PAYMENT PROCESSING
@
MCMASTER UNIVERSITY

April 22nd & 23rd, 2009

Presenters

• Nancy Gray – Financial Services
• Stacey Farkas – Financial Services
• Tim Russell – UTS
• Theresa Cooke – Financial Services
• Tawnya Smith – Internal Audit
• Diane Carment – Conference Services

Agenda
1. PCI COMMITTEE (5 min)
2. REVIEW OF PAYMENT PROCESSING & PCI SECURITY STANDARDS (5 min)
3. UPDATES SINCE PREVIOUS WORKSHOP (15 min)
4. COMMON AUDIT FINDINGS (10 min)
5. PCI FEES (10 min)
6. ONLINE CASHIERING (5 min)
7. INTERAC ONLINE (5 min)
   BREAK (10 min)
8. SUSPICIOUS TRANSACTIONS & SECURITY PROTOCOL (15 min)
9. 2009 SAQ QUESTIONNAIRES (25 min)
10. CONFERENCE SERVICES – STARREZ DEMO (15 min)
11. ACTIONS REQUIRED (5 min)
PCI Steering Committee
Lilian Scime (Co-Chair)
Nancy Gray
Gina Robinson
Rocco Piro
Mike Sowerby
Tim Russell
John McKay
Tawnya Smith
Absent:

Stacey Farkas
Theresa Cooke
John Kearney (Co-Chair)
OVERVIEW
Payment Processing @ Mac

Payment Card Industry Security Standards
• Standards developed by the credit card companies (Visa, M/C) to protect cardholders
• Standards cover policies, business processes, systems, etc.
• Every merchant is required to be in compliance with these standards
• Risk to the University as a whole if there is a "breach" and anyone is found to be non-compliant
   o Lose the ability to accept credit cards
   o FINES
   o Reputation risk
• Self-attestation is our means to ensure compliance
• INTERNAL audits will occur
• EXTERNAL audits could occur
UPDATES
• Growth in Merchants
   o 3 new e-commerce sites
   o New virtual terminal users or moved to large accounts
   o $21 million credit card sales in 07/08!

• Important to contact Financial Services when staff turn over
   o Fill out new Payment Card Merchant Number Approval Form
   o One-on-one training provided
   o Access to system terminated

Updates
• AMEX
   o Accepted university-wide August 2008 with negotiated lower rates
      • 0.5% to 1.20% lower than before, with no contract
   o Updates required to be made to websites/promotional materials
• Changes to Visa & M/C rates
   o Fee structure has changed for Visa and Mastercard
   o Rates are higher based on the type of card
      • Card-present vs. not-present
      • Consumer, corporate, premium
Updates - Trustwave
Engaged Trustwave to perform a pre-assessment for eCommerce Merchants, and their High Priority findings were:

   o Staffing to manage on-going PCI compliance is insufficient.
Outcome: Security Analyst (Desmond Irvine) commenced work this week to support Ken Craft.

Updates - Trustwave
   o Implement central logging and auditing server and processes for PCI systems.

Outcome: Space is planned within the Gilmour Hall renovation, with on-going discussions with current eCommerce merchants and external software vendors to work towards this direction.

Updates - Trustwave
   o Communicate directives to merchants: recurring billing, CVV, PAN storage, etc.
Outcome: Implemented CVV with eCommerce merchants in October 2008 and dealt directly with merchants as required.
   o Review and manage access accounts on all card processing systems and apply central account to remaining accounts.
Outcome: This is being addressed as part of this training. All merchants are required to submit a "Payment Processing Authorized Access Record" with each SAQ.
Internal Audit
• Overview of an Internal Audit related to Payment Processing:
   o Assess PCI Compliance as a sub-section of cash controls when performing Internal Audits
   o Audit for compliance to policy and the attestations made in the Self Assessment Questionnaires
   o Issue report to department management outlining situations requiring corrective action
• Serious non-compliance could result in suspension of individual merchant privileges
Internal Audit
Common Audit Findings
• Generally focus on Access Control Measures
• Hard copy and/or electronic cardholder data should not be stored/saved unless there is a legitimate business purpose to do so:

   o POS merchants need to keep the merchant's copy of payment card receipts when this is the only sales record resulting from the transaction (Merchant types B and C)

   o Virtual terminal and E-commerce merchants do need to maintain custody of the system generated receipt and/or the daily sales summary (Merchant types A and D)
Internal Audit
Common Audit Findings
o When storage of payment card info is necessary, then all paper and electronic media containing cardholder data must be physically secure
   • Secure = Stored in a locked cabinet or room to which access is limited and controlled at all times other than when in use
   • Payment card information should not be stored electronically, e.g. in Word, Excel, etc.
   • Limit access to "need to know"
o Controlled distribution of data
   • Don't distribute via e-mail; use distribution tracking and confirmation of receipt
o Record retention and destruction
o Password sharing is not permitted
o Review of technical compliance will also be performed – scope to be determined
McMaster PCI Fees
• Compliance with card data security standards is essential
• External assessment (pre-audit) identified 4 high risk areas in our payment processing practices
   o KEY weaknesses (GAPS) were the result of lack of centralized security and lack of staff to support this
   o Need for ongoing training and support for our decentralized environment
• This fee is intended to fund those requirements and close those GAPS
• Designed to reflect actual setup and operational costs and create incentives to find economies of scale
   o 1 FTE in UTS and 0.5 FTE in Financial Services
McMaster PCI Fees
• Annual "PCI Compliance Levy" base charge:
   o $750 per e-Commerce merchant
   o $350 per Point of Sale (POS) or Virtual Terminal merchant
PLUS
• Volume based charge:
   o Commencing September 2009:
      • 0.50% of credit card sales; CAP at max of $7,500
   o Fiscal year 10/11:
      • 1% of credit card sales; CAP at max of $10,000
• Rate structure to be reviewed periodically and increased or decreased as appropriate to fund the operational needs.
On-line Cashiering
The internal cash receipt process has…
Two Purposes:
• Posting transactions to your FAS account
• Creating batch data for bank reconciliation
Two Processes:
• Online Cashiering
• Scheduled Uploads
Two Requirements:
• Separate batch for each deposit
• Batch date must equal deposit date
Reminder: an admin fee of $25.00 will be assessed for non-compliance with these requirements
Internal Processing
Online Cashiering
• Used for POS (debit and credit cards), Virtual Terminal and E-Commerce
• Secured access through Supersession/IBM
• Can be posted as one transaction, or create more detailed reporting with multiple receipts and account numbers
• Batch will normally be closed upon verification by the Cashier's Office.
Scheduled Upload
• Used for "integrated" E-Commerce
• Data comes from both Moneris and the integrated system
• Program written to format data and assign batch dates/numbers.
**NEW** Merchant Codes for On-line Cashiering
• The Bank Reconciliation process requires that we identify distinct Merchant numbers with the on-line cashiering batch.
• We have assigned a 3 digit code to each merchant that will be cross referenced with the Merchant Name, Visa/MC and AMEX #s (note: as many as 13 characters)
• This code will be used in the Cashier Name section of the On-line Cashiering Batch screen with the following format: 001 TC 24332
• The process becomes effective as soon as you receive your code and no later than May 1st.
Batch Screen Example

CASHIER NAME: 001 TC 24332

INTERAC Online
• We are working with UTS to be able to offer INTERAC Online as a payment method. This will allow students to pay from a link on the MUGSI website, and we will have immediate notification.
• Expected to be ready for tuition payments in June '09.
• Once we are up and running, this new payment method will be available for use by our eCommerce merchants.
INTERAC Online
• It is not compulsory to offer this payment method.
• Consumers using INTERAC Online must be registered for online banking with their financial institution.
• When making a purchase using this method, the consumer is redirected to their bank to authorize the payment.
• Participating Financial Institutions are:
BREAK
10 MINUTES

Suspicious Transactions and Security Protocol
• Several types of suspicious transactions:
   o Successful credit card transactions repeated several times
     Notify Moneris, noting the date and time when this occurs and who you spoke with.
     Inform UTS IT Security (c-uts-security@mcmaster.ca)
   o Unsuccessful attempts to process transactions
   o Transactions from unexpected locations
     Notify UTS IT Security and follow their directions

Suspicious Transactions and Security Protocol
A virus is detected on a PC that is used to process credit card transactions:
Notify UTS IT Security immediately.
Do not attempt to cleanse the PC at all.
Shut down the PC immediately.

UTS IT Security may need to seize the PC and perform an investigation on the system to determine the nature of potential issues and possible breach.
A new endpoint security solution is being implemented shortly which will assist with preventative measures.
PCI Compliance:
Self Assessment Types

Web site location:
http://www.mcmaster.ca/bms/BMS_FS_Payment_Card.htm
PCI Self-Attestation Questionnaires
• New version – 1.2
• Better definitions and clearer documentation, including "Not Applicable" fields.
• Partially completed documents were issued to the Merchant Signing Authority.
• POS: Stand-alone terminals are IP lines in Canada. A ruling from Trustwave stated we could use SAQ Version B (rather than C) for these merchants.
PCI SAQ – Part 1

As a Level 4 merchant (fewer than 20,000 Visa eCommerce transactions per year) we are not required to use a Qualified Security Assessor Company.

PCI SAQ – Part 2

Section 2 comprises Merchant information. This varies for each SAQ type (A-D), especially with Part 2D, which addresses why each merchant is completing a specific SAQ.
PCI SAQ – Part 4

• Non-compliance status is required to be addressed by each merchant by a specific date.
• The number of sections addressed depends on the SAQ Type.
PCI SAQ – Part 4, Requirement 4

• Addressed within the "Policy for Acceptance of Payment Cards"
• Reiterated within this training

PCI SAQ – Part 4, Requirement 12
• Addressed by University-wide IT Security policy and specific activities as required by the PCI Steering Committee.
• It is the responsibility of each merchant to implement policy and directives.

PCI SAQ – Part 3

Non-compliance is based on not completing the SAQ or not meeting requirements. We do not always need a Scan.
PCI SAQs

• Completed SAQs are due May 30th 2009. Send these to Financial Services, DTC 414.
• As indicated earlier, if an SAQ is not submitted by a merchant, it will result in suspension of their merchant account, due to the reputational and financial risk to the University.

Conference Services
STARREZ DEMO

Diane Carment

Actions required
• Complete Self Assessment Questionnaires DUE: MAY 30, 2009
• Complete the "Payment Processing Authorized Access Record" (for each merchant number)
• Start using the new Merchant Codes in online cashiering as soon as you receive your code
• Follow the Security Protocol when issues arise.
• Please fill out the evaluation forms!

Please call if you have questions or concerns surrounding your business processes or security – see Key Contacts
Key Contacts
• Technical problems with processing
   o Moneris help desk – 1-866-319-7450
   o Moneris e-select help – 1-866-562-4354
• PCI standards/Security (c-uts-security@mcmaster.ca)
   o Desmond Irvine x21649 (irvined@mcmaster.ca)
   o Ken Craft x23763 (craftk@mcmaster.ca)
   o Tim Russell x28688 (trussel@mcmaster.ca)
• Physical, Network and Telecom Security
   o Via UTS Service Desk x24357 (uts@mcmaster.ca)
• Internal Audit
   o Tawnya Smith x23872 (tsmith@mcmaster.ca)
• All other concerns
   o Stacey Farkas – x23654 (farkas@mcmaster.ca)
• Moneris website: www.moneris.com
• Online services and support
   o http://www.moneris.com/index.php?context=/onlineservice/downloads
• Faculty of Health Sciences Merchants
   o CSU Help Desk x20848 (Verify)