Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012 SAQ Training At the conclusion of this training, merchant managers should be able to do the following: – Understand the scope of your cardholder data environment – Understand how to complete the SAQ – Understand what the Attestation means – Understand how to accurately answer the SAQ questions – Understand what to do if you are not PCI DSS compliant – Understand resources available for assistance – Complete your SAQ What is PCI DSS? The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. (https://www.pcisecuritystandards.org/merchants/) PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data. (PCI DSS Quick Reference Guide; Understanding the Payment Card Industry Data Security Standard version 2.0, page 6) Why is PCI DSS important? A breach or compromise of payment card data has far-reaching consequences, such as: Regulatory notification requirements, Loss of reputation, Loss of customers, Potential financial liabilities (fees and fines), Litigation, and Denial of the University’s privilege to accept certain cards (Visa, MasterCard, American Express, Discover) What is an SAQ? The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool to allow merchants to self-evaluate compliance with the Payment Card Industry Data Security Standards (PCI DSS). The SAQ consists of two primary components: 1. Questions about your account that correlate with the 12 PCI DSS requirements. 2. An Attestation of Compliance; your self-certification that you have assessed your unit’s compliance as required in your SAQ form and identified action plans to address areas of non-compliance. SAQs come in several forms based on how a merchant processes, transmits and stores cardholder data. Most University accounts use an SAQ-A, B or D. SAQ completion is required annually by our acquiring bank and card brands. The Standards: 6 Sections; 12 Requirements Build and Maintain a Secure Network Implement Strong Access Control Measures 1: Install and maintain a firewall 2: Do not use vendor defaults 7: Business need-to-know 8: Assign a unique ID to each person 9: Restrict physical access Protect Cardholder Data 3: Protect stored data 4: Encrypt transmission of data Maintain a Vulnerability Management Program 5: Use anti-virus software 6: Secure systems and applications Regularly Monitor &Test Networks 10: Track and monitor access 11: Regularly test security Information Security Policy 12: Maintain a policy SAQ-A: 13 questions from Requirements 9 & 12 SAQ-B: 29 questions from Requirements 3,4,7,9, & 12 SAQ-D : 240+ questions across all 12 Requirements Annual SAQ Process 1. Determine the scope of the review. Go over your department operations and systems with regard to accepting payment cards. This assessment of your “cardholder data environment” helps you to accurately identify the appropriate scope for your review. Document your process to determine scope. Consider, for example: • Where do you take cards? (e.g., multiple locations, front desk, internet) • How do you take cards? (e.g., swipe terminal, Authorize.net, fax, phone, inperson) • Who touches cards and cardholder data? • Is the data recorded anywhere? • Where does it go? 2. Review unit payment card policy & procedures– take a look at your business process involving payment cards. • • Has your business process changed in the last year? Are your policies in agreement with PCI DSS and/or University policy? Annual SAQ Process (continued) 3. Complete Annually-Required University Forms Merchant manager (Form UM 1624) Required for all departments that have a University of Minnesota Payment Card Account. Employee Non-disclosure (Form UM 1623) Required for all employees involved in payment transactions who may have access to confidential cardholder data including card numbers, expiration dates or demographic cardholder information. Hosted Payment Card Account Desktop Usage Agreement (Form UM 1705) – SAQ-A only Required for departments that outsource all cardholder data functions to an approved University of Minnesota on-line, hosted payment gateway that the department manages through a passwordprotected website provided by the payment gateway service provider. This annual agreement sets out the requirements that allow the department to access the password-protected website without establishing a secure desktop. 4. Completion of the SAQ & Attestation SAQ-D SPECIAL INSTRUCTIONS In 2012 you are required to complete an SAQ-D… 1. …Unless you qualify to complete the 13-question SAQ-A because you outsource all cardholder data functions to a third party service provider (e.g. Authorize.net). Note: If you use Authorize.net but also take credit cards in person, via fax, phone, mail, or any other means, and process via the Authorize.net virtual terminal, no matter how infrequently, you must complete an SAQ-D.