PCI Compliance: - PowerPoint PPT Presentation

About This Presentation
Title:

PCI Compliance:

Description:

Background and credit checks for employees handling credit cards. Training and acknowledgement ... Get as many credit card numbers off campus as possible ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 17
Provided by: akat2
Tags: pci | compliance


Transcript and Presenter's Notes

Title: PCI Compliance:


1
  • PCI Compliance
  • The Gateway to Paradise

2
Agenda
  • Background
  • What is PCI-DSS?
  • Who must comply?
  • Cost of non-compliance
  • Digital Dozen
  • Higher Education Challenges
  • Centralize Compliance

3
Background
  • Before PCI-DSS each card brand ran its own data security program:
  • Cardholder Information Security Program (CISP)
  • Site Data Protection Program (SDP)
  • Discover Information Security Compliance (DISC)
  • Result: confused merchants facing several overlapping programs
  • Now consolidated into one Data Security Standard (DSS)
4
What is PCI-DSS?
  • Payment Card Industry Data Security Standard
    (PCI-DSS)
  • Card associations founded an LLC
    https://www.pcisecuritystandards.org
  • One program now
  • Mission: enhance payment account data security by
    fostering broad adoption of PCI-DSS

5
What is PCI-DSS?
  • Participating organizations provide feedback on
    the evolution of PCI
  • Policy decisions are made by the Executive Committee
6
Who Must Comply?
  • Payment Card Industry (PCI) data security
    requirements apply to all members, merchants, and
    service providers that store, process, or transmit
    cardholder data.
  • Payment Card Industry Data Security Standard

7
Who Must Comply?
8
Cost of Non-Compliance
  • In the event of a breach the acquirer CAN
    make the merchant responsible for:
  • Any fines from PCI-Co
  • Up to $500,000 per incident
  • Cost to notify victims
  • Cost to replace cards (about $10/card)
  • Cost of any fraudulent transactions
  • Forensics from a QDSC (Qualified Data Security Company)
  • Level 1 certification from a QDSC

9
Cost of Non-Compliance
  • Example: 50,000 credit cards stolen
  • PCI penalty: $100,000 per incident
  • $500,000 if you do not have a self-assessment
  • Card replacement: 50,000 × $10 = $500,000
  • Fraudulent transactions: 50,000 × $1,235 = $61,750,000
  • $1,235 = 2004 average fraudulent transaction
  • Bad publicity: priceless!

10
Digital Dozen: the twelve PCI-DSS requirements
11
Higher Education Challenge
  • Higher education networks comprise an estimated
    15% of the total advertised Internet address
    space
  • Extremely open by tradition and culture
  • Networks highly connected to the commercial Internet
    and to regional, national, and international research
    networks
  • Communities range from 1,000 to 200,000 people
  • Thousands of networked devices
  • Departments control local technology and act
    independently
  • Understaffed IT departments
  • University of Indiana

12
Centralize Compliance
  • Get executive buy-in
  • Define a commerce committee
  • IT
  • Security
  • Internal Audit
  • Treasury
  • CFO

13
Centralize Compliance
  • Define and publish a credit card handling policy:
  • Acceptable payment channels
  • Handling of PII (Personally Identifiable
    Information)
  • Requesting merchant IDs
  • Applicability to University employees and work-study
    students
  • Background and credit checks for employees
    handling credit cards
  • Training and acknowledgement
  • Use of vendors

14
Centralize Compliance
  • Gap analysis:
  • Review all existing merchants and their
    procedures
  • Identify urgent improvements
  • Operational remediation plan
  • Technical remediation plan
  • Compliance maintenance:
  • Rules will change
  • Systems will change
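The gap analysis above starts with finding out where card numbers actually live on campus, since every departmental spreadsheet or database export that holds a PAN is in scope. The script below is an added example (not from this presentation or from Nelnet) of a minimal PAN discovery scan: it pulls 13-19 digit candidates out of text, filters them with the Luhn mod-10 check that every real card number passes, labels the likely brand from the leading digits, and reports only the last four digits so the report itself does not become cardholder data. The sample export is constructed inline using the card brands' public test numbers; walking real file shares or database dumps is left to the caller.

```python
import re
from typing import Dict, List

# Constructed sample: a departmental spreadsheet export. Rows 2-5 hold the
# public Visa/MasterCard/Amex/Discover test numbers; rows 6-7 hold 16-digit
# strings that fail Luhn and must not be reported. Phone and student IDs
# are too short to be candidates.
SAMPLE_TEXT = """student_id,name,phone,card,notes
900123456,A. Student,402-555-0123,4111 1111 1111 1111,Visa test number
900123457,B. Student,402-555-0124,5555-5555-5555-4444,MasterCard test number
900123458,C. Student,402-555-0125,378282246310005,Amex test number
900123459,D. Student,402-555-0126,6011 1111 1111 1117,Discover test number
900123460,E. Student,402-555-0127,4111111111111112,fails Luhn: not a PAN
900123461,F. Student,402-555-0128,1234567890123456,fails Luhn: not a PAN
"""

# A candidate is 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def brand_hint(digits: str) -> str:
    """Rough brand guess from the issuer prefix and length (not authoritative)."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55
                              or 2221 <= int(digits[:4]) <= 2720):
        return "MasterCard"
    if digits[:2] in ("34", "37") and len(digits) == 15:
        return "American Express"
    if len(digits) == 16 and (digits[:4] == "6011" or digits[:2] == "65"):
        return "Discover"
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the findings report is not itself a PAN store."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid candidate: line number, brand, masked PAN."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue  # random or mistyped digit strings drop out here
            hits.append({"line": lineno,
                         "brand": brand_hint(digits),
                         "masked": mask_pan(digits)})
    return hits


if __name__ == "__main__":
    for h in find_pans(SAMPLE_TEXT):
        print(f"line {h['line']}: {h['brand']} {h['masked']}")
```

Luhn filtering removes most false positives from IDs and serial numbers but not all of them, so treat each finding as a lead for the merchant review rather than proof; conversely, PANs stored with unusual separators or inside binary files will be missed by a plain regex, which is why scope reviews pair a scan like this with interviews of the people running each merchant ID.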

15
Centralize Compliance
  • Consider outsourcing:
  • Get as many credit card numbers off campus as
    possible
  • Use a service provider to process credit card
    transactions
  • Use approved scanning vendors
  • Use approved hosting centers

16
Questions?
  • David R. King
  • President
  • Nelnet Business Solutions
  • dking_at_infinet-inc.com