Payment Card PCI DSS Compliance SAQ-A Training Accounts Receivable Services, Controller’s Office 7/1/2012



SAQ Training

At the conclusion of this training, merchant managers should be able to do the following:

– Understand the scope of your cardholder data environment
– Understand how to complete the SAQ
– Understand what the Attestation means
– Understand how to accurately answer the SAQ questions
– Understand what to do if you are not PCI DSS compliant
– Understand resources available for assistance
– Complete your SAQ

What is PCI DSS?

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents. (https://www.pcisecuritystandards.org/merchants/)

PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.

The standards apply to all entities that store, process or transmit cardholder data. (PCI DSS Quick Reference Guide; Understanding the Payment Card Industry Data Security Standard version 2.0, page 6)

Why is PCI DSS important?

A breach or compromise of payment card data has far-reaching consequences, such as:
• Regulatory notification requirements,
• Loss of reputation,
• Loss of customers,
• Potential financial liabilities (fees and fines),
• Litigation, and
• Denial of the University’s privilege to accept certain cards (Visa, MasterCard, American Express, Discover)

What is an SAQ?

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool that allows merchants to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The SAQ consists of two primary components:

1. Questions about your account that correlate with the 12 PCI DSS requirements.

2. An Attestation of Compliance: your self-certification that you have assessed your unit’s compliance as required in your SAQ form and identified action plans to address any areas of non-compliance.

SAQs come in several forms based on how a merchant processes, transmits and stores cardholder data; the less cardholder data that touches your own systems, the shorter the SAQ. Most University accounts use an SAQ-A, B or D.

SAQ completion is required annually by our acquiring bank and card brands.

The Standards: 6 Sections; 12 Requirements

Build and Maintain a Secure Network
1: Install and maintain a firewall
2: Do not use vendor defaults

Protect Cardholder Data
3: Protect stored data
4: Encrypt transmission of data

Maintain a Vulnerability Management Program
5: Use anti-virus software
6: Secure systems and applications

Implement Strong Access Control Measures
7: Business need-to-know
8: Assign a unique ID to each person
9: Restrict physical access

Regularly Monitor & Test Networks
10: Track and monitor access
11: Regularly test security

Maintain an Information Security Policy
12: Maintain a policy

The SAQ-A addresses Requirements 9 & 12
The SAQ-B addresses Requirements 3, 4, 7, 9 & 12
The SAQ-D addresses all 12 Requirements

Annual SAQ Process

1. Determine the scope of the review. Go over your department operations and systems with regard to accepting payment cards. This assessment of your “cardholder data environment” helps you to accurately identify the appropriate scope for your review. Document your process to determine scope. Consider, for example:
• Where do you take cards? (e.g., multiple locations, front desk, internet)
• How do you take cards? (e.g., swipe terminal, Authorize.net, fax, phone, in-person)
• Who touches cards and cardholder data?
• Is the data recorded anywhere?
• Where does it go?

2. Review unit payment card policy & procedures. Take a look at your business process involving payment cards.
• Has your business process changed in the last year?
• Are your policies in agreement with PCI DSS and/or University policy?

Annual SAQ Process (continued)

3. Complete Annually-Required University Forms

Merchant Manager (Form UM 1624)
Required for all departments that have a University of Minnesota Payment Card Account.

Employee Non-disclosure (Form UM 1623)
Required for all employees involved in payment transactions who may have access to confidential cardholder data, including card numbers, expiration dates or demographic cardholder information.

Hosted Payment Card Account Desktop Usage Agreement (Form UM 1705) – SAQ-A only
Required for departments that outsource all cardholder data functions to an approved University of Minnesota on-line, hosted payment gateway that the department manages through a password-protected website provided by the payment gateway service provider. This annual agreement sets out the requirements that allow the department to access the password-protected website without establishing a secure desktop.

4. Completion of the SAQ & Attestation

SAQ-A

SPECIAL INSTRUCTIONS

You are eligible to use the SAQ-A if:
• You handle only card-not-present transactions (e-commerce, mail/phone order); and
• You do not store, process, or transmit any cardholder data on University systems or premises but rely entirely on third party service provider(s) such as Authorize.net to handle these functions; and
• You have confirmed that the third party service provider(s) handling storage, processing, and/or transmission of cardholder data is (are) PCI DSS compliant; and
• You do not store any cardholder data in electronic format; and
• Any cardholder data that is stored is retained only in paper reports or copies of receipts and is not received electronically.

If you meet all five requirements you are eligible to complete the 13-question SAQ-A form. If any one of them does not hold (for example, card numbers are keyed into or pass through a University system), a different SAQ applies; contact Accounts Receivable Services before proceeding.

Completing Your SAQ

1. Answer each question in your SAQ and SAVE it (the form does not auto-save responses).
• “Yes” means you are fully compliant with this item.
• “No” indicates you are not compliant with this item. Each “No” must have a corresponding entry in either Part 4 “Action Plan for Non-Compliance,” to describe your remediation plan for compliance, or Appendix C “Compensating Controls,” to describe how you meet the requirement in a different way.
• “NA” means the item does not apply in your situation. Use Appendix D to describe why each “NA” item is non-applicable (required).

