraudulent transaction.

Best Practices: Card Present Transactions

To comply with PCI DSS:

Card swipe terminals must be physically secured when not in use. For example, they must be placed in a locked office or file cabinet.
Card swipe terminals must be configured to require a password, to prevent unauthorized individuals from using them to process fraudulent refunds.
The make and model of the terminal must be listed on the PCI Council list of approved PIN Transaction Devices.

Card swipe terminals are often in a public area when in use. When not in use they should be placed in a locked office or cabinet. True or False?
True False

Please go back and try again. Hint: Terminals should be physically secured when not in use to prevent tampering and theft.

Best Practices: EMV

Effective October 1st 2015, all point of sale devices in the United States must be EMV (Europay Mastercard Visa) compliant. EMV or 'Chip and PIN' reduces card fraud at the point of sale. EMV uses a PIN and cryptographic algorithms for authentication, instead of relying on unencrypted magnetic stripe data and physical inspection of the card. EMV is already the norm in Europe and Canada. U.S. merchants unable to accept 'chip and PIN' transactions will be held responsible for any fraudulent transactions and may pay higher discount fees. The terminal shown above has the slot where an EMV card can be 'dipped'.

University merchants need to have EMV compliant card terminals by October 1st 2015. True or False?
True False

Please go back and try again. Hint: After October 1st 2015, merchants who accept an EMV card payment without processing the chip and PIN are liable for the loss if the payment is deemed fraudulent.

Best Practices: Card Present Transactions

Criminals sometimes add card skimmers, break open a payment terminal and install information-stealing hardware, or substitute a device of their own. PCI DSS standard 9.9 requires that merchants maintain a list of Point of Sale (POS) devices (make, model, location, serial number) and users, and physically inspect their devices periodically for tampering or substitution.

Merchants must keep a list of payment terminals and inspect their devices for signs of tampering or replacement. True or False?
True False

Please go back and try again. Hint: Merchants must maintain a list of card terminals and visually inspect them for tampering.

Best Practices: Card Present Transactions

PCI DSS standard 9.9.3 requires that all personnel who operate a point of sale terminal be trained to do the following:

Verify the identity of unknown persons before allowing them to service a terminal.
Contact the university cashier before installing, replacing, upgrading or returning a terminal.
Be aware of suspicious behavior around devices, such as attempts to tamper with or replace devices.
Report suspicious behavior around devices to the university cashier.

All staff who operate a point of sale terminal must be trained to be aware of suspicious behaviour and signs of terminal tampering and replacement. True or False?
True False

Please go back and try again. Hint: Staff must be trained to identify signs of terminal tampering or replacement.

Best Practices: Mail, Telephone, Fax Orders

Campus merchants sometimes process 'card not present' transactions. The best way to receive card data is by phone. Phone lines are difficult to harvest volumes of data from. If the transaction can be processed while on the call there is no need to create a paper document containing the full PAN. Fax is a secure alternative. It is encrypted in transit, but it generates a paper record containing the full PAN, which should not be left on the machine and must be securely stored, inventoried and confidentially recycled. Mail is acceptable but also creates a paper record that may be handled and accessed by multiple staff members.

For card not present transactions, it is safest to process the transaction while on the phone. True or False?
True False

Please go back and try again. Hint: Merchants that process card transactions while the customer is on the phone do not need to put controls in place for paper records that contain full card numbers.

Congratulations! You have completed section 7. Point of Sale Best Practices:

Make sure the customer has signed their card.
Know the fraud warning signs.
Physically secure card terminals.
Card terminals must accept chip and PIN (EMV) by Oct 1st 2015.
Merchants must keep a detailed list of payment terminals.
Staff operating point of sale terminals must be trained to watch for suspicious behaviour and signs of device tampering and replacement.
Card numbers can be accepted over the phone or by fax. Phone avoids the paper record.

Section 8. Annual PCI Self-Assessment Process

The dirty dozen

PCI DSS contains 12 requirements. Thou shalt...

1. Install and maintain a firewall configuration to protect cardholder data
2. Not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Each of these 12 requirements has many sub-requirements. Depending on your processing method some of these requirements may not apply. For example, if you process credit cards using a card swipe terminal connected via a phone line, requirements 1, 2, 5, 6, 8, 10, and 11 do not apply. Many of the PCI DSS requirements are standard security measures such as changing default passwords and actively managing anti-virus software. Some entail documentation of policy and procedure. Some entail training, testing and monitoring.

