compliance with the pci dss
play

Compliance With The PCI DSS Property of CampusGuard Todays Agenda - PowerPoint PPT Presentation

May 02, 2023 •145 likes •465 views

Compliance With The PCI DSS Property of CampusGuard Todays Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A Property of CampusGuard CampusGuard

  1. Compliance With The PCI DSS Property of CampusGuard

  2. Today’s Agenda  PCI DSS Introduction  How are Colleges and Universities Affected?  How Do You Validate Compliance?  Best Practices  Q&A Property of CampusGuard

  3. CampusGuard  Full-Service QSA/ASV Firm  We Know Security  Focused Solely on Higher Education Property of CampusGuard

  4. The Target Breach  40 million customers  Insider ?  POS was the vector  Lessons for all… Property of CampusGuard

  5. PCI… MERCHANTS & SOFTWARE MANUFACTURERS PROCESSORS DEVELOPERS PCI Security PCI PTS PCI DSS & Compliance PCI PA-DSS PIN Transaction Payment Application Data Security Security Vendors Standard Ecosystem of payment devices, applications, infrastructure and users Property of CampusGuard

  6. PCI Relationships Responsible for managing the Responsible for enforcing and PCI DSS and certifying QSAs monitoring merchant compliance and ASVs with the PCI DSS CREDIT CARD SECURITY Bank Merchant Communicates and educates Responsible for safeguarding merchants on PCI DSS and credit card data and complying reports compliance status to with the PCI DSS Card Associations Property of CampusGuard

  7. Penalties can be Huge  In the event of a breach the bank can make the merchant responsible for:  Fines from card associations  Up to $500,000  + Cost to notify victims  + Cost to replace cards  + Cost for any fraudulent transactions  + Forensics  + Level 1 certification Bad Publicity – Priceless! Property of CampusGuard

  8. How Much Time Left?  You are assumed to be compliant NOW!  Banks will be requiring your validation SOON! Property of CampusGuard

  9. Higher Ed Is Vulnerable Past 3 Years Government Higher Education Healthcare 6% 8% 33% Financial Services 14% 17% 22% Other Retailers Source: Privacy Rights Clearinghouse Property of CampusGuard

  10. Colleges and Universities are like Cities… Property of CampusGuard

  11. A Campus Is A “City" Challenges for PCI Compliance:  Open networks and systems  Scope conversations complex  Overloaded staff  Fiscal constraints Property of CampusGuard

  12. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop Property of CampusGuard

  13. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop Property of CampusGuard

  14. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop Property of CampusGuard

  15. PCI in Higher Education Source: 2012 Treasury Institute PCI Workshop Property of CampusGuard

  16. PCI DSS: 6 Goals, 12 Requirements Control Objective Requirements 1. Install and maintain a firewall configuration to protect data 1. Build and maintain a secure 2. Change vendor-supplied defaults for system passwords and other network security parameters 3. Protect stored data 4. Encrypt transmission of cardholder magnetic-stripe data and 2. Protect cardholder data sensitive information across public networks 5. Use and regularly update antivirus software 3. Maintain a vulnerability 6. Develop and maintain secure systems and applications management program 7. Restrict access to data to a need-to-know basis 8. Assign a unique ID to each person with computer access 4. Implement strong access 9. Restrict physical access to cardholder data control measures 10. Track and monitor all access to network resources and 5. Regularly monitor and test cardholder data networks 11. Regularly test security systems and processes 6. Maintain an information 12. Maintain a policy that addresses information security security policy Property of CampusGuard

  17. Merchant Levels Level 1 > 6 million Visa/MC txns/yr > 2.5 million transactions/yr 2 1 to 6 million Visa/MC txns/yr 50,000 to 2.5 million txns/yr 20,000 to 1 million Visa/MC 3 All other Amex Merchants ecommerce txns/yr Most Colleges and Universities 4 All other Visa/MC merchants N/A Property of CampusGuard

