Vince Fusco [00:04:47] All right. I think we are ready to get going. So welcome everyone. My name is Vince Fusco.
Vince Fusco [00:04:57] I am the director of PCI services with True Digital Security, and I will, along with a couple of my other team members, be walking you through a guide to PCI compliance and the self-assessment questionnaires that many of the state agencies that you guys represent are to be filling out over the next few months as part of the state PCI compliance objectives. So we're going to talk through some of the high points of PCI as well as do a quick walkthrough of the portal that we've set up for you guys to answer
Vince Fusco [00:05:47] your PCI questions, and then we'll have some time for you guys obviously to answer questions as well towards the end. So if you're not aware, there's a little question area that you can type questions in and we can get to them if they're pertinent at the time. I have the little window open. I can answer them as we go; if it's something that's going to be better left towards the end, I'll say so and we'll talk about it towards the end.
Vince Fusco [00:06:14] So without any more delay, let's get going.
Vince Fusco [00:06:21] So a little bit about True Digital Security. We're based mainly in two locations. Here in Tulsa is where we were founded, and then we also have offices out in West Palm Beach, Florida. We were established in 1985 as one of the original pioneers of IT services. That's our Florida branch. And then the security branch here in Tulsa.
Vince Fusco [00:06:48] We merged with an IT security provider, so, managed IT provider and anything in the security, information security world. If we can't do it, we can help you do it. So, you know, that's just kind of a quick brief overview. You can go to our website at truedigitalsecurity.com to learn more about us as an organization, but we've been asked by the Treasury Department
Vince Fusco [00:07:24] today to talk to you guys about PCI compliance. And so that's what we're mainly going to focus on, but I thought it would be nice for you guys to have a little quick introduction to the presenters today. Myself, Vince Fusco. I'm the director of PCI Services. A little bit about myself.
Vince Fusco [00:07:47] I've been a QSA for 6 years now, which is a qualified security assessor, which is the nice term that PCI uses for auditor. So I've been, I don't like to say that I've seen it all, but I've seen a lot of it in the PCI world. So I come to you with a lot of experience in the field, and hopefully that helps you guys through your process. With me is my colleague Jenna Waters. She's on my PCI team and she also has a lot of experience. She's been in the IT
Vince Fusco [00:08:24] security field with the military and in the private sector for many years as well. So she brings a lot of experience as well. Jolly Salehy, he's our senior software architect. He's going to be walking you guys through the portal demo, how you guys are to be filling out your questionnaires for PCI, how to log in, all that fun technical stuff. That's later on in the presentation, and then finally Kayna Kelly,
Vince Fusco [00:08:53] who's our sales coordinator for the state, and she has a little bit about her efforts in working with the state and some of the other services that we've provided to the state and what we can provide for you moving forward.
Vince Fusco [00:09:15] As far as topics go today, I'm going to do a quick overview on PCI just in general. A lot of it is just kind of a 10,000-foot view of what PCI is, why it matters. It could, it most likely will be information that a lot of you have already heard, but I thought it'd be nice to go
Vince Fusco [00:09:39] over it. It kind of helps blend into your obligations and that sort of thing, so to kind of give you a full picture. And then we'll go into the types of PCI compliance and the requirements associated with the different types of PCI compliance. We'll also go over some common questions as well, sort of an FAQ style thing about PCI and the things that you might hear out in the field that we can debunk or validate, if you will.
Vince Fusco [00:10:11] So those are kind of the big things, and then we'll also have a portal demo at the end, which is probably the more exciting part of this presentation for you guys, so you can get to work on your PCI compliance obligations.
Vince Fusco [00:10:29] So to jump into the PCI overview, a little background on PCI. So, starting with myths, there is a myth that PCI is a government or federal regulation. That is not true.
Vince Fusco [00:10:48] The compliance requirements for PCI are set by the PCI Council, and you might ask yourself who is on the PCI Council. Well, to no surprise to anyone, it is the brands. So the heads of Visa, Mastercard, American Express, Discover, Diners Club all got together and formed the PCI Council, so they not only run the business, but they also set forth security requirements for this business.
