Credit Card Data Security Compliance

Achieving PCI Compliance
July 2009

Kim Ray
Billing and Payment Services
Campus Credit Card Coordinator

Karen Eft
IT Policy Manager
Office of the CIO

Kate Riley
IT Security Analyst
Information System Technology
Who Accepts Credit Cards?

Departments with a business need for:

  – Ticket Sales
  – Enrollment/Registration/Conference Hosting
  – Donations/Gifts
  – Gift Shops/Admission Desks/Memberships
  – Publication Sales
  – Public Services (e.g., Library, Optometry, Parking, Cal Overstock)
Who Accepts Credit Cards?

Over 130 merchant accounts with annual sales exceeding $103 million/year
(chart: $43 million/year in 2003)
How we Accept Credit Cards

(diagram) Obtain Credit Card Number → System Application Database (on-campus or hosted by vendor) → Internet Gateways → UC's Acquiring Bank

UC's Acquiring Bank:
  • Issues Merchant Account Numbers
  • Processes authorizations, sales, credits
How to Accept Credit Cards

Card Present

Customers making purchases in person:

  – Gifts at the Berkeley Art Museum store
  – Services at the Optometry Clinic
  – Admission to the Botanical Gardens
  – Parking pass at Parking and Transportation
How to Accept Credit Cards

Card Not Present

Customers making purchases by phone or mail request:

  – Conference registration by mail
  – Publication purchases over the phone
Accepting Credit Card Data by Fax

Prohibited in University Cash-Handling Policy (BUS 49)
  – Violation of the intent of section 4(a) in the Uniform Commercial Code

The Campus Controller may grant a variance
  – Such a request must provide detail of the compensating controls in place to secure the data
How we Accept Credit Cards

Card Not Present

Customers making purchases online through a department's web application that interfaces with an Internet Gateway:

  – Enroll in a course with University Extension
  – Purchase a ticket for an Athletics game
  – Pay a student intent to register fee
  – Pay a Visiting Scholar's fee
Department Web Application

The department has a business need to collect and store personally identifiable information
  – Hosted: on-campus or by vendor

Must comply with Campus Minimum Security Standards:
  – https://security.berkeley.edu/MinStds/
      Networked Devices
      Electronic Information
Campus Minimum Security Standards

Karen Eft
IT Policy Manager
Office of the Chief Information Officer

Campus IT Security Policy
Each member of the campus community is
responsible for the security and protection of
electronic information resources over which he
or she has control.

Resources to be protected include networks,
computers, software, and data. The physical and
logical integrity of these resources must be
protected against threats such as unauthorized
intrusions, malicious misuse, or inadvertent
compromise.
UC-wide Business & Finance Bulletins, "IS" series

Oversight of Electronic Information:
IS-2, Inventory, Classification, and Release of
University Electronic Information

IS-3, Electronic Information Security

IS-11, Identity and Access Management

IS-12, Continuity Planning and Disaster Recovery
(http://www.ucop.edu/irc/itsec/uc/mgt_guide/guide.html)
Minimum Security Standards

  Minimum      ≠    minimal

Why do we put you through this?

Prevent Identity Theft

Horrible consequences for victims of identity theft.

When unencrypted data of specific types is "breached" we have to notify the subjects.

Incredible waste of time and effort responding to security incidents.

Notifications can cost millions of dollars.

Damage to reputation / good will.

Reduced level of donations or research funding.
Minimum Security Standards

  MSS for Networked Devices
  MSS for Electronic Information
Minimum Security Standards
for Networked Devices
 1. Keep software patches current
 2. Run approved anti-virus software
 3. Run approved host-based firewall software
 4. Use secure passwords
 5. No unencrypted authentication
 6. No unauthenticated email relays
 7. No unauthenticated proxy services
 8. Ensure physical security
 9. Don't run unnecessary services
Minimum Security Standards for Electronic Information (MSSEI)

1. Notice-triggering information
     High Confidentiality – apply all protective measures listed in Attachment A

2. Payment Card Industry Data
     May not be stored without explicit approval from UC Berkeley Billing and Payment Services
1) MSSEI notice-triggering information:
First name OR first initial AND last name
in combination with one or more of the following:
  – Social Security Number,
  – driver's license number,
  – California Identification Number,
  – financial account number, credit or debit card
    number, in combination with any required
    security code, access code, or password that
    would permit access to an individual's financial
    account,
  – medical information,
  – health insurance information.
Protective Measures for high confidentiality information
(three slides; the measures are those of MSSEI Attachment A and were not captured in this text)
2) Payment Card Industry Data Security Standard (PCI DSS):

Primary Account Number (PAN) (credit card
number) AND any of the following if stored,
processed, or transmitted with the PAN:

  – Cardholder Name,
  – Service Code,
  – Expiration Date.
MSSEI:

1. Notice-triggering information
     High Confidentiality – apply all protective measures listed in Attachment A

2. Payment Card Industry Data
     May not be stored without explicit approval from UC Berkeley Billing and Payment Services
Compliance:

  Departmental Security Contact Policy
  Guidelines and Procedures for Blocking Network Access
  Security Incident Response Procedures
Departmental Security Contact Policy

To implement this policy, each department
needs to appoint a security contact and one or
more backup contacts. Departments may agree
to share contacts for efficiency. …

Contacts need to have some familiarity with the
computers in their department and be able to
determine who a responsible technical person is;
it is not necessary for the contact to have
extensive security expertise.
Guidelines and Procedures for Blocking Network Access

When computers pose a serious risk to campus
information system resources or the Internet,
their network connection may be blocked.

If the threat is immediate, the offending
computer(s) will be blocked immediately and
notification will be sent to the departmental
security contact(s) via email that the block has
occurred.
 Security Incident Response Procedures
Berkeley Campus Plan Implementing UC Requirements
for Protection of Computerized Personal Information

     1.   Definitions
     2.   Responsibilities
     3.   Incident Response Process
     4.   Notification Procedures
     5.   Reporting Requirements

  Attachment A: Information Practices Act: Sections 1798.29,
    1798.82, 1798.84
  Attachment B: Revision to IS-3 to Cover SB 1386 Requirements
  Attachment C: Draft notification text for a 1386 breach
Security Incident Response Procedures

 Remove the threat.

 Preserve evidence.

 “Maybe” re-build the environment to resume
 operations.

 Determine whether a breach, then whether
 notification is required.
Security Incident Repercussions

  Very costly

  Very intrusive upon regular operations

  Damaging to the department or project, to the Berkeley Campus, to the University of California, to faculty, to staff
           Assistance:

   security@berkeley.edu
   Technical services and tools
   Implementing Guidelines
   Requests for Exception
Campus Minimum Security Standards

Implementing Guidelines:
1. Software patch updates: See the Software patch
   updates FAQ page, which includes examples of "non-
   compliant" operating systems. Also see instructions for:

     * Microsoft Windows Operating System
     * Linux/UNIX Operating System
     * Macintosh Operating System
2. Anti-virus software

     * Updating Firewall/Antivirus

3. Host-based firewall software

                etc., etc.
Campus Minimum Security Standards

Requests for Exception:
    Departments, units, or individuals who
    believe their environments require
    configurations that do not comply with the
    Minimum Standards may request
    exceptions to the Policies.
Data Security on Campus

Kate Riley
IT Security Analyst
IST-Application Services
Attacks

This campus receives millions of attacks per day:
  – Attempts to exploit unpatched systems
  – Attacks specific to application software
  – Phishing attacks
Motivation for Attacks

  Defacement
  Denial of Service
  Data Theft
Campus Offerings

  Restricted Data Management (RDM)
  Scanning Tools
    – AppScan
    – Nessus
  Aggressive IP Distribution (AID)
  You
Credit Card Data Security

  2005: Visa and MasterCard released Payment Card Industry: Data Security Standards (PCI:DSS 1.0)
  2008: New Standards (PCI:DSS 1.1) made compliance with standards even more challenging
  2009: PCI:DSS 1.2 just released

  University Cash-Handling Policy (BUS 49) requires that all campus merchants comply with PCI:DSS
Credit Card Data Security

General rules:

  – Will not capture or transmit the credit card number on the campus network
      Includes emails, spreadsheets, printers, etc.

  – Will not store credit card numbers electronically on campus in any device
Payment Card Industry Data Security Standards
PCI:DSS defines requirements for:
  – Building and maintaining a secure network
  – Protecting cardholder data
  – Maintaining a vulnerability management
    program
  – Implementing strong access control measures
  – Regularly monitoring and testing networks
  – Maintaining an information security policy
Payment Card Industry Data Security Standards

  PCI:DSS requires campus merchants to complete an annual self-assessment questionnaire to certify your compliance with security standards for your merchant type
PCI Merchant Types

There are four PCI:DSS Self-Assessment Questionnaires, depending on acceptance method
SAQ-B: Sample Compliance

Total: 26 questions similar to:

  – Is the card number masked when displayed?
  – Are policies, procedures and practices in place to preclude sending unencrypted card numbers by end-user messaging technologies (e.g., email, instant message, chat)?
  – Is access to system components and cardholder data limited to individuals with business need?
  – Are all paper and electronic media with cardholder data physically secure?
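Two of the SAQ-B questions above (masking the PAN when displayed, and keeping unencrypted card numbers out of email and other messaging), together with the deck's earlier general rule that card numbers must never be captured or transmitted on the campus network, including in emails and spreadsheets, are controls a department can back with an automated check. The Python below is an added example, not code from these slides or from UC Berkeley: it finds Luhn-valid runs of 13 to 19 digits in text, masks each one to its first six and last four digits, and reports where they occurred, so it can be run over outgoing mail, exported spreadsheets or help-desk tickets as a detective control. The digit-run pattern, the Luhn filter, the first-six/last-four mask (the most PCI DSS allows a masked PAN to show) and the sample lines are assumptions constructed for the example; the card numbers in the sample are the standard Visa and MasterCard test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not glued to other digits on either side (assumed pattern).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, star out the rest (assumed display rule)."""
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (matched_text, digits) for every Luhn-valid candidate in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            found.append((m.group(0), digits))
    return found


def scrub(text: str) -> Tuple[str, int]:
    """Replace every detected PAN with its masked form; return (scrubbed_text, count)."""
    count = 0

    def _repl(m: re.Match) -> str:
        nonlocal count
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)  # digit run that fails Luhn: leave untouched

    return _CANDIDATE.sub(_repl, text), count


# Constructed sample lines. Lines 0 and 3 carry the Visa and MasterCard test
# numbers; the phone number and the 16-digit order id fail the length or Luhn
# filter and must not be flagged.
SAMPLE_LINES = [
    "Please charge 4111 1111 1111 1111 exp 12/11 for the conference fee",
    "Call me at 510-555-0100 about the publication order",
    "Order id 1234567890123456 shipped to Optometry Clinic",
    "MC 5555-5555-5555-4444 name: J. Doe",
]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, masked_pan) for every PAN found, suitable for an alert report."""
    hits = []
    for idx, line in enumerate(lines):
        for _, digits in find_pans(line):
            hits.append((idx, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: PAN detected -> {masked}")
    for line in SAMPLE_LINES:
        print(scrub(line)[0])
```

The Luhn filter is what keeps a check like this usable: phone numbers, order ids and timestamps are mostly digit runs too, and without it the alert volume would swamp the real findings. Only the masked form is ever written out, so the report itself never becomes a new store of card numbers.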
SAQ-D: Sample Compliance

Total: 226+ questions cover the topics of:

  – Install and maintain a firewall configuration to protect data
  – Do not use vendor supplied passwords for system defaults and other
    security parameters
  – Protect stored cardholder data
  – Encrypt transmission of cardholder data across open, public networks
  – Use and regularly update anti-virus software or programs
  – Develop and maintain secure systems and applications
  – Restrict access to cardholder data by business need-to-know
  – Perform penetration testing at least once a year and after any
    significant infrastructure or application upgrade or modification
3rd Party Service Agreements
– Service providers are contractually
  required to adhere to the PCI:DSS
  requirements
– All campus credit card operations must
  have a written agreement that has been
  reviewed and approved by the campus
  business contract office
– No click-on agreements!
PCI Data Security Standards

  PCI:DSS requirements at:
    – https://www.pcisecuritystandards.org/

  Merchants complying with SAQ-C or SAQ-D may need quarterly network scans
    – The campus is working to limit the number of SAQ-C and SAQ-D merchants
        Reduces our exposure to risk
        Less costly for the merchant
Campus Certification Vendor

  The University contracted with Trustwave to host the questionnaires online and to conduct the scans
    – Via their online portal trustkeeper.net

  Each merchant department has a designated administrator who oversees PCI compliance for their merchant accounts
     Merchant Timeline - 2009
July-August:

1.   PCI:DSS Training
     •   PCI Administrators conduct PCI training
         with all staff handling credit card data


2.   Certify PCI:DSS Compliance
     •   PCI Administrators certify compliance via
         the trustkeeper.net portal
PCI:DSS Training

PCI:DSS Requirement 12.6
"Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security?"

  – 12.6.1 "Educate employees upon hire and at least annually"
  – 12.6.2 "Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures"
Certify PCI:DSS Compliance

  PCI administrator logs into existing merchant profile in trustkeeper.net
    – Contact Billing and Payment Services Office for PCI administrator changes
  Pays for the contract extension fee via departmental BluCard
  Completes and passes the appropriate PCI:DSS Self-Assessment Questionnaire
Consequences if not compliant

– Visa merchants are subject to fines, up to
  $500,000 per incident, for any merchant or
  service provider that is compromised and not
  compliant at the time of the incident
– FDMS may also impose fines or penalties
– The campus will no longer be able to self-
  certify; we will need to pay for qualified
  auditors to come on-site to document our
  compliance
– Managed response to any breach of sensitive
  data
Campus PCI:DSS Compliance

  Compliance must be documented annually with FDMS and UCOP

  Based on our campus-wide activity, the Controller's Office must file a formal 'Attestation of Compliance' with First Data Merchant Services annually

  If one merchant answers 'No' to one question, then the entire campus fails compliance
Campus Compliance Timeline - 2009

September:

  – Controller's Office files an 'Attestation of Compliance' with the University's bank

  If one merchant answers 'No' to one question, then the entire campus fails compliance
Other Credit Card Requirements

  Payment Application Data Security Standards (PA:DSS) applies to payment applications that are sold, distributed or licensed to third parties
    – Designed to help software vendors and others develop secure payment applications that:
        Do not store prohibited data (e.g., full magnetic stripe, CVV2 or PIN data)
        Ensure the payment application supports compliance with the PCI DSS
        Ensure software development processes for web-based applications follow secure coding practices
Other Credit Card Requirements

  University Cash-Handling Policy (BUS 49) requires that relationships with a third-party vendor to manage credit card acceptance be approved by UCOP Banking Services
    – The third party's background, capabilities, financial condition and references are reviewed
    – Contract agreements are required to meet minimum levels of protection, regulatory compliance, insurance, bonding, and accurate/timely handling of credit card data as outlined in University policy BUS-49
Obtaining PCI Compliance

(diagram) The question asked at each point of the payment flow, from paper records through the department system to the gateway:
  – Are paper records PCI compliant?
  – If we control this connection, is it PCI compliant?
  – Is the server PCI compliant? Is the application PCI compliant?
  – Is this connection PCI compliant?
  – PCI compliant UCB Pre-Approved Gateways
  – PCI compliant
PCI Compliance Timeline - 2009

July-August:

  – Campus departments conduct PCI training with all staff handling credit card data
  – PCI Administrators obtain and document compliance via the trustkeeper.net portal

September:

  – Controller's Office files an 'Attestation of Compliance' with the University's bank
Resources/References

  VISA's List of PCI:DSS Compliant Applications
    http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

  PA:DSS Qualified Applications
    https://www.pcisecuritystandards.org/security_standards/vpa/

  PCI:DSS
    https://www.pcisecuritystandards.org
         Resources/References
   UC Cash-Handling Policy: BUS 49
    http://www.ucop.edu/ucophome/policies/bfb/bus49.pdf


   UCB Minimum Security Standards
    https://security.berkeley.edu/MinStds/
             Contacts
Kim Ray
merchantsupport@berkeley.edu

Karen Eft
itpolicy@berkeley.edu

Technical Questions
security@berkeley.edu