  18. Validation Requirements Level • Annual on-site assessment (QSA) • Annual on-site assessment (QSA) 1 • Quarterly network scan (ASV) • Quarterly network scan (ASV) • Annual penetration test (ASV) • Annual penetration test (ASV) • Annual on-site assessment (QSA) • Quarterly network scan (ASV) 2 • Quarterly network scan (ASV) • Annual penetration test (ASV) • Annual penetration test (ASV) • Annual Self-Assessment • Quarterly network scan (ASV) Questionnaire (SAQ) • Annual penetration test (ASV) 3 • Quarterly network scan (ASV) • Annual penetration test (ASV) • At discretion of acquirer  N/A • Annual SAQ 4 • Quarterly network scan (ASV) • Annual penetration test (ASV) Property of CampusGuard

  19. Self-Assessment Questionnaires Card-Not Imprint Only, No Standalone Dial Payment All other Present, All Cardholder Data Out Terminal, No Application methods Cardholder Data Storage Cardholder Data Systems Functions Storage Connected to Outsourced the Internet SAQ A SAQ B SAQ B SAQ C / VT SAQ D (11 questions) (29 questions) (29 questions) (80/51 questions) (286 questions) 11 286 Move as far to the left as possible! Property of CampusGuard

  20. Can I assess myself?  Short answer: Maybe (but you probably don’t want to)  Long answer: You can assess yourself, provided:  You follow audit procedures  Your acquirer agrees  An approved officer (think President or CFO) signs on the “dotted line” (attesting to the veracity of the results)  You’re absolutely sure you’re going to do it right Property of CampusGuard

  21. What’s in PCI Scope? Office Workstations? Card Swipe Machine? Student in dorm? Shopping Cart? Computer Lab? Phone Transaction? Property of CampusGuard

  22. PCI DSS Assessment Your Campus Service Provider ? PCI DSS PA-DSS Level 1 Internet Payment Application PCI DSS SAQ ? A/B/C/D? Property of CampusGuard

  23. Case Study: The commercial software was PA-DSS certified, but 1 – Firewall configuration 7 – Access to system components and cardholder data 8 – Assign unique ID to each person with computer access 9 – Restrict physical access 11 – Regularly test security systems and processes 12 – Maintain a policy that addresses information security Property of CampusGuard

  24. Managing Compliance Property of CampusGuard

  25. Compliance Finish Line! ? Property of CampusGuard

  26. PCI Compliance Discovery and Remediation Validation Assessment • Payments Analysis • Correct Problems • ROC or SAQ • Quarterly Scanning • Merchant Discovery • Compensating • Penetration Testing Submission • Documentation Controls • Preliminary Scanning Re-Valida Re alidate te • Gap Analysis ever ery y 12 12 mos mos Property of CampusGuard

  27. Awareness Training • PCI DSS • General Info Security • Red Flags • Identity Theft • HIPAA • Clery Act • FERPA • Title IX • GLBA Property of CampusGuard

  28. Online Training: PCI DSS Topics An overview of PCI DSS  PCI DSS objectives and  requirements Costs of non-compliance  Sensitive Authentication Data  Hard-copy storage  Protecting cardholder information  Payment card transactions  Remote access  Good work practices  Security incidents  Restricted computer access  Restricted physical access  Tracking and monitoring  Social engineering  Property of CampusGuard

  29. Online Training: Administration Property of CampusGuard

  30. Closing Thoughts  PCI is a journey  PCI requires partnerships  Requires perseverance  Keep the faith Property of CampusGuard

  31. Ron King, CampusGuard rking@campusguard.com (972) 964-8884 Property of CampusGuard

Recommend

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right

Compliance Overview and Compliance by Design [CbD] aka Doing the Right Things at the Right Time ASQ Meeting, 14 August 2012, Santa Ana, CA Dr. Raymond W. Brullo, DPM Compliance Officer , FDA Los Angeles District Office, Irvine, CA Doctor

516 views • 40 slides
Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and

Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and

Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and compliance programs Common compliance issues know your risk areas! Guidance for drafting or updating your compliance plan Elements of

1.16k views • 50 slides
OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and Compliance Committee President Kimberly Fearney Associate Vice President & Chief Compliance Officer Liz Vitullo Executive Assistant Omar

127 views • 8 slides
Education Governance & Compliance Committee April 6, 2018 What is Compliance?