Vince Fusco [00:11:17] So it makes sense that they've got a large stake in the game, because if their merchants and service providers aren't secure it makes them look bad, and then, you know, people stop using credit cards and their business starts to fall apart. So they're the ones that kind of run the show. It's an international organization. So if you're PCI compliant in Tulsa, Oklahoma, then you can take your compliance certificate and it's still valid in London, England. So that's a good thing about PCI compliance, is that it's not different anywhere in the world. So it does cross borders.
Vince Fusco [00:12:00] The standards apply to any entity that stores, processes or transmits cardholder data. So not only does it apply to the banks who issue cards,
Vince Fusco [00:12:11] it also applies to the processors who process card transactions, to the food trucks that sell you tacos. You know, everybody has a different compliance obligation. You know, the banks obviously have a different obligation than your food vendors, but everybody has some obligation, and a lot of it comes down to how you as a merchant or a service provider see and interact with that cardholder data. Can you really affect, and in what ways can you affect, the security of the cardholder data?
Vince Fusco [00:12:48] So like that last bullet point says, standards do govern all merchants and service providers. So if you're doing any credit card business, if you're taking credit cards in any way, whether you're part of the process from beginning to end or you're just swiping a card and getting a check from the bank,
Vince Fusco [00:13:10] you still have some compliance obligation. It might not be much, but you have something, and we'll talk about that as we go on, and how you decide what your obligation looks like. So there is a myth out there that if I'm only processing five cards a day or five cards a month, why do I have to be compliant? Well, if you're taking a card under any of the card brands, any of the major card brands, I should say, Visa, Mastercard, American Express, they do require PCI compliance. Now,
Vince Fusco [00:13:44] another thing is that processors and banks don't always ask for your compliance reports. So, as you know, my personal opinion is that you shouldn't really offer your compliance reports until somebody asks for them, mainly because once you start reporting your compliance, you're on the clock year in and year out from then on. So it's good to be aware of compliance obligations.
Vince Fusco [00:14:12] It's good to meet your compliance obligations, but just have that kind of reporting, or, you know, all that stuff, in your back pocket for when somebody asks, so there's no delay, instead of just trying to offer it up, because, you know, you don't want to be on the hook for something before you need to be. That's just a personal opinion, and a lot of QSAs share that opinion, so it's not like we're tricking anyone.
Vince Fusco [00:14:43] It's pretty common knowledge, but a lot of the state agencies today might not be getting their door knocked down by banks to get their PCI reports. Still, it's good to be ready when they do come knocking. So that's a lot of what we're going to be working towards today. So the major entities in the PCI chain, as they say, are the acquirer, which is generally the financial institution. Oftentimes
Vince Fusco [00:15:16] it's the bank in a given credit card transaction. They process the settlements, chargebacks, the actual payments. They are subject to payment brand rules. So, you know, you look at a bank that the processor talks to. They still have to adhere to any of the PCI requirements. Now, they have a whole different level of PCI requirements
Vince Fusco [00:15:48] because they are a bank and they handle the bulk of the money at the end of the day. So they have different types of requirements, but they are still subject to the requirements.
Vince Fusco [00:16:01] The next entity is the processor, and they're kind of the intermediary between the merchant and the bank or the acquirers. So oftentimes when a merchant swipes that card it doesn't go straight to the bank. It goes to a processor first that connects to different banks, and they facilitate their payments through different types of software. You might have heard of things like tokenization or iframes.
Vince Fusco [00:16:31] We'll talk about that a little later on, but generally speaking the processor is the one that supplies those. You know, there are some processor-independent solutions as well.
