Penn's Compliance with Payment Card Industry
(PCI) Standards
  • February 7, 2007

PCI Overview
  • Data Security: Gregory Tausz, Sr. Director of
    Finance, Office of the EVP
  • PCI Best Practices and Policy: Bill Kasenchar,
    Sr. IT Project Leader, ISC
  • Background Checks: Gary Truhlar, Exec. Director,
    HR
  • Conference Services On-Line Registration: Jeff
    Barta, Director of Sales and Marketing, Business
    Services

Information Security
  • Types of Data  
  • Social Security Number
  • Credit Card Data
  • Health Information
  • Credit Information
  • Student Records
  • Employee Records
  • Alumni Information
  • Email / Other Electronic Data 

More than 80 data-theft incidents at colleges and
universities over the past two years (1)
  • Ohio University - holds the record in higher
    education for sheer number of files that were
    compromised. Vast computer-security breach of
    social security data. 367,000 files on students,
    staff, and alumni exposed to hackers over a
    13-month period.
  • University of Southern California - whose
    applications database containing files on 270,000
    people was hacked in July 2005.
  • University of Texas at Austin - electronic
    break-in at the business school in April exposed
    197,000 files containing biographical information
    on students, alumni, and staff members.
  • University of Kentucky - disclosed that Social
    Security numbers of 6,500 current or former
    students were stored on a portable device, called
    a thumb drive, that had been stolen from a
    faculty member.
  • Western Illinois University - hacker may have
    copied Social Security or credit-card numbers of
    200,000 to 240,000 current or former students.
    The credit cards had been used to purchase
    textbooks online or for stays in a university

(1) Source Chronicle for Higher Education,
Select Actions Taken to Reduce Theft of Data
  • ISC
  • Monitors virus activity, installs security
  • PennKey: ensures that passwords no longer pass
    over the network in clear text (reducing the
    likelihood that they are compromised)
  • Reduce the visibility of social security numbers
    in core administrative systems and applications
  • Records clean up
  • SPIA (Security and Privacy Risk Assessment):
    evaluation of electronic information risk in
    business systems
  • Payment Card Industry Compliance Initiative

Under what circumstances does Penn accept credit cards?
  • Annenberg performances
  • Athletics ticket sales
  • Retail: BSD (e.g. Computer Connection)
  • Services: Dental and Veterinary Services
  • Student related: tuition and fee payments
  • Executive Education: course enrollment
  • Fund raising: annual fund

Risks associated with accepting credit cards?
  • Theft of credit card number
  • Reputational risk
  • Legal actions
  • Future revenue impact

Payment Card Industry Data Security Compliance
  • Best Practices, Processes and Policy

Payment Card Industry Initiative
  • University's security compliance initiative to
    minimize credit card fraud risks.
  • Effort led by ISC and the Treasurer, along with
    HR, the Office of the General Counsel and the
    Schools and Centers affected.
  • Regulated by an industry body that includes all
    major credit card companies (e.g. Visa,
    MasterCard, American Express, etc.).
  • Policies apply to any company that transmits or
    processes credit or debit card information. Scope
    includes credit card data collected both on-line
    (online card services) and in-person at
    point-of-sale (POS) terminals.

  • January 2005
    Visa and MasterCard announce the Payment Card
    Industry Data Security Standard, also endorsed by
    Amex, Diners Club and Discover.
    Requirements include firewalls, encryption,
    two-factor authentication, anti-virus software,
    and regular audits by independent, certified
    vendors (e.g. PwC, Verisign, etc.).
  • June 2005
    Original compliance date.
    Penalties for non-compliance: according to
    Visa/MC, if we are compromised and not compliant,
    fines of up to $500,000 per incident.
  • March 1, 2007
    Penn compliance date.

Schools/Centers Affected
  • 125 merchant accounts across 26 schools and
Remediation Summary
  • The university currently is 89% compliant (111 of
  • Our report on compliance is required (by
    Paymentech) to be an aggregate self-assessment
    that includes all university and UPHS merchant
  • Our goal is to provide our report on compliance
    to Paymentech in February.
  • UPHS has contacted all their account holders and
    is completing their remediation effort. It is
    unclear at this time if they will be able to meet
    our goal.
  • Treasurer's web site has been modified to reflect
    compliant processes and best practices.