2. Complete, print and sign the Attestation page; scan and save an electronic copy.

3. Email the completed SAQ and Attestation to [email protected]

Action Plan

• For each area of non-compliance there MUST be a corresponding Action Plan to meet the requirement.
– Describe the next steps you will take on the path to compliance.
– Summarize the Action Plan.
– Include a target date to achieve remediation.

• Examples:
– We do not have a cross-cut shredder but will use the one in the office down the hall until we buy our own. We will purchase and install a cross-cut shredder, and train staff on use and handling of payment cards and disposal of sensitive information, by September 30, 2012.
– Compliance remediation is in process; expect completion by July 31, 2012.
– Will review current practices to identify & address gaps; will design and deliver training on new procedures by October 31, 2012.

Compensating Controls

• Wherever you comply with the requirements through a means different from the method described in the SAQ, you MUST describe the “compensating control” in Appendix C.

• Use one page for each requirement for which you use a compensating control.

• Compensating controls must meet the intent and rigor of the specific Requirement. Thus another SAQ Requirement that you already have to meet may not be used as a compensating control. Compensating controls are infrequently used at the University.

Non-Applicability

• For each NA response you mark in your SAQ, you MUST provide a descriptive reason why the requirement does not apply to your account.

• The description may be as simple as:
– Data is not shared with service providers.
– Containers are not used to temporarily store paper to be shredded. A cross-cut shredder is used to immediately shred documents no longer needed.
– No media is sent via courier.

• Use additional pages if necessary.

SAQ-A Requirement #9

• All questions on this page are likely to be NA for typical University SAQ-A merchants if:

All credit card numbers are entered by the customer using a website that ties directly to a third-party processor (such as Authorize.net), meaning you have no access to credit card numbers. If card numbers are ever written down, printed, or received by fax, phone or e-mail in your unit, the Requirement 9 questions about paper media, storage and destruction are NOT NA and must be answered.

• Here is an example NA explanation from one merchant:

“There is no paper or electronic data. No data is received, stored, or processed locally.”

(Screenshot of the SAQ-A Requirement 9 questions, each marked NA.)

SAQ-A Requirement #12

• The ‘Service Provider’ in this case is your payment gateway (e.g., Authorize.net).

• 12.8.1 University merchants rarely use more than one service provider, so the “list” is your service provider (e.g., Authorize.net).

• 12.8.2 You must verify that the proper language (the service provider’s acknowledgement of its responsibility for the security of cardholder data) is present in the service provider’s contract. If you use Authorize.net SIM or DPM this is the “Authorize.net Payment Gateway Merchant Service Agreement.”

• 12.8.3 YES if (a) you use Authorize.net, as they are recommended by our acquiring bank (Wells Fargo), or (b) you used Purchasing Services to establish the vendor relationship.

• 12.8.4 YES if you use Authorize.net SIM or DPM (see service agreement above). For other service providers you are responsible for monitoring your vendor’s PCI DSS compliance status at least annually. A quick place to start is to check compliant service provider lists such as Visa’s Global Registry or MasterCard’s Compliant Providers list; keep a dated copy of what you checked as evidence for next year’s SAQ.


What is an Attestation?

• An attestation clause is frequently found in legal documents that must be witnessed to be valid, such as signatures by those who “bear witness to the authenticity” of a will or a deed.

• When a merchant makes an Attestation of Compliance they are, in essence, “bearing witness to the authenticity” of the SAQ; in other words, the merchant is affirming the SAQ was completed to the best of the merchant’s ability or in collaboration with colleagues who the merchant reasonably believes responded to the best of their ability.

• It means the merchant thought through each requirement, sought assistance when needed to understand and accurately respond, and believes the SAQ accurately reflects their account. The merchant didn’t just check the boxes.

Attestation

• Complete ALL sections EXCEPT Part 1b.

• Part 2: use only
– Retailer
– E-commerce
– Mail order/phone order

• Part 2a: If you use Authorize.net or a similar gateway, they are a 3rd party.
– Most of the University uses Wells Fargo as the acquirer. Contact Accounts Receivable Services if you believe you work with more than one acquirer.

Attestation – SAQ-A Page 2

• Part 2b: You must be able to check each item.

• Part 3 - PCI DSS Validation: If you check ‘Non-Compliant,’ be sure to include remediation Action Plans in Part 4 (following your signature).

• Part 3a: You must confirm and attest to all three.

• Part 3b: Print, sign, scan, email.

Resources

Controller’s Office website: Training presentations & links to resources

Accounts Receivable Services for process or general form questions – [email protected] or 612-625-2392

OITSEC: Send technical questions to [email protected]

University’s Payment Card Policy

Two helpful documents provided by the PCI Security Standards Council:
– Navigating PCI DSS: Understanding the Intent of the Requirements describes how & why the requirements are relevant to your payment card process.
– Requirements & Security Assessment Procedures provides guidance to determine if you have met a requirement.