Vince Fusco [00:16:42] But the processor often facilitates connections to the acquirer from the merchants, because different things have different requirements, and so not every merchant is going to know where, when. When, you know, you have 50 customers, they're all going to have different banks, and, you know, the merchant has a different bank, and so we're all just trying to facilitate that, and that's kind of the processor's job in the whole thing. The next one is the merchant, which is the category that the majority of the attendees today will fall under. They're the ones that take card payments. They don't facilitate,
Vince Fusco [00:17:32] you know, they're not part of the card process other than they're just helping their customers pay, basically. So that's technically any entity that accepts payment cards from one or more of these: Mastercard, Discover, AMEX, JCB or Diners Club. As it falls under, they're the final recipient of settlement, and, you know, obviously they're the seller of the goods and services. So that's most,
Vince Fusco [00:18:00] that's the majority of entities that have to have PCI compliance. Those are your food trucks and your brick-and-mortar stores, or even, you know, your e-commerce stores. Those are all merchants. Typically, you can tell that if you have a merchant ID associated with your account, then you are a merchant as PCI defines it. So, if you have a merchant ID,
Vince Fusco [00:18:29] you're most likely a merchant, except for some very rare cases. The other entity in the chain is the service provider. So these are entities that provide a service through the PCI flow. So it's not necessarily a seller of goods and services, but they do see card data.
Vince Fusco [00:18:53] So think about this as somebody, one of the most popular and well-known is someone like PayPal, all right. So PayPal facilitates credit card transactions on behalf of merchants, and so they're not actually the seller of the goods, but when you sell something on eBay and the buyer wants to use a credit card through PayPal, then it's now a service provider and they have a different set of obligations.
Vince Fusco [00:19:26] It's generally mapped to the same ones, but PCI likes to be much more focused on the service providers, as far as they have a lot more compliance obligations than the average merchant, mainly because they interact with so many other merchants. So if you were to think back to the taco truck example, if a taco truck, you know, loses a couple cards
Vince Fusco [00:20:01] in a breach, yeah, that's two customers that lost card data and that's not a small deal. But at the end of the day we can talk to those two customers even, and that can be settled pretty quickly. Now if PayPal were to be breached and they lost, you know, fifty thousand, a hundred thousand credit card numbers, now it's a bigger deal, and not only does it affect PayPal, it affects every merchant that works with
Vince Fusco [00:20:31] them, which is, you know, millions at this point, so that's a much bigger deal. So that's why PCI has a lot more stringent requirements for service providers, and, you know, their levels are a little bit different, which we'll get into a little bit later, so you can kind of see the difference between merchants and service providers.
Vince Fusco [00:21:05] Everybody can hear me? I was getting, I'm getting a note that the audio is off.
Vince Fusco [00:21:17] All right. I'm going to kind of roll into an overview of the twelve main requirements for PCI. These are the major goals and requirements.
Vince Fusco [00:21:35] for PCI. Not every merchant or service provider is going to have to adhere to these, and we can kind of detail why as we go through it, just because every environment's different, every card interaction is different, infrastructure's different. I might get cards swiped through a USB and that's all I have to worry about. I also, on the other hand, might have a whole website and backup infrastructure,
Vince Fusco [00:22:03] which comes with a lot more requirements, you know. So the first two kind of fall under the main goal of building and maintaining a secure network. One is to install and maintain firewall configurations to protect cardholder data, pretty straightforward. Don't use vendor defaults for system passwords and security parameters. This falls under, you know, network security again. It's pretty uncommon, or almost extinct,
Vince Fusco [00:22:33] I think, to have any kind of card processing without an internet connection. Even the most esoteric card flows that I've seen over the years still have a phone line connected to them.
Vince Fusco [00:22:49] Not many people are doing manual card transactions. Even if the internet goes down, you'll find a lot of people picking up the phone and doing card transactions that way. So whether you think that you have a network in scope or not, you have a little bit of network in scope. Now, what that means can be different from entity to entity. Obviously, if you're running a huge e-commerce platform, say like Amazon or any of the other big-box retailers, you're going to have a lot more in this area, because you have a lot of firewalls, you have a lot of configurations, you have a lot of system passwords and security parameters to look at, which is completely different
Vince Fusco [00:23:33] than if I have a single card swipe plugged into the wall, and, you know, it's kind of hands off. But just making sure that your network is secure, and being aware of who has access to your network and who can affect security in that way.