Education Governance & Compliance Committee April 6, 2018 What is Compliance?

Compliance in Higher Education Governance & Compliance Committee April 6, 2018 What is Compliance? Conformity in fulfilling official requirements * Certification or confirmation that the doer of an actionmeets the

506 views • 14 slides
COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS

COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS

COMPLIANCE 2.0 RANDS CONTRIBUTION TO THE EVOLUTION OF CORPORATE COMPLIANCE AND NEXT STEPS PREPARED FOR: RAND CENTER FOR CORPORATE ETHICS AND GOVERNANCE ADVISORY BOARD PANEL : DONNA BOEHME PRINCIPAL, COMPLIANCE STRATEGISTS LLC MICHAEL

526 views • 13 slides
Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate

Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate

Corporate Compliance Programs: Weaving an Effective Compliance Web Simply put, corporate compliance programs are designed to prevent and detect violations of the law. Compliance programs make good business sense because they: reduce the

144 views • 12 slides
Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop

Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop

Fleet Compliance Awareness Workshop Compliance Questions Fleet Compliance Awareness Workshop Question 1 Q 1. When is the best time to carry out a daily vehicle check? [ a ] During a break [ b ] When the engine is running [ c ] Upon taking the

1.11k views • 69 slides
Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in

Achieving Compliance through Strategic Compliance Planning Symposium on Strategic Compliance in Indonesia through the Labour Inspection System Nancy Leppink Chief Labour Administration/Labour Inspection/ Occupational Safety and Health

605 views • 28 slides
COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O

COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O

COMPLIANCE CHARTER G A R Y N I M A X A S S I S T A N T V I C E P R E S I D E N T F O R C O M P L I A N C E U.S. Federal Sentencing Guidelines The compliance programs objective is to establish and promote standards that meet these seven

394 views • 4 slides
Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance

Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance

Bank Secrecy Act Compliance for Experts June 27, 2012 Presenters John Misgen, CPA Senior Compliance Consultant with CliftonLarsonAllen LLP for more than six years Has provided regulatory compliance assistance, including

605 views • 41 slides
Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services

Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services

NCUL Compliance Conference Jeremy Smith Compliance Manager Erin OHern Director of League Compliance Services Meet the Presenter As Compliance Manager, Jeremy Smith oversees compliance services for PolicyWorks' partner Credit Union

2.25k views • 157 slides
Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan One of the core requirements from the Compliance Resource Group (CRG) was that Compliance should develop a 3-5 year strategic plan to model the

793 views • 13 slides
Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP

Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP

Merchant PCI Compliance - Update PCI Compliance Reminders - Portal Access: www.pciapply.com/NWP - Agents have access to the Aperia Client Management Portal Experience - Get your user credentials! - Support/Compliance Center/Help Desk/QSA

66 views • 6 slides
Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies

Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies

Building a Culture of Compliance and Ethics Core Elements 1. Compliance standards (policies procedures and standards of conduct) 2. Dedicated compliance specialist & committee 3. Conducting training and education 4. Developing open lines

154 views • 11 slides
Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND

Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND

CYPRUS FIDUCIARY ASSOCIATION Induction Course in Administrative Services Compliance Athena Yiallourou AML Committee www.cfa.org.cy www.cfa.org.cy 1 1 AML AND COMPLIANCE CONTENT The content of the Compliance session will include

