
PCI Compliance Information
Chris Hobbs, State of Nebraska Information Security Officer, Office of the CIO

Agenda:
What is PCI / DSS?
What are the definitions I need to be concerned with?
How is Nebraska set up?
What do I need to submit?
Resources

PCI / DSS
Payment Card Industry / Data Security Standard: a framework of specifications, tools, measurements, and support resources to help agencies ensure the safe handling of cardholder information.

PCI / DSS
Who makes up the PCI Security Standards Council?
The Security Standards Council is a global forum, started in 2006, made up of five payment brands: American Express, Discover, JCB International, MasterCard and Visa.

Definitions

Definitions
Merchant: any entity that accepts payment cards of the five members of the PCI Security Standards Council as payment for goods or services.
Examples: DMV, Revenue, Game and Parks

Definitions
Service Provider: any entity that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
Examples: Treasurer’s Office, Office of the Chief Information Officer, Nebraska.Gov

State of Nebraska Organization
The Treasurer’s Office holds a contract with First National Bank and TSYS to process credit cards and is responsible for reporting PCI compliance.
The Office of the Chief Information Officer is responsible for ensuring and verifying PCI compliance on the State’s network.

Requirements of PCI Compliance
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel

What do I need to Submit?
The following should be submitted to the Treasurer’s Office:
Specific Self Assessment Questionnaire (SAQ)
Signed Certification Letter
Signed Attestation

What do I need to Submit?
Fill out Self Assessment Questionnaire A (SAQ A) if:
The payment card is not present: the agency has no physical acceptance of credit cards from cardholders, only e-commerce transactions, phone call transactions or Interactive Voice Response Unit (IVR) transactions.
No cardholder data touches or is accessed on the agency’s systems; the cardholder data is handled and processed by parties such as Nebraska.gov, PayPal Host Based Gateway, Official Payments or Trust Commerce Host Based Gateway.

What do I need to Submit?
Fill out Self Assessment Questionnaire B (SAQ B) if:
The agency only imprints the physical card with a “knuckle buster” or imprinter, with imprinted card receipts as the only records.
The agency only uses a credit card terminal or “reader” to process card-swiped or key-entered credit card sales.
There is no electronic storage of credit card data on computers or the agency network.
Copies of sales slips and credit card machine batch reports are saved in a secure location.

What do I need to Submit?
Fill out Self Assessment Questionnaire C (SAQ C) if:
The agency has a payment application connected to the internet that processes credit card data for sales.
The payment application does not retain any credit card data after the credit card transaction is processed.

What do I need to Submit?
Fill out Self Assessment Questionnaire C-VT (SAQ C-VT) if:
The agency uses a web/internet virtual terminal (or terminals) to process credit card sales.
Examples of a web/internet virtual terminal include the PayPal Gateway, PayFuse Gateway, Trust Commerce Gateway and other web/internet gateways.

What do I need to Submit?
Fill out Self Assessment Questionnaire D (SAQ D) if:
The agency does not fit into any of the previous categories (A, B, C, or C-VT).

More Information
PCI Website: www.pcisecuritystandards.org
Chris Hobbs: [email protected]
Charles Luginbill: [email protected]
Char Scott: [email protected]

Questions?
Chris Hobbs
[email protected]
