PCIDSS - PowerPoint PPT Presentation

Provided by: sue8234

Transcript and Presenter's Notes


1
PCI-DSS
  • Institute of Fundraising
  • 8th October 2008
  • Sue Maccabe

2
Format
  • PCI-DSS Overview
  • - What it is
  • - How compliance works
  • Considerations for charities
  • - Technical requirements
  • - Business areas

3
What is PCI-DSS?
  • A data security standard
  • For the handling of payment card data
  • To increase security and reduce risk of fraud
  • Developed by the Payment Card Industry
  • Controlled by the PCI Security Standards Council
  • First issued in 2004, latest version Oct 2008

4
What is PCI-DSS?
  • Compliance is compulsory
  • Power to suspend card services and/or levy fines
  • Two key principles for business processes
  • - Covers electronic and hard copy card data
  • - Storage of security codes not permitted

5
Compliance
  • Merchants defined by 4 levels
  • Based on annual volume of card transactions
  • Level 1: >6m transactions pa
  • Level 2: 1-6m transactions pa
  • Level 3: 20,000-1m transactions pa
  • Level 4: <20,000 transactions pa

6
Compliance
  • Level 1
  • - Annual audit by a PCI QSA
  • - Quarterly scans by a PCI ASV
  • Levels 2, 3, 4
  • - Annual self assessment using PCI SAQ
  • - Quarterly/annual scans by a PCI ASV
  • - Attestation of compliance

7
Technical Requirements
  • IT infrastructure / network configuration
  • Access control and logging
  • System security: firewalls, anti-virus, etc.
  • Data processing, storage and transmission
  • Portable devices / wireless technologies

8
Corporate Policy
  • Information Security Policy
  • Covering all aspects of information security
  • Maintain, publish, review annually
  • Security awareness programme
  • At induction and at least annually thereafter
  • Employee acknowledgement

9
Premises
  • Visitor procedures
  • - Physical token, surrendered on departure
  • - Visitor log, retain for 3 months
  • Secure areas
  • - Entry controls
  • - Authorised access logs

10
Direct Marketing
  • For one-off card donations/purchases
  • Collection of card data
  • - On coupons (mail/inserts/OTP)
  • - By telephone (outbound/DRA)
  • In-house handling
  • - Secure processes and audit trails

11
Direct Marketing
  • In-house storage
  • - Hard copy data (filing/archiving)
  • - Electronic data (encryption)
  • - Digital images (scans)
  • Data transfers
  • - Internal (between business areas)
  • - External (to/from 3rd party suppliers)
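Added example, not part of the presentation: a small Python routine showing how the slide 4 principle (storage of security codes not permitted) and the in-house electronic storage point above can be enforced before a donation record reaches the supporter database. SAD fields are dropped outright, the PAN is Luhn-checked, masked to the first six and last four digits, and replaced by a keyed HMAC token so repeat donors can still be matched without the card number being held. The field names, sample record, log line and the HMAC tokenisation are constructed assumptions for this example; a real deployment would use the PSP's own token or strong encryption of any PAN that genuinely must be retained. The second function is a defender's check for unmasked card numbers in free text such as log files or OCR output from scanned coupons.

```python
import hashlib
import hmac
import re

# Sensitive Authentication Data (SAD) field names as this example assumes they
# arrive from a web form or a keyed-in coupon. None of these may be written to
# any in-house store after authorisation, whatever the medium.
SAD_FIELDS = ("csc", "track_data", "pin", "pin_block")

# Constructed sample input (a well-known test card number, not real data).
SAMPLE_RECORD = {
    "supporter_id": 7,
    "pan": "4111 1111 1111 1111",
    "expiry": "12/10",
    "csc": "123",
}
SAMPLE_LOG_LINE = "donation 42 from card 4111 1111 1111 1111 expiry 12/10"


def luhn_ok(pan: str) -> bool:
    """True if a digit string of plausible card length passes the Luhn check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI-DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise_pan(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN so the CRM can link repeat donors without the number.

    Assumed stand-in for a PSP-issued token; the key must be held outside the CRM.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitise_for_storage(record: dict, key: bytes) -> dict:
    """Return the only form of the record that may be written to the supporter database."""
    pan = re.sub(r"[\s-]", "", str(record["pan"]))
    if not luhn_ok(pan):
        raise ValueError("PAN failed length/Luhn check")
    # Drop SAD outright and never copy the raw PAN through to the stored record.
    stored = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = tokenise_pan(pan, key)
    return stored


# Runs of 13-19 digits, optionally space- or dash-separated, not adjoining other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Luhn-filtered card numbers found in free text (log lines, OCR of scanned coupons)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-out-of-the-crm"
    print(sanitise_for_storage(SAMPLE_RECORD, key))
    print("unmasked PANs in log line:", find_unmasked_pans(SAMPLE_LOG_LINE))
    print("unmasked PANs after masking:", find_unmasked_pans(mask_pan("4111111111111111")))
```

The Luhn filter removes most random digit runs but not all, so treat hits from `find_unmasked_pans` as candidates for review rather than proof; the point is that a masked PAN never matches, so any hit in a log or scan store is a process failure worth investigating.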

12
Online Marketing
  • For one-off card donations/purchases
  • Payment applications on website
  • - Real-time payment gateways
  • - Hosted payment pages
  • - Offline
  • Data transfers
  • - To supporter database/CRM system
  • - For fulfilment

13
Regional/Retail/Events
  • Payment data collected/handled/stored via
  • - Regional premises/staff
  • - Retail outlets/staff
  • - Events
  • - Volunteers
  • - F2F Activities
  • Falls within remit of PCI-DSS

14
3rd Party Service Providers
  • If card functions outsourced
  • - Response handling (post/telephone)
  • - Web hosting/payment processing
  • 3rd party service providers must also be compliant
  • Self managed or client assessed
  • Written acknowledgement
  • - Responsibilities / compliance

15
Conclusion
  • Extent of impact of PCI-DSS based on
  • - Scope of activities
  • - How activities are managed/executed
  • Nominated individual/team to manage compliance
  • - Not just technical
  • - All business strands

16
Q & A

17
Glossary / Reference Site
  • CHD: Card Holder Data (cardholder name, card number, expiry date, etc.)
  • CNP: Card Not Present (internet / MOTO transactions)
  • CSC: Card Security Code (also CV2/CVV2/CVC2/CID)
  • MOTO: Mail order and telephone order
  • PAN: Primary Account Number (card number)
  • PCI: Payment Card Industry
  • PCI-ASV: Payment Card Industry Approved Scanning Vendor
  • PCI-DSS: Payment Card Industry Data Security Standard
  • PCI-QSA: Payment Card Industry Qualified Security Assessor
  • PCI-SSC: Payment Card Industry Security Standards Council
  • PSP: Payment Services Provider
  • SAD: Sensitive Authentication Data (security code, magnetic stripe data, PINs)
  • SAQ: Self Assessment Questionnaire
  • https://www.pcisecuritystandards.org/

18
  • Sue Maccabe
  • Consultant Business Analyst
  • t +44 (0)1242 252297
  • m +44 (0)7764 852622
  • e sue.maccabe@dotjoining.co.uk