Vince Fusco [00:23:55] But again, the amount that you have to do in these areas can vary widely depending on your scope, which is one of the key focuses of the day today. So next is to protect cardholder data. Number three is probably the biggest bugaboo of all the PCI requirements, and it's the number one thing that QSAs and many PCI
Vince Fusco [00:24:24] consultants will tell you: if you want to reduce your scope in the PCI realm, don't store cardholder data if you don't have to. Now, we know there's a lot of reasons why you might want to or need to, or businesses have to, and that's acceptable, you can do it, but it comes with a lot of requirements, for obvious reasons. If you have a big database sitting on your network that has millions of credit cards that can
Vince Fusco [00:24:54] just be taken in an instant if an attacker gets into your network, well, that's it. You know, that's the target. You know, Target just had a bunch of credit cards sitting on their network and within minutes it was gone. So if you don't have to store it, please don't do it. If you do have to store it, there's a lot of encryption and security requirements that kind of come with it. A lot of those requirements kind of fall under digital
Vince Fusco [00:25:24] storage. I think, you know, it's not great to write down cardholder card numbers. You know, I don't like it when people are just writing on notepads. That's not to say you can't store physical card numbers. A lot of entities take mail-in payments, which, you know, people write the card numbers, expiration dates, all that kind of stuff on, and they, you know, they have to hold on to it so they can process the transactions.
Vince Fusco [00:25:52] That's definitely acceptable. You know, we just ask a lot of times that it needs to be secured through a lock-and-key type mechanism, safes, that sort of thing, so it's not easily accessible and, you know, you can limit access to those types of things. So that's another myth, that you should never write a credit card number down. While it's bad practice in a lot of areas to write credit card numbers down, you can definitely keep credit card numbers around
Vince Fusco [00:26:24] if you need to for business reasons. You know, it's kind of just like the digital area, you just don't want to keep them out in the public. We need them secured. So that kind of just goes into number four, encrypt transmission of cardholder data across public networks.
Vince Fusco [00:26:46] The majority of merchants don't have their own private networks to send credit card data through. You know, we work with some pretty big entities that can afford that kind of infrastructure. It's not very common. It's difficult to set up and maintain and obviously expensive. So most credit card data goes over public networks, and it's pretty uncommon to see cardholder data being sent unencrypted, mainly because a lot of the software packages out there and even a lot of the hardware card swipes do encryption on the hardware
Vince Fusco [00:27:24] or within the software. So it's already encrypted before it gets sent out over the network. That's to protect against, you know, man-in-the-middle attacks, people sitting between the transactions trying to grab cards through the networks and that sort of thing. It's definitely necessary, but a lot of software and hardware are already taking care of that, so that's good.
Vince Fusco [00:27:50] Number five, vulnerability management programs. So these are systems that are doing the cardholder processing, be it servers, web servers, application servers, even end-user systems. They need to have regular updates of antivirus software. They need to maintain secure systems and applications. That means before those systems even go on the network, before those servers can go on the network, they have to have a baseline level of security
Vince Fusco [00:28:19] through the PCI requirements, so that when you plug it in you don't have to worry about being attacked before you can even secure your system. So PCI wants that to be done, you know, as part of your security program as well. The next main section is implementing strong access control, making sure that your cardholder data environment is restricted for employees to need
Vince Fusco [00:28:49] to know. We've run across some entities that just allow everyone access to their cardholder database. That's not good practice.
Vince Fusco [00:28:59] You know, the HR team probably doesn't need access to cardholder data. You know, we want to limit that access, because all it takes is for one person to have a weak password that gets cracked by an attacker, and then boom, the cardholder data is exposed. So let's try to, we just try to keep that access to need to know, so that we can be aware of who has access and we can secure it as such. And then that kind of flows into assigning a unique ID so we can track access to cardholder data, making sure that if there's a breach we can follow up, see who had access, what user was compromised, if there was a compromise. Maybe it was an internal attack; that also happens, very common.
Vince Fusco [00:29:56] So just making sure that there's a trail, an audit trail if you will, of access to cardholder data, in case of breach or just as general security practice. And then I already kind of touched on this: restricting physical access to cardholder data. Not only is this writing cardholder data down, but if you're doing backups of cardholder
Vince Fusco [00:30:24] databases, even if they're encrypted, onto hardware, that's like hard drives or tape drives, that those are being secured in a secure location off-site, even in a vault, in a safe, that sort of thing, so that they cannot be removed, or, you know, just physical breaches, it's covered as well.