594 views • 48 slides
Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James

Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James

Enforcement: Compliance - Show Cause - Removal by: Sarah Patel Pacheco Crain Caton & James P.C . I F YOU THINK COMPLIANCE IS EXPENSIVE TRY NON - COMPLIANCE Former U.S. Deputy Attorney General Paul McNutty COMPLIANCE COMPLIANCE

528 views • 17 slides
10 Reasons Why Compliance Fails Sinead OConnor www.aicp.im Ten reasons why compliance fails

10 Reasons Why Compliance Fails Sinead OConnor www.aicp.im Ten reasons why compliance fails

10 Reasons Why Compliance Fails Sinead OConnor www.aicp.im Ten reasons why compliance fails Sinead OConnor Head of Regulatory & Compliance services Lack of leadership Compliance comply dont they? What do the rules actually

482 views • 13 slides
Compliance and TeleHealth Julie Bell, MED Compliance Program Manager Objectives: Introduce you

Compliance and TeleHealth Julie Bell, MED Compliance Program Manager Objectives: Introduce you

Compliance and TeleHealth Julie Bell, MED Compliance Program Manager Objectives: Introduce you to Intermountains Compliance Program Identify some potential compliance risks for TeleHealth projects Understand that there is not a

413 views • 14 slides
Financial Compliance USDA RUS ReConnect Program Tim Frantz Deputy Director External Compliance

Financial Compliance USDA RUS ReConnect Program Tim Frantz Deputy Director External Compliance

Financial Compliance USDA RUS ReConnect Program Tim Frantz Deputy Director External Compliance Division Rural Development Business Center Agenda Compliance Resources RUS Right to Inspect Eligible Costs Reporting Requirements

986 views • 66 slides
FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and

FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and

Presenting a live 90-minute webinar with interactive Q&A Anti-Corruption Reform in Mexico: FCPA Compliance is No Longer Enough Understanding Key Provisions, Ensuring Compliance and Mitigating Legal Risks WEDNESDAY, DECEMBER 9, 2015 1pm

420 views • 27 slides
Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance

Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance

Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance and Security Division U.S. Agricultural Export Development Council Monday, November 18, 2019 Overview ew Welcome Global Programs: Curt Alt

386 views • 34 slides
Compliance TODAY December 2013 A PUBLICATION OF THE HEALTH CARE COMPLIANCE ASSOCIATION WWW . HCCA

Compliance TODAY December 2013 A PUBLICATION OF THE HEALTH CARE COMPLIANCE ASSOCIATION WWW . HCCA

Compliance TODAY December 2013 A PUBLICATION OF THE HEALTH CARE COMPLIANCE ASSOCIATION WWW . HCCA - INFO . ORG Timothy Ferriss Jan Cunningham Compliance Specialist Privacy Director of Risk Management Alaska Native Tribal Health Consortium

228 views • 5 slides
Compliance Plan & GFE TAMELA SALDANA, PH.D. COMPLIANCE OFFICER 2 Objectives Provide a

Compliance Plan & GFE TAMELA SALDANA, PH.D. COMPLIANCE OFFICER 2 Objectives Provide a

M/WBE 1 Compliance Plan & GFE TAMELA SALDANA, PH.D. COMPLIANCE OFFICER 2 Objectives Provide a general overview of SMBR Review MBE/WBE Compliance Plan Review specific City of Austin GFE Requirements What is the MBE/WBE

538 views • 26 slides
Regulatory Compliance Update NAFCUs Regulatory Compliance Update Webcast Wednesday, November

Regulatory Compliance Update NAFCUs Regulatory Compliance Update Webcast Wednesday, November

Regulatory Compliance Update NAFCUs Regulatory Compliance Update Webcast Wednesday, November 18, 2015 Presented By: Brandy Bruyere, NCCO, NAFCU Director of Regulatory Compliance Eliott C. Ponte, NCCO, NAFCU Regulatory Compliance Counsel

1.03k views • 68 slides

More recommend