Merchant Accounts by School/Center (chart slide; no transcript available)
Best Practices - Don'ts
  • Do not send credit card data via e-mail
  • Do not store track data from credit cards
  • Do not use any wireless network to transmit or
    view credit card data
  • Do not store credit card data
  • Do not use a POS terminal on a VOIP telephone

Best Practices - Do's
  • Train your staff in the appropriate security
    procedures for handling credit card data.
  • Configure POS machines to not store credit card
    data. The full 16-digit credit card number
    shouldn't appear on any receipt or end-of-day
  • Use Payflow Link for e-commerce transactions.
  • Transfer security risk to Verisign or a compliant
    third party vendor.
  • Shred any paper containing credit card numbers
    immediately following processing. Only the
    transaction ID is required to handle disputes or
  • Structure any paper forms so that the credit card
    data can be removed (perforation at bottom of
    page) and shredded immediately following
    processing; the other bio/demo data can then
    be retained for business purposes without
Best Practices - Processes
  • Make sure you read the treasurer's web site (at
    processing.shtml) prior to requesting a merchant
  • Make sure that anyone who may want to set up a
    merchant account goes through the proper channels
    within your organization prior to contacting the
    treasurer's office.
  • Make sure that anyone who will come in contact
    with credit card data has signed off that they
    have read and understand Penn data security policies.
  • Make sure a background check is done for all new
    hires who will handle credit card data (PIQ and
    HR Manager have been updated to reflect this
  • Contractually obligate vendors to accept
    compliance and liability responsibility, and vet
    the contract through OGC prior to signing.
  • Become familiar with Information Security's
    Incident Response Plan and all Information
    Security policies at http//
  • Be aware of the PCI standard at

Background Checks
Background Check History
  • In January 2001, the University implemented a
    prototype criminal background check program for
    new staff hired in the:
    • Executive Vice President's divisions
    • Engineering and Applied Sciences
    • University Museum
  • Additional units participating:
    • School of Medicine
    • Wharton
    • College of Arts and Sciences
    • Units reporting to the Provost
    • Computing jobs across the University
  • Approximately 66% of the academic staff positions
    are covered by the current background check policy.

Who Performs the Check?
  • A division of Automatic Data Processing (ADP)
  • Why ADP?
    • University's sole source provider
    • Federal law precludes University Police from
      conducting routine background checks
  • Background checks are initiated by Recruitment
    and Staffing through the ADP web site

What checks will be run?
  • Social security number check
  • Criminal records search
    • Criminal convictions only
    • Arrests are blocked and not considered
  • Credit check
    • For those handling cash or credit card data

PCI Background Check Guidelines
  • Screen potential employees to minimize the risk
    of attacks from internal sources.
  • Inquire of Human Resource department management
    and verify that background checks are conducted
    (within the constraints of local laws) on
    potential employees who will have access to
    cardholder data or the cardholder data
    environment. (Security Audit Procedures v 1.1)

PCI Background Checks
  • Required under PCI Standards
  • The primary focus of the PCI Security Standards
    is to help merchants improve the safekeeping of
    cardholder information by tightening their
    overall security standards, which in turn reduces
    their chances of experiencing security breaches,
    fraud, and potential catastrophic financial
  • Effective 1/01/2007 for new Penn hires only (not
    existing staff, transfers, etc.)

HR Hiring Issues: Credit Card Responsibilities
  • Properly document job responsibilities in PIQs
  • Job Posting must notify of Background Check
  • Complete Background Check form, including
    selecting Credit Check
  • HR Manager will be modified to automate Credit
    Card Posting Process

Conference Services On-line Registration
Evolution
  • In collaboration with ISC's PCI Team, Conference
    Services is compliant with PCI standards
    developed for web-based transactions.
  • Setup, hosting, and maintenance is managed by
    Seattle Technology Group, Inc. on their secure
    servers.
  • Payments are securely processed via a PayFlow
    Pro account.
  • Registrants enter their conference registration
    information and submit their payment using
    128-bit SSL.
Basic Features
  • Require a payment in order to submit a
    registration for any or all conferences, or make
    payment optional.
  • All registration and event charges are
    automatically calculated/displayed to the
    registrants, and payments are securely
    processed/immediately displayed on a
    confirmation web page.
  • Registration and/or payment confirmations can be
    automatically emailed to registrants.
Details
  • In January 2007, Conference Services made this
    application available to the entire University
    community, for schools/centers/departments who
    require occasional-use merchant accounts.
  • A customizable web-based Event Management
    application that both facilitates the collection
    of customer data relative to an event and
    supports processing of web-based credit card
    payments.
  • Conference Services facilitates journaling
    payments to the general ledger and to individual
    departmental accounts, thereby reducing the time
    and expense of setting up one-use merchant
    accounts.
  • Reduces the overall number of merchant accounts
    the University maintains.
  • Can be used as a stand-alone web application or
    embedded into an existing web application
    tailored to a specific conference offered.
Contact Jeff Barta in Conference Services for more
information at 215-898-9319 or Web site (work in