* 2. …Unless you qualify to complete the 29-question SAQ-B because you only process credit cards using a standalone dial-out terminal that is connected to a phone line or cellular line. If the standalone terminal is connected to the Internet, you must complete an SAQ-D. *Note: If most of your transactions go through Authorize.net but you accept a small number of fax or telephone orders, one option is to open a second merchant account and use a swipe terminal for those transactions. You would then have one SAQ-A account (fully outsourced to Authorize.net) and one SAQ-B account (swipe terminal). Completing Your SAQ 1. Answer each question in your SAQ and SAVE it (the form does not autosave responses) “Yes” means you are fully compliant with this item “No” indicates your are not compliant with this item. Each “no” must have a corresponding entry in either: Part 4 “Action Plan for Non-Compliance” to describe your remediation plan for compliance, or Appendix C “Compensating Controls” to describe how you meet the requirement in a different way “NA” means the item does not apply in your situation. Use Appendix D to describe why each “NA” item is non-applicable (required). 2. Complete, print and sign the Attestation page; scan and save an electronic copy. 3. Email the completed SAQ and Attestation to email@example.com Action Plan • For each area of non-compliance there MUST be a corresponding Action Plan to to meet the requirement. – – – • Describe the next steps you will take on the path to compliance. Summarize the Action Plan. Include a target date to achieve remediation. Examples: – – – We do not have a cross-cut shredder but will use the one in the office down the hall until we buy our own. We will purchase and install cross-cut shredder, and train staff on use and handling of payment cards and disposal of sensitive information by September 30, 2012. Compliance remediation is in process; expect completion by July 31, 2012 Will review current practices to identify & address gaps; will design and deliver training on new procedures by October 31, 2012 Compensating Controls • Wherever you comply with the requirements through a means different from the method described in the SAQ, you MUST describe the “compensating control” in Appendix C. • Use one page for each requirement for which you use a compensating control. • Compensating controls must meet the intent of the specific Requirement. Thus another SAQ Requirement may not be used as a compensating control. Compensating controls are infrequently used at the University. . • Non-Applicability • For each NA response you mark in your SAQ, you MUST provide a descriptive reason why the requirement does not apply to your account. • The description may be as simple as: – – – • Data is not shared with service providers. Containers are not used to temporarily store paper to be shredded. Cross-cut shredder is used to immediately shred documents no longer needed. No media is sent via courier. Use additional pages if necessary. What is an Attestation? • An attestation clause is frequently found in legal documents that must be witnessed to be valid, such as signatures by those who “bear witness to the authenticity” of a will or a deed. • When a merchant makes an Attestation of Compliance they are, in essence, "bearing witness to the authenticity" of the SAQ - in other words the merchant is affirming the SAQ was completed to the best of the merchant’s ability or in collaboration with colleagues who the merchant reasonably believes responded to the best of their ability. • It means the merchant thought through each requirement, when needed sought assistance to understand and accurately respond, and believes the SAQ accurately reflects their account. The merchant didn't just check the boxes. Attestation • Complete ALL sections, except for 1b • Part 2 use only – Retailer – E-commerce – Mail order/phone order • Part 2a – If you use Authorize.net or a similar gateway they are a 3rd party. – Most of the University uses Wells Fargo as the acquirer. Contact Accounts Receivable Services if you believe you work with more than one acquirer. Part 2b – Complete as applicable to your account • Attestation • Part 3 - PCI DSS Validation – If you check ‘Non-Compliant’ be sure to include remediation Action Plans in Part 4 (following your signature) • Part 3a – You must confirm and attest to all five statements. • Part 3b – Print, sign, scan, email Common PCI DSS violations: • • • • • • • • • Storage of magnetic stripe data (Req 3.2) Inadequate access controls (Reqs 7.1, 7.2, 8.2 and 8.3) Default system settings/passwords not changed (Req 2.1) Unnecessary services not removed (Reqs 2.2.2 and 2.2.4) Poorly coded web applications (Req 6.5) Missing and outdated security patches (Req 6.1) Lack of logging (Req 10) Lack of monitoring (Reqs 10.6, 11.2, 11.4 and 11.5) Poor network segmentation (Reqs 1.2, 1.3 and 1.4) Resources Controller’s Office website : Training presentations & links to resources Accounts Receivable Services for process or general form questions – firstname.lastname@example.org or 612-625-2392 OITSEC: Send technical questions to email@example.com University’s Payment Card Policy Two helpful documents provided by the PCI Security Standards Council: Navigating PCI DSS: Understanding the Intent of the Requirements describes how & why the requirements are relevant to your payment card process. Requirements & Security Assessment Procedures provides guidance to determine if you have met a requirement.