Payment Card Industry Compliance Update Presentation Transcript
Penn’s Compliance with Payment Card Industry (PCI) Standards February 7, 2007
Gregory Tausz, Sr. Director of Finance, Office of the EVP
PCI Best Practices and Policy
Bill Kasenchar, Sr. IT Project Leader, ISC
Gary Truhlar, Exec. Director, HR
Conference Services On-Line Registration
Jeff Barta, Director of Sales and Marketing, Business Services
Types of Data
Social Security Number
Credit Card Data
Email / Other Electronic Data
More than 80 data-theft incidents at colleges and universities over the past two years (1)
Ohio University - holds the record in higher education for sheer number of files that were compromised. Vast computer-security breach of social security data. 367,000 files on students, staff, and alumni exposed to hackers over a 13-month period.
University of Southern California - whose applications database containing files on 270,000 people was hacked in July 2005.
University of Texas at Austin - electronic break-in at the business school in April exposed 197,000 files containing biographical information on students, alumni, and staff members.
University of Kentucky - disclosed that Social Security numbers of 6,500 current or former students were stored on a portable device, called a thumb drive, that had been stolen from a faculty member.
Western Illinois University - hacker may have copied Social Security or credit-card numbers of 200,000 to 240,000 current or former students. The credit cards had been used to purchase textbooks online or for stays in a university hotel.
(1) Source: Chronicle of Higher Education, 9/29/06
PennKey: Ensures that passwords no longer pass over the network in clear text (reducing the likelihood of their being compromised); reduces the visibility of social security numbers in core administrative systems and applications.
Records clean up
SPIA – Security and Privacy Risk Assessment - evaluation of electronic information risk in business systems
Payment Card Industry Compliance Initiative
Under what circumstances does Penn accept credit cards?
Annenberg – performances
Athletics – ticket sales
Retail – BSD (e.g. Computer Connection)
Services – Dental and Veterinary Services
Student related – tuition and fee payments
Executive Education – course enrollment
Fund raising – annual fund
Risks associated with accepting credit cards?
Theft of credit card number
Future revenue impact
Payment Card Industry Data Security Compliance Best Practices, Processes and Policy
Payment Card Industry Initiative
University’s security compliance initiative to minimize credit card fraud risks.
Effort led by ISC and the Treasurer, along with HR, Office of the General Counsel and the Schools and Centers affected.
Regulated by an industry body that includes all major credit card companies (e.g. Visa, Mastercard, American Express, etc).
Policies apply to any company that transmits or processes credit or debit card information. Scope includes credit card data collected both on-line (online card services) and in person at point-of-sale (POS) terminals.
Visa and Master Card announce the Payment Card Industry Data Security Standard , also endorsed by Amex, Diners Club and Discover
Requirements include firewalls, encryption, two-factor authentication, anti-virus software, and regular audits by independent, certified vendors (e.g. PwC, Verisign)
Original Compliance date
Penalties for non-compliance: According to Visa/MC, if we are compromised and not compliant, then fines of up to $500,000 per incident
March 1, 2007
Penn Compliance date
125 merchant accounts across 26 schools and centers
The university currently is 89% compliant (111 of 125).
Our report on compliance is required (by Paymentech) to be an aggregate self-assessment that includes all university and UPHS merchant accounts
Our goal is to provide our report on compliance to Paymentech in February
UPHS has contacted all their account holders and is completing their remediation effort. It is unclear at this time if they will be able to meet our goal.
Treasurer’s web site has been modified to reflect compliant processes and best practices.
Merchant Accounts by School/Center
Best Practices - Don’ts
Do not send credit card data via e-mail
Do not store track data from credit cards
Do not use any wireless network to transmit or view credit card data
Do not store credit card data
Do not use a POS terminal on a VoIP telephone line
Best Practices – Do’s
Train your staff in the appropriate security procedures for handling credit card data
Configure POS machines to not store credit card data. The full 16-digit card number must not appear on any receipt or end-of-day summary; show no more than the last four digits
Use Payflow Link (Verisign's hosted payment page) for e-commerce transactions, so that card numbers are entered on the vendor's site rather than on a Penn server
Transfer security risk to Verisign or another compliant third-party vendor
Shred any paper containing credit card numbers immediately following processing. Only the transaction ID is required to handle disputes or credits/refunds
Structure any paper forms so that the credit card data can be removed (perforation at bottom of page) and shredded immediately following processing and then the other bio/demo data can be retained for business purposes without restriction
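The two rules above that a merchant can actually check by machine are "do not store track data" and "the full card number must not appear on a receipt or summary". The following is an added example, not code from the presentation or from Penn, showing how a scan of receipt printouts, end-of-day summaries or mailbox exports can find both: it looks for 13-19 digit runs that pass the Luhn check (so order numbers and phone numbers are not flagged), for magnetic-stripe track data in the ISO 7813 layout (Track 1 starts with `%B`, Track 2 with `;`), and it rewrites what it finds so only the last four digits survive. The sample text and the card numbers in it are constructed for the example (4111 1111 1111 1111 is a standard test number, not a real account). Findings are reported already masked, so the scanner does not itself create a new store of cardholder data.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (the lookarounds reject 20+ digit runs).
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
# ISO 7813 track data: Track 1 "%B<PAN>^<NAME>^<YYMM>...?", Track 2 ";<PAN>=<YYMM>...?"
TRACK1_RE = re.compile(r'%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?')
TRACK2_RE = re.compile(r';(\d{13,19})=\d{4}[^?]*\?')


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form allowed on a receipt: last four digits only."""
    return '*' * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the digit strings of every Luhn-valid candidate PAN in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_track_data(text: str) -> list:
    """Return (kind, pan) for every Track 1 / Track 2 record in text."""
    found = [('track1', m.group(1)) for m in TRACK1_RE.finditer(text)]
    found += [('track2', m.group(1)) for m in TRACK2_RE.finditer(text)]
    return found


def scan_lines(text: str) -> list:
    """Per-line findings as (line_no, kind, masked_pan); never the full PAN."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pan in find_track_data(line):
            findings.append((n, kind, mask_pan(pan)))
        for pan in find_pans(line):
            findings.append((n, 'pan', mask_pan(pan)))
    return findings


def redact(text: str) -> str:
    """Remove track data outright, then mask any remaining Luhn-valid PAN."""
    text = TRACK1_RE.sub('[TRACK1 DATA REMOVED]', text)
    text = TRACK2_RE.sub('[TRACK2 DATA REMOVED]', text)

    def _mask(m):
        digits = re.sub(r'[ -]', '', m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()

    return PAN_RE.sub(_mask, text)


# Constructed sample: what a leaked receipt or mailbox export might look like.
SAMPLE = """Subject: registration payment
Card: 4111 1111 1111 1111 exp 12/27
Order ref: 8812-4411-99 (this is not a card number)
Phone: 215-898-9319
POS dump: ;4111111111111111=27121011000012345678?
Receipt total $45.00 auth 123456
"""

if __name__ == '__main__':
    for finding in scan_lines(SAMPLE):
        print(finding)
    print(redact(SAMPLE))
```

The order number and the phone number are below the 13-digit floor and are never considered; a 16-digit run that fails Luhn is left alone, which keeps the false-positive rate low enough to run this over whole mail spools. Running it against a POS terminal's end-of-day export is a quick way to confirm the terminal really was configured not to print or store the full number.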
Best Practices – Processes
Make sure you read the treasurer’s web site at: (http://www.finance.upenn.edu/treasurer/cashman/ccprocessing.shtml) prior to requesting a merchant account
Make sure that anyone who may want to set up a merchant account goes through the proper channels within your organization prior to contacting the treasurer’s office.
Make sure that anyone who will come in contact with credit card data has signed off that they have read and understand Penn data security policies.
Make sure a background check is done for all new hires who will handle credit card data (PIQ and HR Manager have been updated to reflect this requirement)
Contractually obligate vendors to accept compliance and liability responsibility and vet the contract through OGC prior to signing
Become familiar with Information Security’s ‘Incident Response Plan’ and all Information Security policies at http://www.upenn.edu/computing/policy/index.html#security
Be aware of the PCI standard at http://www.pcisecuritystandards.org/
Background Check History
In January 2001, the University implemented a prototype criminal background check program for new staff hired in the:
Executive Vice President’s divisions
Engineering & Applied Sciences
Additional units participating:
School of Medicine
College of Arts & Sciences
Units reporting to the Provost
Computing jobs across the University
Approximately 66% of the academic staff positions are covered by the current background check policy
Who Performs the Check?
A Division of Automatic Data Processing (ADP)
University’s sole-source provider
Federal law precludes University Police from conducting routine background checks
Background checks are initiated by Recruitment & Staffing through the ADP web site
What checks will be run?
Social security number check
Criminal records search
Criminal convictions only
Arrests are blocked and not considered
Credit check, for those handling cash or credit card data
PCI – Background Check Guidelines
“Screen potential employees to minimize the risk of attacks from internal sources.”
“Inquire of Human Resource department management and verify that background checks are conducted (within the constraints of local laws) on potential employees who will have access to cardholder data or the cardholder data environment.” (Security Audit Procedures v1.1)
PCI Background Checks
Required under PCI Standards
“The primary focus of the PCI Security Standards is to help merchants improve the safekeeping of cardholder information by tightening their overall security standards, which in turn reduces their chances of experiencing security breaches, fraud, and potential catastrophic financial losses.”
Effective 1/01/2007 for new Penn hires only (not existing staff, transfers, etc.)
HR Hiring Issues – Credit Card Responsibilities
Properly document job responsibilities in PIQs
Job Posting must notify of Background Check
Complete Background Check form, including selecting “Credit Check”
HR Manager will be modified to automate the credit card posting process
Conference Services On-line Registration
Evolution
In collaboration with ISC’s PCI Team, Conference Services is compliant with PCI standards developed for web-based transactions
- Setup, hosting, and maintenance are managed by Seattle Technology Group, Inc. on their secure servers
- Payments are securely processed via a PayFlow Pro account
- Registrants enter their conference registration information and submit their payment using 128-bit SSL
Basic Features
- Require a payment in order to submit a registration for any or all conferences, or make payment optional
- All registration and event charges are automatically calculated and displayed to the registrants, and payments are securely processed and immediately displayed on a confirmation web page
- Registration and/or payment confirmations can be automatically e-mailed to registrants
Details
In January 2007, Conference Services made this application available to the entire University community
- For schools/centers/departments who require occasional-use merchant accounts
- A customizable web-based Event Management application that both facilitates the collection of customer data relative to an event and supports processing of web-based credit card payments
- Conference Services facilitates journaling payments to the general ledger and to individual departmental accounts, thereby reducing the time and expense of setting up one-use merchant accounts
- Reduces the overall number of merchant accounts the University maintains
- Can be used as a stand-alone web application or embedded into an existing web application tailored to a specific conference offered
Contact Jeff Barta in Conference Services for more information at 215-898-9319 or firstname.lastname@example.org
Web site: www.destinationpenn.com/merchantaccount (work in progress)