Payment Card Industry Compiance Update


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Payment Card Industry Compiance Update

  1. 1. Penn’s Compliance with Payment Card Industry (PCI) Standards February 7, 2007
  2. 2. PCI Overview <ul><li>Data Security </li></ul><ul><ul><li>Gregory Tausz, Sr. Director of Finance, Office of the EVP </li></ul></ul><ul><li>PCI Best Practices and Policy </li></ul><ul><ul><li>Bill Kasenchar, Sr. IT Project Leader, ISC </li></ul></ul><ul><li>Background Checks </li></ul><ul><ul><li>Gary Truhlar, Exec.Director, HR </li></ul></ul><ul><li>Conferences Services On-Line Registration </li></ul><ul><ul><li>Jeff Barta, Director of Sales and Marketing, Business Services </li></ul></ul>
  3. 3. Information Security <ul><li>Types of Data    </li></ul><ul><ul><li>Social Security Number </li></ul></ul><ul><ul><li>Credit Card Data </li></ul></ul><ul><ul><li>Health Information </li></ul></ul><ul><ul><li>Credit Information </li></ul></ul><ul><ul><li>Student Records </li></ul></ul><ul><ul><li>Employee Records </li></ul></ul><ul><ul><li>Alumni Information </li></ul></ul><ul><ul><li>Email / Other Electronic Data   </li></ul></ul><ul><li>  </li></ul>
  4. 4. More than 80 data-theft incidents at colleges and universities over the past two years (1) <ul><li>Ohio University - holds the record in higher education for sheer number of files that were compromised. Vast computer-security breach of social security data. 367,000 files on students, staff, and alumni exposed to hackers over a 13-month period. </li></ul><ul><li>University of Southern California - whose applications database containing files on 270,000 people was hacked in July 2005. </li></ul><ul><li>University of Texas at Austin - electronic break-in at the business school in April exposed 197,000 files containing biographical information on students, alumni, and staff members. </li></ul><ul><li>University of Kentucky - disclosed that Social Security numbers of 6,500 current or former students were stored on a portable device, called a thumb drive, that had been stolen from a faculty member. </li></ul><ul><li>Western Illinois University - hacker may have copied Social Security or credit-card numbers of 200,000 to 240,000 current or former students. The credit cards had been used to purchase textbooks online or for stays in a university hotel. </li></ul>(1) Source: Chronicle for Higher Education, 9/29/06
  5. 5. Select Actions Taken to Reduce Theft of Data <ul><li>ISC </li></ul><ul><ul><li>Monitors virus activity, installs security patches. </li></ul></ul><ul><ul><li>PennKey: Ensures that passwords no longer pass over the network in clear text (reducing their likelihood to be comprised); reduce the visibility of social security numbers in core administrative systems and applications. </li></ul></ul><ul><li>Records clean up </li></ul><ul><li>SPIA – Security and Privacy Risk Assessment - evaluation of electronic information risk in business systems </li></ul><ul><li>Payment Card Industry Compliance Initiative </li></ul>
  6. 6. Under what circumstances does Penn accept credit cards? <ul><li>Annenberg – performances </li></ul><ul><li>Athletics – ticket sales </li></ul><ul><li>Retail – BSD (e.g. Computer Connection) </li></ul><ul><li>Services – Dental and Veterinary Services </li></ul><ul><li>Student related – tuition and fee payments </li></ul><ul><li>Executive Education – course enrollment </li></ul><ul><li>Fund raising – annual fund </li></ul>
  7. 7. Risks associated with accepting credit cards? <ul><li>Theft of credit card number </li></ul><ul><li>Reputational risk </li></ul><ul><li>Legal actions </li></ul><ul><li>Future revenue impact </li></ul>
  8. 8. Payment Card Industry Data Security Compliance Best Practices, Processes and Policy
  9. 9. Payment Card Industry Initiative <ul><li>University’s security compliance initiative to minimize credit card fraud risks. </li></ul><ul><li>Effort led by ISC and the Treasurer, along with HR, Office of the General Counsel and the Schools and Centers affected. </li></ul><ul><li>Regulated by an industry body that includes all major credit card companies (e.g. Visa, Mastercard, American Express, etc). </li></ul><ul><li>Policies apply to any company that transmits or processes credit or debit card information. Scope includes credit card collected both on-line (online card services) and in-person at point-of-sale (POS) terminals. </li></ul>
