UC SAN DIEGO
2018 MERCHANT PCI DSS CYCLE

AGENDA
Where we are headed
• What is the PCI DSS?
• What are the consequences of not complying with the PCI DSS?
• 2018 Compliance cycle calendar
• Merchant processing methods and SAQ type
  – Expectations for each SAQ
• Live Demo of CoalfireOne compliance portal
• UCSD Compliance Team Contacts
WHAT IS THE PCI DSS?
PCI DSS = Payment Card Industry Data Security Standard
• Set of minimum security requirements for processing card payments and handling cardholder data
• Contractually agreed to by the UC Office of the President on behalf of the campuses
• Acquiring Bank is Bank of America Merchant Services (BAMS), who is responsible for enforcing the PCI DSS with the campus
• Coalfire Systems has been hired by the campus to help demonstrate to the bank that the campus is compliant with the standard
ORGANIZATION OF THE PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is built on the NIST 800-53 IT Security control framework
• Do you have the appropriate security policies in place to safeguard the precious information that you have?
• Do you have the appropriate procedures in place to support that overall security policy?
• Do you have the appropriate secure equipment configuration standards in place to support the security policy?
• Do you actually follow the procedures and use the configuration standards?
[Diagram: Security Policy -> Procedures -> Configurations -> Trust but Verify]
PCI VOCABULARY
Self-Assessment Questionnaire = SAQ
• The technical security and business controls that apply to a particular method of processing card payments
• Each merchant is required to complete their individual SAQ and be compliant
• All campus SAQs are rolled up into a single SAQ for presentation to BAMS
Cardholder Data Environment = CDE
• The environment in which cardholder data is received, processed, or transmitted
• In general this is where the PCI DSS applies
Attestation of Compliance = AOC
• Evidence that a service provider has gone through the PCI compliance assessment process and is compliant with the PCI DSS
• Every service provider involved with your cardholder data must ANNUALLY provide an AOC to their customers
WHY SHOULD WE CARE?
If you are not compliant:
• High probability of fines
• Possibility that the department would lose the ability to accept all card payments
• Possibility that the entire campus would lose the ability to accept all card payments
If you have a breach:
• Certainty of fines
• Very high probability that the merchant would be responsible for all fraud losses on compromised cards
• High cost of obtaining a Report on Compliance (ROC) to demonstrate remediation completed
• Bad publicity for campus, loss of customer trust
2018 UCSD PCI COMPLIANCE CALENDAR
Task                                   Date(s)
Begin working in CoalfireOne portal    12/4/2018 (immediately!)
SAQs completed NO LATER THAN           1/26/2018
Merchant interviews                    1/22/2018 through 2/2/2018
Merchant site visits                   2/19/2018 through 2/23/2018
MERCHANT PROCESSING METHODS
How you process payments determines which SAQ version you must complete
• Fully Outsourced to someone else
• Web site redirects to a compliant third party processor
• Point-to-Point Encrypted devices
• Non-listed P2PE solution
• Chipcard terminal
• Virtual Terminal
• Networked Kiosks
• Everything else
FULLY OUTSOURCED
SAQ A
• Merchant hires a third party service provider to do everything
• Even the web site is managed by the third party
• Expectations:
  – Third party service provider gives you evidence of PCI compliance (annually)
  – There are no business processes where cardholder data is handled outside of the service provider
  – Service providers managed
  – Incident response plan in place
WEB SITE REDIRECT
SAQ A
• Merchant web site is (minimally) in scope
• Payment processing redirects to a compliant third party processor
• Expectations:
  – Documentation of full web stack (Operating System, database, shopping cart, CMS system, applications)
  – Documentation of who administers each layer of the web stack
  – Documentation of Requirements 2 and 8 controls
  – Service providers managed
  – Incident response plan in place
LISTED P2PE SOLUTION
SAQ P2PE
• Uses a validated / listed Point-to-Point Encryption (P2PE) solution listed on the PCI Council’s website
• Consider each Point Of Interaction (POI) device to be its own micro-CDE, needing appropriate protection and inspection
• Expectations:
  – POI device physical security, tampering inspection
  – Back office alert-monitoring
  – Appropriate business processes in place to control / secure / destroy cardholder data on paper
NON-LISTED P2PE SOLUTION
Reduced-scope SAQ D
• Similar to P2PE requirements but with more documentation
• Expectations:
  – POI device physical security, tampering inspection
  – Back office alert-monitoring
  – Appropriate business processes in place to control / secure / destroy cardholder data on paper
CHIPCARD TERMINAL
SAQ B
• All transactions processed using a chipcard terminal
• Cardholder data on paper protected, shredded when the transaction is processed
• Terminals are regularly inspected for tampering
• Physically secure environment
• Security policy in place, staff security awareness
• Service providers managed
• Incident response plan in place
POI DEVICE INSPECTION
SAQs B, C-VT, P2PE, Reduced-scope D
• Regular inspection of Point of Interaction (POI) devices
• Look for tampering, additional cables, keyboard overlays, etc.
• Staff should at least look at their POI device when they come on shift
• Requirement to document the “official” inspection of the device in an inspection log
• Staff must know what to do if they see anything suspicious (“Call for help!”)
STAFF TRAINING
SAQs (A), B, C-VT, P2PE, Reduced-scope D
• All staff need to know that cardholder data is sensitive data that must be protected and securely processed
• All staff must have annual PCI security training
• For merchants with POI devices, staff trained on how to detect tampering
• All staff must be trained in what to do if something is wrong
  – “See something, say something”
  – Could be as simple as “Call for help”
VIRTUAL TERMINAL
SAQ C-VT
• Use a browser to key-enter payments in the third party processor’s virtual terminal
• Workstation / laptop / tablet must be devoted to card payment processing only
  – Single-purpose device
  – Cannot be used for email, accounting, spreadsheets, web surfing, or anything else
• Workstation must be securely configured and administered
• Workstation(s) must be isolated on their own network segment
• Expectations:
  – Minimally functional secure configuration across all workstations, including the browser
NETWORKED KIOSKS
SAQ C
• Card-accepting kiosks / devices transmitting cardholder data to a third party for processing
• Some of the SAQ C controls may not apply
• One merchant in this category
EVERYTHING ELSE
SAQs B-IP, D
• Currently no merchants in these environments on campus
• SAQ B-IP similar to a mixture of SAQs B and C-VT
• SAQ D requires all PCI controls to be met (>330 controls)
  – If you store cardholder data electronically, you are in this environment
COALFIREONE COMPLIANCE PORTAL
DEMO
• Overview / Dashboard
• Environment
• Requirements
• Gap Report
• Evidence Library
• Resources
UCSD COMPLIANCE TEAM
UCSD Compliance Portal on Blink:
http://blink.ucsd.edu/finance/cash/credit-debit-cards/pci-dss/index.html
Armando Carlsson • [email protected]
Linzer • [email protected]
Joe Tinucci • [email protected]
Durham • [email protected]
QUESTIONS