The sign-in area is located at the back of the room. Grab a name tag and let us know who you are! Annual PCI Overview

Transcription

1 The sign-in area is located at the back of the room. Grab a name tag and let us know who you are!

2 Annual PCI DSS Compliance Overview Presented March 2017 By CERTIFI (Compliant Electronic Receipts Transactions through Innovation and Financial Integrity) March 2017

3 Agenda Introductions and networking PCI DSS & role at UNC CH CERTIFI organizational chart & highlights Why PCI DSS Compliance Merchant role Self-Assessment Questionnaires (SAQ) Reminders & Questions

4 What is PCI DSS? The Payment Card Industry Data Security Standard or PCI DSS, was created in 2006 by the five major card brands to: Encourage and enhance cardholder data security Facilitate the broad adoption of consistent data security measures globally The fundamental purpose of PCI DSS is to protect the confidentiality of payment card information.

5 How does PCI DSS work? Six Control Objectives of PCI-DSS Build and maintain a secure network Install and maintain firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other parameters Regularly test security systems and processes Maintain a policy that addresses information security for all personnel Maintain an information security policy Protect cardholder data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Track and monitor all access to network resources and cardholder data Regularly monitor and test networks Maintain a vulnerability management program Use and regularly update antivirus software or programs Develop and maintain secure systems and applications Implement strong access control measures Restrict cardholder information by business need to know Assign a unique ID to each person with computer access Restrict physical access to cardholder data

6 What is UNC CH s Role? The University supports the compliant acceptance of credit cards as payment for goods and services in order to improve customer service, bring efficiencies to UNC-CH s cash management process, and increase volume of certain types of transactions. These activities are all performed under the guidance of Payment Card Industry Data Security Standards (PCI DSS), University policies and procedures, and state/federal law. Oversight for Merchant Services is provided by the CERTIFI Committee (Compliant Electronic Receipt Transactions through Innovation and Financial Integrity). PCI DSS Compliance is a process not an event.

7 What is UNC CH s Role? The University is a Level 2 merchant which means we process between 1 and 6 million transactions a year UNC CH processed 2.8 million transactions in 2016 worth $95.8 million (2.6 million/$66 million in 2015) The Office of State Controller (OSC) administers the contract with SunTrust/First Data, the university s acquiring bank Office of State Controller (OSC) SunTrust/First Data UNC Chapel Hill CERTIFI PCI DSS Compliance is a process not an event. Finance/ITS/Merchants

8 How does it all fit together? Legal Operations Education/Training Communication Purchasing Finance CERTIFI* ITS Information Security Networks Processing Merchants Departments Third Party Vendors Equipment *Compliant Electronic Receipt Transactions through Innovation and Financial Integrity

9 CERTIFI Organizational Chart Matt Fajack Vice Chancellor for Finance & Administration Executive Sponsors Chris Kielt Vice Chancellor-Information Technology & CIO Sponsors Brian Smith Senior Assistant Vice Chancellor & Treasurer Kevin Lanning Chief Information Security Officer CERTIFI Chair DeAhn Baucom University Cashier Loretta Hester * Senior Auditor, Internal Audit Advisory Mark Ingram* Infrastructure & Tech Mgr UNC Development Office Beau Jimmerson * Executive Director Payment Services Finance Brooke O Neal Merchant Services Manager Information Technology Services Mechelle Clayton Director, University Services Portfolio (Vacant) IT Security Specialist Wil Steen * Co-Chair Finance Council Subcommittee, Policy & Communication Austin Gold * Assistant Director Carolina Union Melinda Bakken * Director, OneCard Operations Auxiliary Services Dale Poole * IT Contracts Manager Purchasing Services Andrew Chow * University Cash Manager Cash Management Jon Manlove PCI Compliance Manager Kim Orr Head Teller, Office of University Cashier (Vacant) Business Analyst ecommerce Applications ITS Enterprise Applications ITS Information Security

10 CERTIFI Highlights CERTIFI s website has been updated with additional information and planning more updates before the end of the year Reduced the number of SAQ D s from 8 to 4 during Remaining SAQ D s will be remediated by 7/31/17 Carolina Union came on board to offer event registration and day of merchant services Team will be implementing CRM database to better manage merchant data and communications Training opportunities for 2017 will include webinars, a newsletter and more frequent communication Goal is to be fully PCI DSS compliant by 7/31/17

11 Why PCI DSS Compliance Beyond the fact that credit card companies require compliance, why is it important? Fosters continued trust in the UNC Chapel Hill brand Protects our consumer s information Reduces payment transaction risk Builds consumer confidence in the broader payment card system Continuous Compliance de-emphasizes compliance as a periodic challenge to be overcome, and accentuates a culture of compliance through day-to-day user behaviors... Sam Pfanstiel - Coalfire

12 PCI DSS is a Contractual Obligation PCI DSS compliance is a contractual obligation accepted as part of a merchant s card account agreement. Failure to comply with PCI DSS may result in fines, penalties, and/or fees. In extreme cases, a merchant may lose its ability to process credit cards. For more information visit

13 Merchant Application and Renewal Form (MAR) CERTIFI has developed a new and improved form Requesting that all merchants complete updated form Available online and easy to complete Here s how it works

14 The Self-Assessment Questionnaire Merchants convey their compliance status through an annual self-assessment questionnaire, or SAQ (pronounced sack ). There are four versions of the SAQ; a merchant s applicable SAQ depends on how they interact with credit cards. Lower risk requires less controls, while higher risk requires more controls. Your SAQs are due April 30, 2017

15 SAQ Risk Chart SAQ D (326 Questions) Merchant not included in descriptions listed below SAQ B (41 Questions) SAQ P2PE (35 Questions) SAQ A (14 Questions) Accepts CNP transactions not protected by P2PE solution Transactions protected by a PCI-listed P2PE solution E-commerce transactions fully outsourced to service provider Image Source: Coalfire slide from OSC s NC Kick-off Presentation from January, 2015

16 SAQ Completion Meetings Monday Tuesday Wednesday Thursday Friday March 29 SAQ B 10 11:30 am April 5 SAQ A SAQ B 10 11:30 am 2 3:30 pm SAQ P2PE SAQ D By Appointment April 11 SAQ A 2-3:30 pm *All sessions take place in Dey Hall, Toy Lounge * invitations will be sent mid-march

17 Coming up! Thanks for all of your efforts over the past year The goal? Be completely compliant by end of July Compliance The letter and the spirit In person visits and ongoing educational opportunities Making compliance a process not an event!

18 Latest Training Opportunities Team has developed new online PCI Compliance training. We need staff names and PIDs in order to kick off training. Team members will receive an to the training. Requesting that everyone retake even if you recently completed the module The goal is for this initial training to become an annual event

19 Miscellaneous Reminders Utilize quarterly ID Finder Scans (sensitive information) No VOIP for POS terminals or credit card fax requests (SAQ B Only) Penetration Test scheduled for March 21 Check terminals for tampering every day (SAQ B Only) Complete the annual ITS Awareness Training everyone must take Complete the new MAR (Merchant Application and Renewal) form today!

20 QUESTIONS

21 Want more information or have additional questions? Inbox is checked daily This presentation will be available for download on the Merchants Services and PCI Compliance webpage