PCI DSS contains 12 main requirements. True or False?
True False

Please go back and try again. Hint: PCI DSS version 3.0 consists of 12 main requirements and 326 sub requirements.

Annual merchant self assessment

Each year entities worldwide that store, process, or transmit card data must validate their compliance status. Merchants who process fewer than 6M transactions per year can self assess. Merchants with over 6M transactions must hire a Qualified Security Assessor (QSA) to perform a Report on Compliance (ROC). Business Affairs manages the university's banking relationship and the provision of all merchant accounts (MIDs) where credit card proceeds are deposited. The PCI Council created seven Self Assessment Questionnaires (SAQs), each containing a different subset of requirements relevant to different payment processing methods. University merchants must validate compliance status each year in December by completing the appropriate SAQ(s). Security and PCI compliance is a process, not an end state. Merchants must work at it throughout the year in order to check the "yes" boxes on the self assessment in December.

Business Affairs completes the PCI self assessment questionnaire for university merchants. True or False?
True False

Please go back and try again. Hint: Business Affairs coordinates the self-assessment process. University merchants are responsible for preparing their annual self-assessment. The budget manager typically works together with IT support to select the appropriate SAQ and answer all the questions.

Which SAQ for my department?

The version of SAQ university merchants must complete depends on their payment acceptance method. Some SAQs have more requirements than others. Some require vulnerability scans. Some require penetration testing, which can be expensive.

Which payment methods is your department involved with? (Check all that apply)

E-commerce, customer pays on-line using their own device. University site redirects customer to a vendor hosted payment form. Or the university site presents the vendor hosted payment form in an iFrame.
Note: Merchant site does not host the payment form or send scripts that help render the payment form or transmit card data.
Note: BAO will prepare this SAQ A on behalf of all departments using QuikPAY.
SAQ A: 14 requirements, no scans

E-commerce, customer pays on-line using their own device. University site delivers portions of the payment page (for example, direct post, java, etc.). Example: Authorize.NET Direct Post Method (DPM).
Note: Merchant site creates the payment form and the payment data is delivered directly to the payment processor (Direct Post). Or merchant site delivers script that runs in the customer's browser which supports the creation of the payment page, or the transmission of data to the payment processor.
SAQ A-EP: 139 requirements, internal scans

Card swipe terminal connected via analog phone line or cell phone network, no electronic cardholder data storage.
SAQ B: 41 requirements, no scans

Card swipe terminal connected via Ethernet/IP, no electronic cardholder data storage.
SAQ B-IP: 83 requirements, external scans

Web-based virtual terminal, no electronic cardholder data storage. Typically a PC running a web browser to connect to a payment site hosted by a third party. Card data must be entered using the keyboard, not a magnetic stripe reader.
SAQ C-VT: 73 requirements, external scans

Payment application (point of sale) systems connected to the Internet, no electronic cardholder data storage. The payment application must be segmented from other devices on the university network. The physical location of the POS environment is not connected to other premises or locations.
SAQ C: 139 requirements, external scans and penetration testing

Payment method not eligible for SAQ A thru C. For example, electronic cardholder data storage, or POS with multiple physical locations.
SAQ D: 326 requirements, external scans and penetration testing

External vulnerability scans

PCI DSS requirement 11.2 requires quarterly internal and external vulnerability scans. This scanning requirement applies if the university merchant:

Uses a card swipe terminal connected via IP (SAQ B-IP)
Uses a university PC as a virtual terminal (SAQ C-VT)
Uses a university hosted payment application/point of sale system (SAQ C or D)

Internal scans are performed by Information Services. External scans must be performed by a PCI Standards Council Approved Scan Vendor (ASV). Business Affairs contracted with Campus Guard, an ASV, to perform quarterly vulnerability scans for university merchants. University merchants transmitting card data on a university system can request external scanning through Business Affairs. Business Affairs will pass the cost for scanning on to the university merchant.

University merchants transmitting card data on the university network must arrange for quarterly external vulnerability scans by an Approved Scan Vendor (ASV). True or False?
True False

Please go back and try again. Hint: Business Affairs has a contract with Campus Guard, an Approved Scan Vendor. University merchants with systems that transmit card data must contact Business Affairs to have their external facing IP scanned each quarter.

Congratulations! You have completed section 8. Annual PCI Self-Assessment Process:

There are 12 main PCI DSS requirements and 326 sub requirements.
SAQ A thru C are shorter questionnaires for specific processing methods and environments.
SAQ D includes all 326 requirements.
If card data is being transmitted by a machine on the UO network then that external facing IP needs to be scanned by Campus Guard, the university's ASV.
