Payment Card Industry (PCI) Compliance Summary
May 14, 2010

Background. Whenever someone clicks a "Pay" button on a University website, the payment information is processed either in-house or by a third-party credit card processing service provider such as QuickPay (used to process tuition payments by credit card). The processor then sends the information to a credit card association member (such as SunTrust Merchant Services), which in turn interfaces with the credit card company so that payment eventually reaches University bank accounts.

What is PCI Compliance? The PCI Standard is not a law! It is a regulation created by the payment card companies (MasterCard and Visa being the leaders) and is enforceable through contractual obligations with those companies. Members and merchants agree to abide by the standard under the terms of their contracts with the payment card companies. The Payment Card Industry (PCI) Standard sets out the security requirements for transmitting, storing, accessing, or processing cardholder data.

Compliance requirements. Compliance is required on a per-merchant ID (MID) basis. For departments with multiple MIDs (such as the Transportation Department, which has separate MIDs for Internet citation payments, Internet parking permit payments, Coliseum parking deck accounts, etc.), each account has to be reviewed to ensure that cardholder data is being handled correctly. The compliance requirements for each MID depend on that MID's PCI classification level, and the level depends on the MID's annual transaction volume, regardless of the acceptance channel or processing method (see Table 1 below for level definitions). The PCI security requirements are in line with current best-practice security recommendations, such as the International Standards Code of Practice for Information Security Management (ISO 17799).

Penalties for Non-compliance (Visa). The credit card companies may impose penalties or fines on members, merchants, or their agents. Members or merchants are subject to fines of up to $500,000 per incident if a compromise of their network results in the loss or theft of cardholder information and the network is subsequently found to have been non-compliant at the time of the compromise. In addition, if a member or merchant fails to immediately notify the credit card companies of a suspected or confirmed loss or theft of transaction information, the member or merchant is subject to a penalty of $100,000 per incident.

Deadlines. The deadline for PCI compliance for levels 2 and 3 was June 30, 2005; however, the Office of the State Controller (OSC), which is statutorily charged with implementing and managing the State's Electronic Commerce and Payments Program (see attached memo), did not notify NC State until late July 2005. NC State, along with other state agencies, has been attending monthly OSC-hosted conference calls in which OSC-appointed vendors explain the PCI compliance process. As far as PCI is concerned, however, if a security breach occurred today resulting in the compromise of an NC State customer's cardholder account data, the University could be subjected to the penalties or fines outlined herein.

NC State Responsibilities. Members (e.g., SunTrust) must comply with PCI and are responsible for ensuring that their merchants (e.g., NCSU), their service providers, and their merchants' service providers are compliant as well. Consequently, NC State must comply with PCI and is responsible for ensuring that each of its service providers is compliant as well.

NCSU Actions/Impact. OSC has entered into a one-year contract with Ambiron TrustWave, which is using its TrustKeeper web portal to assist all merchants under the State's master contract with SunTrust Merchant Services with completing the annual self-assessment questionnaire and performing the required network scans. The ETSS Information Security area is currently working to identify and secure the NC State "cardholder network" so that the appropriate network scans and questionnaires can be completed via the TrustKeeper web portal. To date we have identified about 14 different MIDs at level 3 or level 4, with possibly one level-2 MID. The MIDs identified so far are as follows:

    1. Transportation (5 MIDs)
    2. Advancement Services (1 MID)
    3. Cashiers Office (1 MID)
    4. Institute for Emerging Issues (Chancellor's Office) (1 MID)
    5. University Housing (1 MID)
    6. NCSU Box Office (Ticket Central in the Student Center) (1 MID)
    7. Undergraduate Admissions (1 MID)
    8. Parent Family Services – PFS (Student Affairs) (1 MID)
    9. Grad School (1 MID)
   10. CALS Development Office (1 MID)


Table 1 – Compliance validation summary

Level  Description                                  Compliance Validation                   Validated By                                      Due Date
1      Over 6,000,000 transactions per year; or    Annual on-site security audit;          Independent security assessor or internal audit;  9/30/2004
       any merchant that has suffered an attack    quarterly network scan                  independent scan vendor
       causing account data to be compromised*
2      150K to 6,000,000 transactions per year     Annual self-assessment;                 Merchant (NCSU); independent scan vendor          6/30/2005
                                                   quarterly network scan
3      20K to 150K transactions per year           Annual self-assessment;                 Merchant (NCSU); independent scan vendor          6/30/2005
                                                   quarterly network scan
4      Less than 20K transactions per year         Annual self-assessment (recommended);   Merchant (NCSU); independent scan vendor          TBD
                                                   quarterly network scan

* There are stringent requirements for level 1, so it is a huge risk if a successful attack forces lower-level systems to be treated as level 1.