Understanding PCI DSS Compliance in Nebraska
Learn about Payment Card Industry Data Security Standard (PCI DSS), its definitions, Nebraska's setup for ensuring cardholder data security, entities involved, requirements for compliance, and the roles of the PCI Security Standards Council. Discover the importance of maintaining firewall configurations, securing cardholder data, and encryption practices. Stay informed about the responsibilities of merchants, service providers, and the state offices in ensuring PCI compliance.
Presentation Transcript
Chris Hobbs, State of Nebraska Information Security Officer, Office of the CIO

Agenda:
What is PCI / DSS?
What are the definitions I need to be concerned with?
How is Nebraska set up?
What do I need to submit?
Resources
Payment Card Industry / Data Security Standard: a framework of specifications, tools, measurements, and support resources to help agencies ensure the safe handling of cardholder information.

Who makes up the PCI Security Standards Council? The Security Standards Council is a global forum, started in 2006, made up of five payment brands:
American Express
Discover
JCB International
MasterCard
Visa
Merchant: any entity that accepts payment cards of the five members of the PCI Security Standards Council as payment for goods or services. Examples: DMV, Revenue, Game and Parks.

Service Provider: any entity that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. Examples: Treasurer's Office, Office of the Chief Information Officer, Nebraska.gov.

The Treasurer's Office holds a contract with First National Bank and TSYS to process credit cards and is responsible for reporting PCI compliance. The Office of the Chief Information Officer is responsible for ensuring and verifying PCI compliance on the State's network.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Requirement 5: Use and regularly update anti-virus software or programs.
Requirement 6: Develop and maintain secure systems and applications.
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security for all personnel.
The following should be submitted to the Treasurer's Office:
Specific Self-Assessment Questionnaire (SAQ)
Signed Certification Letter
Signed Attestation

Fill out Self-Assessment Questionnaire A (SAQ A) if:
The payment card is not present: the agency has no physical acceptance of credit cards from cardholders, only e-commerce transactions, phone call transactions, or Interactive Voice Response (IVR) transactions.
No cardholder data touches or accesses the agency's systems; the cardholder data is handled and processed by parties such as Nebraska.gov, PayPal Host Based Gateway, Official Payments, or Trust Commerce Host Based Gateway.

Fill out Self-Assessment Questionnaire B (SAQ B) if:
The agency only imprints the physical card with a knuckle buster or imprinter, with only imprinted card receipts as records.
The agency only uses a credit card terminal or reader to process card-swiped or key-entered credit card sales.
There is no electronic storage of credit card data on computers or the agency network.
Copies of sales slips and credit card machine batch reports are saved in a secure location.

Fill out Self-Assessment Questionnaire C (SAQ C) if:
The agency has a payment application connected to the internet that processes credit card data for sales.
The payment application does not retain any credit card data after the credit card transaction is processed.

Fill out Self-Assessment Questionnaire C-VT (SAQ C-VT) if:
The agency uses a web/internet virtual terminal (or terminals) to process credit card sales. Examples of a web/internet virtual terminal include the PayPal Gateway, PayFuse Gateway, Trust Commerce Gateway, and other web/internet gateways.

Fill out Self-Assessment Questionnaire D (SAQ D) if:
The agency does not fit into one of the previous categories (A, B, C, or C-VT).
Resources:
PCI Website: www.pcisecuritystandards.org
Chris Hobbs: chris.hobbs@nebraska.gov
Charles Luginbill: charles.luginbill@nebraska.gov
Char Scott: char.scott@nebraska.gov

Chris Hobbs, chris.hobbs@nebraska.gov