Welcome to the 2nd Annual Campus Merchant Awareness Training Meeting
Agenda
• Introductions
• Merchant Account Basics
• FAQ’s
• What Have We Learned… In this case, left is always better!
• PCI Compliance Changes
• PCI Compliance Overview
• Resources
Merchant Accounts Updates
• System down? – Voice Authorization 1.800.936.2632 – Need MID.
• Questions on Accounts?
– DST 1.800.228.5882 – 24/7 service
– Statement issues
– Authorization Problems
– Supplies
• Bursar Support Services
– Dial Pay
– Wireless Terminal
– POS Terminals
Merchant Accounts Updates
• Account/Statement Review
– Review monthly for errors & charges
• Jul VS zero floor limit fee
– Analyze yearly for cost/service assessment
– Minimum Charges on Statements
– Visa EIRF’s 2.30% – manually entered cards
• Plastic bag around card
• Clean terminal
• Rub card magnetic strip
– Debit pin pads
Merchant Accounts Updates
• Sales Calls
• Bank of America Merchant Contact
– Upgrading Pin Devices
• Fraud Control – http://usa.visa.com/merchants/risk_management/index.html
• American Express Rate Change – All campus 2.05% consumer card; Discover 1.75%
• Staff Training Resources – Many options for the front line staff as well as IT and MRP’s.
Merchant Accounts Updates
• Phishing Alert – Bank of America temporarily suspended your account.
– Reason: Billing failure.
– We need you to complete an account update so we can unlock your account.
– To start the update process follow the link below:
– http://www.secureyouraccountnow.com
– Once you have completed the process, we will send you an email notifying that your account is available again. After that you can access your account at any time.
– The information provided will be treated in confidence and stored in our secure database.
– If you fail to provide required information your account will be automatically deleted from Bank of America database.
Frequently Asked Questions
• Service Charges –
– No – Varied rules between Visa and other card brands. Flat fee versus %.
– May be some legislation changes
– No service charge encourages prompt payment – customer response
• Establishing minimum charge amount – Card organizations forbid you from establishing any transaction dollar limits.
More FAQ’s
• Requiring pictured identification – Card organizations state the credit card sale cannot be turned down due to lack of picture id.
• Phone authorization
• Card not signed
• Suspected counterfeit card
• Fax Machines & Laptops
• MOTO’s – Virtual Terminals & Dial Pay
Still More FAQ’s
• Self Assessment Questionnaire
– Annual
– A great % of merchants have completed
• Security Policies/Procedures
– Departmental
– Campus
• Network Configuration
– Abraham Kuo – UITS Security Operations
What Have We Learned? – That in this case, Left is always better!
• Merchant Compromise
– Paper and fax machines
– SAQ C Merchants
• Compliance Failures
– Shopping Cart, Operating Systems and Other Patches
– Firewall Rule Review
• Segmentation/flat networks
– Look for an alternative (“Move to the left”)
– Keep MOTO to Dial Pay or Point of Sale Terminal
Compliance Changes
• New Annual third party assessment
– MasterCard Notification of Level 2 Merchants
• Report on Compliance (ROC) assessment & documentation
– SAQ Specific
– You are not alone, we are right beside you.
• SAQ C Training
Questions?
Sylvia Johnson, University Information Security Officer
Kelley Bogart, Senior Information Security Specialist
October 23, 2009
Role of the Information Security Office
PCI Overview
InfoSec PCI Web Page – Compliance Roadmap
Payment Methods & Validation Requirements
Ongoing Compliance
Information Security Policy: Access to UA data, computers and network is subject to policies and laws.
PCI compliance is mandated by:
– contract with Bank of America
– FRS Policy 8.14
Info Security Policy: InfoSec will issue guidance to assist units in implementing information security related policies.
PCI security requirements apply to:
– all merchants who store, process or transmit cardholder data
– all system components in or connected to the cardholder data environment: network components, servers, applications
225 specifics
– Some technical
– Some operational
Consequences:
– Monetary fines
– Restrictions on merchant processing
– Loss of privilege
Merchant Responsible Persons are responsible for ALL of them
PCI DSS Requirements and Testing Procedures (each row of the assessment worksheet also carries the columns In Place / Not in Place / Target Date/Comments)
1.1 Requirement: Establish firewall and router configuration standards that include the following:
1.1 Testing procedure: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:
1.1.1 Requirement: A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.1 Testing procedure: Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.
1.1.2 Requirement: Current network diagram with all connections to cardholder data, including any wireless networks
1.1.2.b Testing procedure: Verify that the diagram is kept current.
1.1.3 Requirement: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
1.1.3 Testing procedure: Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone. Verify that the current network diagram is consistent with the firewall configuration standards.
1.1.4 Requirement: Description of groups, roles, and responsibilities for logical management of network components
1.1.4 Testing procedure: Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.
1.1.5 Requirement: Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure
1.1.5.a Testing procedure: Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
A description of how the credit card information moves through the network:
– To which systems the data is passed/stored
– Through which network devices the data passes
– Which ports and protocols are used to pass data
– Which and when encryption algorithms are used
– Which data is stored, where and for how long (PAN, CVV2/CVC2, expiration date, etc.)
– All inbound sources of CHD to the network
– All outbound flows of CHD (e.g., to a payment processor, 3rd parties)
“PCI DSS compliance is much more than a ‘project’ with a beginning and end – it’s an ongoing process of assessment, remediation and reporting.”
“Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.”
Compliance Roadmap (calendar graphic; only the task names survive). Recurring tasks on the roadmap: Security Policy Review, Policy Acknowledgement, Employee Training, Assessment Preparation, Assessment, Merchant Agreement Acknowledgement, Service Provider Check/Listing, Hardcopy Retention Review, Electronic CHD Search, Stored CHD Review, Wireless Access Point Scan, Vulnerability Scans, Web Application Scan, Penetration Test, Firewall Rule Review, Risk Assessment, Inactive Account Disabling, User Password Change, Back Up Media Inventory, Incident Response Plan Test.
Abraham Kuo – UITS – 626.9736
Kelley Bogart – ISO – 626.8232
Robbyn Lennon – FSO-Bursar’s – 621.5781
Security Metrics – Securitymetrics.com
BankofAmerica.com/merchantsupport
https://www.pcisecuritystandards.org/
Prioritized Approach for DSS 1.2 – https://www.pcisecuritystandards.org/education/prioritized.shtml
PCI Quick Reference Guide – https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf