What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of requirements for protecting payment account data. It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International) to promote the broad and consistent adoption of data security measures on a global basis. [1]
The PCI DSS covers security management, policies, procedures, network architecture, software design and other critical protective measures, and is intended to help organizations proactively protect customer account data. It contains over 200 specific security requirements, grouped into 12 high-level requirements.
Who does PCI DSS apply to?
All merchants and service providers that process, store, or transmit cardholder data are required to adhere to PCI DSS. Compliance is enforced contractually: the card brands pass the requirements down to merchants through their merchant (acquiring) banks.
Why is it important to comply with the PCI DSS?
There are contractual, ethical, and financial reasons for adhering to the PCI DSS.
- Contractual: Notre Dame's acquiring bank mandates that all merchants both comply with the PCI DSS at all times and validate that compliance. Compliance is validated by completing a Self-Assessment Questionnaire (SAQ) annually. If a merchant does not adhere to all PCI requirements, or does not validate in a timely fashion that those requirements are being met, the University is in breach of its contract and the merchant bank may close the offending merchant account immediately, preventing the merchant from accepting credit cards as a form of payment.
- Ethical: When a merchant accepts a credit card, the customer trusts that their sensitive personal data will be protected. Complying with PCI DSS is the baseline by which merchants ensure that they are adequately protecting that data.
- Financial: A 2011 Ponemon Institute study estimates that data compromises cost merchants on average $204 per affected customer. [2] Because a payment application (especially a non-compliant one) may hold years' worth of sensitive customer data, the number of affected customers, and therefore the cost of a breach, can be very large. The exact cost of a breach cannot be known before it happens, but the types of costs that you as a merchant and the University as a whole would incur can be identified:
- Incident Response and Cleanup: This includes lost employee productivity as university resources are reallocated to analyze what happened, contain the problem, repair information systems, and collect forensic evidence.
- Notification Costs: All customers who may have been affected by the data compromise must be notified, and the university may need to offer each of these customers credit monitoring services for a minimum of one year.
- Card brand fines: The card brands levy fines on the acquiring banks for mismanaging customer data, and the acquiring bank passes these on to the responsible merchant. These fines can range from several thousand to several million dollars, depending on the size and severity of the breach.
- Opportunity Costs: Forrester Research estimates that 10-20% of potential customers will be lost due to a security breach in a given year.
- Audit Costs: After a breach, merchants may be required to be audited by a qualified third-party assessor (a PCI Qualified Security Assessor, or QSA) for a minimum of one year. The cost of this outside assessment is significantly higher than the cost of assessing ourselves internally.
- Other liabilities: Credit card replacement costs and civil penalties for those affected can add to the already significant costs of a breach. [3]
PCI compliance can be viewed from several different perspectives, but only by considering the contractual, ethical, and financial issues together can you see the full picture of why it is so important for all of us, as an institution, to adhere to the PCI DSS.
What is the role of the Credit Card Support Program (CCSP)?
The PCI DSS is cross-functional by its very nature. In order to fully protect credit card data, both technical and business related requirements must be followed. For example, from the business side, proper mail and paper handling procedures must be followed, and employees must receive background checks prior to employment; from the technical side, proper network encryption and firewall settings must be followed. These cross-functional requirements make it understandably difficult for a single merchant to ensure and verify all aspects of their compliance.
The Credit Card Support Program oversees several activities that help merchants maintain their PCI DSS Compliance. The CCSP centrally manages the following:
- Account Management: Computer accounts for individuals that can access cardholder data must be managed to a strict standard, and require multi-factor authentication for access. The CCSP manages these accounts and assists users with their accounts, passwords, or tokens.
- SAQ Submission: The CCSP helps to coordinate all of the activities required for merchants to validate PCI DSS compliance and submit SAQs. Rather than requiring that each individual merchant work with HR, Information Security, and other departments to answer the SAQs in full, the CCSP Office has divided the SAQs into department specific assessments. (Some of these assessments can be found in Section 5 of this document.) This way, the merchant only needs to answer applicable questions, while the other assessments are answered by the appropriate subject matter experts. The CCSP office aggregates all of the assessment answers into the SAQ, requests approval from the appropriate officer responsible for the merchant activity, and then submits the SAQ to the bank. This process occurs once per year for every merchant at the University. (Some departments manage more than one merchant account.) The timing of this process will vary depending on your merchant account.
- New Merchant Approval: Before the University's merchant bank will permit any funds to flow through a new merchant account, it must verify that certain security measures consistent with PCI DSS are in place. The CCSP facilitates this new account setup and ensures that the merchant can and will comply with PCI DSS. As part of this process, all proposed merchant activity is reviewed by the Information Governance Committee and approved by the Vice President for Finance.
- Payment Environment Change Approval: Because a merchant's payment environment is typically not static and may change in scope, technology, location, etc., a merchant that once met the PCI DSS can become non-compliant. To prevent this, the Information Governance Committee must review all proposed changes to the campus payment environment.
- PCI DSS Awareness: The CCSP oversees a multifaceted security awareness program, which includes, among other things, online training, an informational website, merchant meetings, and this manual. In addition to the clear benefit of educating campus merchants about credit card security, having such an awareness program is a requirement of the PCI DSS.
Who is the Information Governance Committee?
The purpose of the Information Governance Committee is to ensure that all requirements of the PCI DSS are met, and to guarantee that all necessary stakeholders review any card processing activity or change in card processing activity before implementation. The Committee ensures that merchant activities are aligned with University goals and policies.
The Information Governance Committee (IGC) membership shall consist of individuals appointed by the following units:

| Unit | Appointee(s) |
|---|---|
| Office of the Provost | Joe Lyphout |
| Office of the Executive Vice President | Matthew Blazejewski |
| Finance Division | Drew Paluf |
| Office of General Counsel | Tim Flanagan |
| Office of Human Resources | Tammy Freeman |
| Office of Information Technologies | Mike Chapple, Augie Freda, Todd Hill, Jason Williams |
| Office of the Registrar | Chuck Hurley |
| Office of Research | Liz Rulli |
| Office of Strategic Planning and Institutional Research | David Bailey |
| Office of University Relations | Micki Kidder |
| Audit and Advisory Services | Roger Mahoney |
[1] PCI Security Standards Council, About the PCI Data Security Standard (PCI DSS), available from https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml; Internet; accessed February 2009.
[2] Ponemon Institute, LLC, 2011 Annual Study: Cost of a Data Breach, Understanding Financial Impact, Customer Turnover, and Preventative Solutions, December 2011, p. 4.
[3] SecureWorks, Security 101: Cost of a Breach, available from http://www.secureworks.com/research/newsletter/2007/10/; Internet; accessed February 2009.