  10. 10. Timeline <ul><li>January 2005 </li></ul><ul><ul><li>Visa and Master Card announce the Payment Card Industry Data Security Standard , also endorsed by Amex, Diners Club and Discover </li></ul></ul><ul><ul><ul><li>Requirements include firewalls, encryption, two-factor authentication, anti-virus software, and regular audits by independent, certified vendors (e.g. PwC, Verisign, etc.) </li></ul></ul></ul><ul><li>June 2005 </li></ul><ul><ul><li>Original Compliance date </li></ul></ul><ul><ul><ul><li>Penalties for non-compliance: According to VISA/MC: if we are compromised and not compliant, then fines up to $500,000 per incident </li></ul></ul></ul><ul><li>March 1, 2007 </li></ul><ul><ul><li>Penn Compliance date </li></ul></ul>
  11. 11. Schools/Centers Affected <ul><li>125 merchant accounts across 26 schools and centers </li></ul><ul><li>Remediation Summary </li></ul><ul><ul><li>The university currently is 89% compliant (111 of 125). </li></ul></ul><ul><ul><li>Our report on compliance is required (by Paymentech) to be an aggregate self-assessment that includes all university and UPHS merchant accounts </li></ul></ul><ul><ul><ul><li>Our goal it to provide our report on compliance to Paymentech in February </li></ul></ul></ul><ul><ul><ul><li>UPHS has contacted all their account holders and is completing their remediation effort. It is unclear at this time if they will be able to meet our goal. </li></ul></ul></ul><ul><ul><li>Treasurer’s web site has been modified to reflect compliant processes and best practices. </li></ul></ul>
  12. 12. Merchant Accounts by School/Center
  13. 14. Best Practices - Don’ts <ul><li>Do not send credit card data via e-mail </li></ul><ul><li>Do not store track data from credit cards </li></ul><ul><li>Do not use any wireless network to transmit or view credit card data </li></ul><ul><li>Do not store credit card data </li></ul><ul><li>Do not use a POS terminal on a VOIP telephone line </li></ul>
  14. 15. Best Practices – Do’s <ul><li>Train your staff in the appropriate security procedures for handling credit card data </li></ul><ul><li>Configure POS machines to not store credit card data. The full 16 digit credit card number shouldn’t appear on any receipt or end of day summary </li></ul><ul><li>Use payflow link for e-commerce transactions </li></ul><ul><ul><li>Transfer security risk to Verisign or a compliant third party vendor </li></ul></ul><ul><li>Shred any paper containing credit card numbers immediately following processing. Only the transaction id is required to handle disputes or credits/refunds </li></ul><ul><li>Structure any paper forms so that the credit card data can be removed (perforation at bottom of page) and shredded immediately following processing and then the other bio/demo data can be retained for business purposes without restriction </li></ul>
  15. 16. Best Practices – Processes <ul><li>Make sure you read the treasurer’s web site at: ( prior to requesting a merchant account </li></ul><ul><li>Make sure that anyone that may want to set up a merchant account goes through the proper channels within your organization prior to contacting the treasurer’s office. </li></ul><ul><li>Make sure that anyone that will come in contact with credit card data has signed off that they read and understand Penn data security policies. </li></ul><ul><li>Make sure a background check is done for all new hires that will handle credit card data (PIQ and HR Manager have been updated to reflect this requirement) </li></ul><ul><li>Contractually obligate vendors to accept compliance and liability responsibility and vet the contract through OGC prior to signing </li></ul><ul><li>Become familiar with Information Security’s ‘Incident Response Plan’ and all Information Security policies at </li></ul><ul><li>Be aware of the PCI standard at </li></ul>
  16. 17. Background Checks
