UC SAN DIEGO 2018 MERCHANT PCI DSS CYCLE

AGENDA
- Where we are headed
- What is the PCI DSS?
- What are the consequences of not complying with the PCI DSS?
- 2018 compliance cycle calendar
- Merchant processing methods and SAQ type
- Expectations for each SAQ
- Live demo of the CoalfireOne compliance portal
- UCSD Compliance Team contacts

WHAT IS THE PCI DSS?
- PCI DSS = Payment Card Industry Data Security Standard
- A set of minimum security requirements for processing card payments and handling cardholder data
- Contractually agreed to by the UC Office of the President on behalf of the campuses
- The acquiring bank is Bank of America Merchant Services (BAMS), which is responsible for enforcing the PCI DSS with the campus
- Coalfire Systems has been hired by the campus to help demonstrate to the bank that the campus is compliant with the standard

ORGANIZATION OF THE PCI DSS
The PCI DSS is layered the same way as a control framework such as NIST SP 800-53: a security policy at the top, procedures and secure configuration standards that support it, and verification that they are actually followed ("trust but verify"). The questions to ask are:
- Do you have the appropriate security policies in place to safeguard the sensitive information you hold?
- Do you have the appropriate procedures in place to support that overall security policy?
- Do you have the appropriate secure equipment configuration standards in place to support the security policy?
- Do you actually follow the procedures and use the configuration standards?

PCI VOCABULARY
Self-Assessment Questionnaire (SAQ)
- The technical security and business controls that apply to a particular method of processing card payments
- Each merchant is required to complete its own SAQ and be compliant
- All campus SAQs are rolled up into a single SAQ for presentation to BAMS
Cardholder Data Environment (CDE)
- The environment in which cardholder data is received, stored, processed, or transmitted
- In general this is where the PCI DSS applies
Attestation of Compliance (AOC)
- Evidence that a service provider has gone through the PCI compliance assessment process and is compliant with the PCI DSS
- Every service provider involved with your cardholder data must provide a current AOC to its customers ANNUALLY

WHY SHOULD WE CARE?
If you are not compliant:
- High probability of fines
- Possibility that the department would lose the ability to accept any card payments
- Possibility that the entire campus would lose the ability to accept any card payments
If you have a breach:
- Certainty of fines
- Very high probability that the merchant would be responsible for all fraud losses on the compromised cards
- High cost of obtaining a Report on Compliance (ROC), an on-site assessment by a Qualified Security Assessor, to demonstrate that remediation is complete
- Bad publicity for the campus, loss of customer trust

2018 UCSD PCI COMPLIANCE CALENDAR
Task                                  Date(s)
Begin working in CoalfireOne portal   12/4/2018 (immediately!)
SAQs completed NO LATER THAN          1/26/2018
Merchant interviews                   1/22/2018 through 2/2/2018
Merchant site visits                  2/19/2018 through 2/23/2018

MERCHANT PROCESSING METHODS
How you process payments determines which SAQ version you must complete:
- Fully outsourced to someone else
- Web site redirects to a compliant third party processor
- Point-to-Point Encrypted (P2PE) devices
- Non-listed P2PE solution
- Chipcard terminal
- Virtual terminal
- Networked kiosks
- Everything else

FULLY OUTSOURCED (SAQ A)
- Merchant hires a third party service provider to do everything; even the web site is managed by the third party
Expectations:
- Third party service provider gives you evidence of PCI compliance (its AOC) annually
- There are no business processes where cardholder data is handled outside of the service provider
- Service providers managed
- Incident response plan in place

WEB SITE REDIRECT (SAQ A)
- Merchant web site is (minimally) in scope
- Payment processing redirects to a compliant third party processor
Expectations:
- Documentation of the full web stack (operating system, database, shopping cart, CMS, applications)
- Documentation of who administers each layer of the web stack
- Documentation of the Requirement 2 (no vendor-supplied defaults) and Requirement 8 (identify and authenticate access) controls
- Service providers managed
- Incident response plan in place

LISTED P2PE SOLUTION (SAQ P2PE)
- Uses a validated Point-to-Point Encryption (P2PE) solution listed on the PCI Council's website
- Consider each Point of Interaction (POI) device to be its own micro-CDE, needing appropriate protection and inspection
Expectations:
- POI device physical security, tampering inspection
- Back office alert monitoring
- Appropriate business processes in place to control / secure / destroy cardholder data on paper

NON-LISTED P2PE SOLUTION (reduced-scope SAQ D)
- Similar to the P2PE requirements but with more documentation
Expectations:
- POI device physical security, tampering inspection
- Back office alert monitoring
- Appropriate business processes in place to control / secure / destroy cardholder data on paper

CHIPCARD TERMINAL (SAQ B)
- All transactions processed using a standalone chipcard terminal (SAQ B covers imprint machines and standalone dial-out terminals with no electronic cardholder data storage)
- Cardholder data on paper protected, and shredded once the transaction is processed
- Terminals regularly inspected for tampering
- Physically secure environment
- Security policy in place, staff security awareness
- Service providers managed
- Incident response plan in place

POI DEVICE INSPECTION (SAQs B, C-VT, P2PE, reduced-scope D)
- Regular inspection of Point of Interaction (POI) devices (PCI DSS Requirement 9.9)
- Look for tampering, additional cables, keyboard overlays, a serial number that no longer matches your device inventory, etc.
- Staff should at least look at their POI device when they come on shift
- Official inspections of each device must be documented in an inspection log
- Staff must know what to do if they see anything suspicious ("Call for help!")
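A way to turn the inspection log into something a merchant can act on, as an added example that is not part of the original deck and not UCSD or Coalfire tooling. The device inventory, log entries, serial numbers and staff names are constructed; the weekly maximum interval is an assumption, since the PCI DSS leaves the inspection frequency to the merchant. The review flags a device whose observed serial differs from the inventory (possible substitution), an inspector's non-"ok" finding, a device that has gone too long without an inspection, and a logged device that is not in the inventory at all.

```python
from datetime import date

# Constructed device inventory: the list of POI devices (location, serial
# number) that PCI DSS Requirement 9.9.1 asks a merchant to maintain.
INVENTORY = {
    "POI-001": {"location": "Bookstore register 1", "serial": "SN-A1000"},
    "POI-002": {"location": "Bookstore register 2", "serial": "SN-A1001"},
    "POI-003": {"location": "Box office window", "serial": "SN-B2000"},
}

# Constructed inspection log entries:
# (device id, inspection date, inspector, serial observed on the device, result)
INSPECTION_LOG = [
    ("POI-001", date(2018, 1, 22), "jdoe", "SN-A1000", "ok"),
    ("POI-002", date(2018, 1, 22), "jdoe", "SN-A1001", "ok"),
    ("POI-001", date(2018, 1, 29), "asmith", "SN-A1000", "extra cable at rear"),
    ("POI-002", date(2018, 1, 29), "asmith", "SN-A1009", "ok"),  # serial differs from inventory
    ("POI-003", date(2017, 12, 15), "mlee", "SN-B2000", "ok"),   # nothing logged since mid-December
    ("POI-004", date(2018, 1, 29), "asmith", "SN-C3000", "ok"),  # device is not in the inventory
]


def review_inspections(inventory, log, as_of, max_age_days=7):
    """Return a list of (device id, finding code, detail) tuples.

    max_age_days=7 is an assumed policy value: a device not officially
    inspected within that many days of `as_of` is reported as overdue.
    """
    findings = []
    latest = {}  # most recent inspection date per inventoried device
    for dev, when, who, serial, result in log:
        if dev not in inventory:
            findings.append((dev, "unknown_device",
                             f"{who} logged a device on {when} that is not in the inventory"))
            continue
        expected = inventory[dev]["serial"]
        if serial != expected:
            findings.append((dev, "serial_mismatch",
                             f"inventory says {expected}, {who} saw {serial} on {when}; possible substitution"))
        if result != "ok":
            findings.append((dev, "suspicious", f"{who} reported '{result}' on {when}"))
        if dev not in latest or when > latest[dev]:
            latest[dev] = when
    for dev, info in inventory.items():
        if dev not in latest:
            findings.append((dev, "never_inspected", info["location"]))
        elif (as_of - latest[dev]).days > max_age_days:
            findings.append((dev, "overdue",
                             f"last inspected {latest[dev]} at {info['location']}"))
    return findings


if __name__ == "__main__":
    for dev, code, detail in review_inspections(INVENTORY, INSPECTION_LOG, date(2018, 2, 1)):
        print(f"{dev}: {code}: {detail}")
```

Run against the constructed data as of 2018-02-01 it reports POI-001 as suspicious, POI-002 as a serial mismatch, POI-003 as overdue and POI-004 as an unknown device. Any serial mismatch or suspicious result is exactly the "call for help" case on the slide and should go to the incident response plan, not just the log.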

STAFF TRAINING (SAQs (A), B, C-VT, P2PE, reduced-scope D)
- All staff need to know that cardholder data is sensitive data that must be protected and securely processed
- All staff must have annual PCI security training
- For merchants with POI devices, staff are trained on how to detect tampering
- All staff must be trained in what to do if something is wrong: see something, say something (it could be as simple as "Call for help")

VIRTUAL TERMINAL (SAQ C-VT)
- Use a browser to key-enter payments into a third party processor's virtual terminal
- The workstation / laptop / tablet must be devoted to card payment processing only (a single-purpose device); it cannot be used for email, accounting, spreadsheets, web surfing, or anything else
- Workstation must be securely configured and administered
- Workstation(s) must be isolated on their own network segment
Expectations:
- Minimally functional secure configuration across all workstations, including the browser

NETWORKED KIOSKS (SAQ C)
- Card-accepting kiosks / devices transmitting cardholder data to a third party for processing
- Some of the SAQ C controls may not apply
- One campus merchant is in this category

EVERYTHING ELSE (SAQs B-IP, D)
- Currently no campus merchants are in these environments
- SAQ B-IP (standalone, IP-connected payment terminals) is similar to a mixture of SAQs B and C-VT
- SAQ D requires all PCI DSS controls to be met (>330 controls)
- If you store cardholder data electronically, you are in this environment

COALFIREONE COMPLIANCE PORTAL DEMO
- Overview / Dashboard
- Environment
- Requirements
- Gap Report
- Evidence Library
- Resources

UCSD COMPLIANCE TEAM
UCSD Compliance Portal on Blink: http://blink.ucsd.edu/finance/cash/credit-debit-cards/pci-dss/index.html
- Armando Carlsson, acarlsson@ucsd.edu
- Matt Linzer, mlinzer@ucsd.edu
- Joe Tinucci, joseph.tinucci@coalfire.com
- Steve Durham, steven.durham@coalfire.com

QUESTIONS