Welcome to the 2nd Annual Campus Merchant Awareness Training Meeting - PowerPoint PPT Presentation

Slides: 31
Provided by: srjo2
1
Welcome to the 2nd Annual Campus Merchant
Awareness Training Meeting
2
Agenda
  • Introductions
  • Merchant Account Basics
  • FAQs
  • What Have We Learned? In this case, left is
    always better!
  • PCI Compliance Changes
  • PCI Compliance Overview
  • Resources

3
Merchant Accounts Updates
  • System down? Voice Authorization: 1.800.936.2632.
    Need MID.
  • Questions on Accounts?
  • DST 1.800.228.5882- 24/7 service
  • Statement issues
  • Authorization Problems
  • Supplies
  • Bursar Support Services
  • Dial Pay
  • Wireless Terminal
  • POS Terminals

4
Merchant Accounts Updates
  • Account /Statement Review
  • Review Monthly for errors charges
  • Jul VS zero floor limit fee
  • Analyze yearly for cost/service assessment
  • Minimum Charges on Statements
  • Visa EIRFs 2.30- manually entered cards
  • Plastic bag around card
  • Clean terminal
  • Rub card magnetic strip
  • Debit pin pads

5
Merchant Accounts Updates
  • Sales Calls
  • Bank of America Merchant Contact
  • Upgrading Pin Devices
  • Fraud Control- http://usa.visa.com/merchants/risk_management/index.html
  • American Express Rate Change- All campus 2.05%
    consumer card; Discover 1.75
  • Staff Training Resources- Many options for the
    front line staff as well as IT and MRPs.

6
Merchant Accounts Updates
  • Phishing Alert-
  • Bank of America temporarily suspended your
    account.
  • Reason: Billing failure.
  • We need you to complete an account update so we
    can unlock your account.
  • To start the update process follow the link below
     
  • http//www.secureyouraccountnow.com 
  • Once you have completed the process, we will send
    you an email notifying that your account is
    available again. After that you can access your
    account at any time.
  • The information provided will be treated in
    confidence and stored in our secure database.
  • If you fail to provide required information your
    account will be automatically deleted from Bank
    of America database.

7
Frequently Asked Questions
  • Service Charges
  • No- Varied rules between Visa and other card
    brands. Flat fee versus .
  • May be some legislation changes
  • No service charge encourages prompt payment
    customer response
  • Establishing minimum charge amount-
  • Card organizations forbid you from establishing
    any transaction dollar limits.

8
More FAQs
  • Requiring pictured identification
  • Card organizations state the credit card sale
    cannot be turned down due to lack of picture id.
  • Phone authorization
  • Card not signed
  • Suspected counterfeit card
  • Fax Machines Laptops
  • MOTOs - Virtual Terminals Dial Pay

9
Still More FAQs
  • Self Assessment Questionnaire
  • Annual
  • A great of merchants have completed
  • Security Policies/Procedures
  • Departmental
  • Campus
  • Network Configuration
  • Abraham Kuo- UITS Security Operations

10
What Have We Learned? That in this case, left is
always better!
  • Merchant Compromise
  • Paper and fax machines
  • SAQ C Merchants
  • Compliance Failures
  • Shopping Cart, Operating Systems and Other
    Patches
  • Firewall Rule Review
  • Segmentation /flat networks
  • Look for an alternative (Move to the left)
  • Keep MOTO to Dial Pay or Point of Sale Terminal

11
Compliance Changes
  • New Annual third party assessment
  • MasterCard Notification of Level 2 Merchants
  • Report on Compliance (ROC) assessment
    documentation
  • SAQ Specific
  • You are not alone, we are right beside you.
  • SAQ C Training

12
Questions?
13
PCI Compliance Requirements and Resources
  • Sylvia Johnson, University Information Security
    Officer
  • Kelley Bogart, Senior Information Security
    Specialist
  • October 23, 2009

14
Agenda
  • Role of the Information Security Office
  • PCI Overview
  • InfoSec PCI Web Page Compliance Roadmap
  • Payment Methods Validation Requirements
  • Ongoing Compliance

15
InfoSec Role
  • Information Security Policy: Access to UA data,
    computers and network is subject to policies and
    laws.
  • PCI compliance is mandated by
  • contract with Bank of America
  • FRS Policy 8.14.
  • Info Security Policy: InfoSec will issue
    guidance to assist units in implementing
    information security related policies.

16
What/Who Does PCI Cover?
  • PCI security requirements apply to
  • all merchants who store, process or transmit
    card holder data
  • all system components in or connected to the card
    holder data environment
  • network components
  • servers
  • applications

17
Digital Dozen
18
PCI Requirements
  • 225 specifics
  • Some technical
  • Some operational
  • Consequences
  • Monetary fines
  • Restrictions on merchant processing
  • Loss of privilege
  • Merchant Responsible Persons are responsible for
    ALL of them

19
http://security.arizona.edu/pci
20
Payment Methods Validation Requirements
21
On-Site Assessment
22
Report on Compliance
23
Process Flow Diagram
  • A description of how the credit card information
    moves through the network
  • To which systems the data is passed/stored
  • Through which network devices the data passes
  • Which ports and protocols are used to pass data
  • Which and when encryption algorithms are used
  • Which data is stored, where and for how long
    (PAN, CVV2/CVC2, expiration date, etc.)
  • All inbound sources of CHD to the network
  • All outbound flows of CHD (e.g., to a payment
    processor, 3rd parties)

24
Continuous Compliance
PCI DSS compliance is much more than a project
with a beginning and end; it's an ongoing
process of assessment, remediation and reporting.
Implementing PCI DSS should be part of a sound,
basic enterprise security strategy, which
requires making this activity part of your
ongoing business plan and budget.
25
SAQ A Compliance Timeline
26
SAQ B Compliance Timeline
27
SAQ C Compliance Timeline
28
SAQ D Compliance Timeline
29
Campus Resources
  • Abraham Kuo- UITS - 626.9736
  • Kelley Bogart ISO - 626.8232
  • Robbyn Lennon FSO-Bursars - 621.5781
  • Security Metrics- Securitymetrics.com
  • BankofAmerica.com/merchantsupport
  • https://www.pcisecuritystandards.org/
  • Prioritized Approach for DSS 1.2-
    https://www.pcisecuritystandards.org/education/prioritized.shtml
  • PCI Quick Reference Guide-
    https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

30
Questions?