  17. 18. Background Check History <ul><li>In January 2001, the University implemented a prototype criminal background check program for new staff hired in the: </li></ul><ul><ul><li>Executive Vice President’s divisions </li></ul></ul><ul><ul><li>Engineering & Applied Sciences </li></ul></ul><ul><ul><li>University Museum </li></ul></ul><ul><li>Additional units participating: </li></ul><ul><ul><li>School of Medicine </li></ul></ul><ul><ul><li>Wharton </li></ul></ul><ul><ul><li>College of Arts & Sciences </li></ul></ul><ul><ul><li>Units reporting to the Provost </li></ul></ul><ul><ul><li>Computing jobs across the University </li></ul></ul><ul><li>Approximately 66% of the academic staff positions are covered by the current background check policy </li></ul>
  18. 19. Who Performs the Check? <ul><li>A Division of Automatic Data Processing (ADP) </li></ul><ul><ul><li>Why ADP? </li></ul></ul><ul><ul><li>University’s sole source provider </li></ul></ul><ul><li>Federal law precludes University Police from conducting routine background checks </li></ul><ul><li>Background checks are initiated by Recruitment & Staffing through the ADP web site </li></ul>
  19. 20. What checks will be run? <ul><li>Social security number check </li></ul><ul><li>Criminal records search </li></ul><ul><ul><li>Criminal convictions only </li></ul></ul><ul><ul><li>Arrests are blocked and not considered </li></ul></ul><ul><li>Credit Check </li></ul><ul><ul><li>For those handling cash or credit card data </li></ul></ul>
  20. 21. PCI – Background Check Guidelines <ul><li>“ Screen potential employees to minimize the risk of attacks from internal sources.” </li></ul><ul><li>“ Inquire of Human Resource department management and verify that background checks are conducted (within the constraints of local laws) on potential employees who will have access to cardholder data or the cardholder data environment.” (Security Audit Procedures v 1.1) </li></ul>
  21. 22. PCI Background Checks <ul><li>Required under PCI Standards </li></ul><ul><ul><li>“ The primary focus of the PCI Security Standards is to help merchants improve the safekeeping of cardholder information by tightening their overall security standards, which in turn reduces their chances of experiencing security breaches, fraud, and potential catastrophic financial losses.” </li></ul></ul><ul><li>Effective 1/01/2007 for new Penn hires only ( not existing staff, transfers, etc.) </li></ul>
  22. 23. HR Hiring Issues – Credit Card Responsibilities <ul><li>Properly document job responsibilities in PIQ’s </li></ul><ul><li>Job Posting must notify of Background Check </li></ul><ul><li>Complete Background Check form, including selecting “Credit Check” </li></ul><ul><li>HR Manager will be modified to automate Credit Card Posting Process </li></ul>
  23. 24. Conference Services On-line Registration
  24. 25. Evolution In collaboration with ISC’s PCI Team, Conference Services is compliant with PCI standards developed for web-based transactions -Setup, hosting, and maintenance is managed by Seattle Technology Group, Inc. on their secure servers -Payments are securely processed via a PayFlow Pro account -Registrants enter their conference registration information and submit their payment using 128bit SSL Basic Features -Require a payment in order to submit a registration for any or all conferences, or make payment optional -All registration and event charges are automatically calculated/displayed to the registrants and payments are securely processed/immediately displayed on a confirmation web page -Registration and/or payment confirmations can be automatically emailed to registrants
  25. 32. Details In January 2007, Conference Services made this application available to the entire University community -For schools/centers/departments who require occasional use merchant accounts -A customizable web-based Event Management application that both facilitates the collection of customer data relative to an event and supports processing of web-based credit card payments -Conference Services facilitates journaling payments to the general ledger and to individual departmental accounts, thereby reducing time and expense of setting up one-use merchant accounts -Reduces the overall number of merchant accounts the University maintains -Can be used as a stand alone web application or embedded into an existing web application tailored to a specific conference offered. Contact Jeff Barta in Conference Services for more information at 215-898-9319 or Web site: (work in progress)
  26. 33. Questions?