Vince Fusco [00:30:52] Regularly monitor and test networks. So tracking and monitoring, that's a lot of audit logging and alerting. If you have a big huge network, you need to have different points of the network that you can monitor,
Vince Fusco [00:31:07] so if a breach happens, or if an attack happens, or even if some strange behavior happens, your security professionals can be aware as soon as possible and kind of shut it down before something worse happens. And then 11, doing regular tests of your security systems. That's penetration testing, vulnerability scanning, that sort of thing, making sure that's part of your annual or semiannual process. If you have a large network in scope, getting a test from a security professional to ensure, yeah, maybe you haven't been breached, but that doesn't mean you aren't vulnerable. If you are vulnerable, it's just a matter of time.
Vince Fusco [00:31:48] So you want to make sure you're getting that stuff tested, especially if you're making major changes to your network. Anything can be overlooked, you know, a password didn't get changed, a parameter didn't get changed, that sort of thing. So getting that stuff tested regularly is good. And then everybody's favorite, number 12, maintaining information security policies and procedures,
Vince Fusco [00:32:10] making sure you're writing everything down so that when people access cardholder data, or your organization is working with cardholder data, they know how to do it in a secure manner, and you can point to policies and procedures as, you know, a legal backing that you have your procedures and policies in place. This is usually the last piece that anybody does, for obvious reasons.
Vince Fusco [00:32:38] Nobody likes to write policies, but they are important. From a lot of, you know, your legal team will be the number one proponent of these types of things, making sure that you have something written down to ensure that you are following your security principles and procedures, you know, and in case of a breach that's the first thing that an auditor or a forensic expert is going to want to look at as well. So those are the main requirements. I can probably tell you the majority of these are not going to be in scope
Vince Fusco [00:33:15] for you guys, just because of the amount of scope that you have, but it's good to be aware, in case, you know, things change all the time, or you could go to another organization and be part of their PCI program, or what have you, and then all of a sudden need to be aware of these things.
Vince Fusco [00:33:37] So it's good to talk about, and hopefully we can help you reduce your scope as well if some of these things are a problem.
Vince Fusco [00:33:54] All right. So, finished with the PCI overview, we're going to kind of roll into merchant obligations, kind of talk about you guys as the merchant, what you need to do, what you need to be aware of, kind of where you fall in the compliance world, so that you're not doing too much or too little for your compliance objectives.
Vince Fusco [00:34:24] So when you first kind of do that initial Google of PCI compliance, a lot of people get these levels of one, two, three and four.
Vince Fusco [00:34:37] Now levels are often confused with types of PCI reporting, so it can be a little confusing, but it is pretty straightforward. Levels are just mapped to how many card transactions of a particular brand you do per year.
Vince Fusco [00:35:06] So if you're doing less than 20 thousand transactions of a particular brand, meaning Visa, Mastercard, American Express, you are a level 4. Doesn't mean a whole lot. Levels two, three and four all kind of have the same compliance obligation, meaning you're going to have to fill out the same reporting. It's kind of more
Vince Fusco [00:35:36] for the card brands to track the growth of certain merchants, I've found. So they tend to pay attention more to levels one, two, and three. They do pay attention to all levels, but they put more focus on the higher levels, obviously because of the amount of cards that could be exposed per breach.
Vince Fusco [00:36:03] So as you can see on the left, the criteria per level. So if you're falling under 6 million transactions per year of a certain brand, which I think the majority of you are, we're hoping, because that's kind of the portal that we set up, you basically fill out a self-assessment questionnaire plus an attestation of compliance with that, and you do quarterly ASV scanning. Now,
Vince Fusco [00:36:35] the self-assessment questionnaire is a little bit of a misnomer, in that a lot of people will download a self-assessment questionnaire. And as we go through this presentation, I'll refer to the self-assessment questionnaire as an SAQ. A lot of people will download an SAQ and just be completely lost. It assumes a lot of PCI knowledge, which is where we come in and kind of help you guys understand it.
Vince Fusco [00:37:04] It's not something that's super easy to figure out, which SAQ to fill out. There's eight of them. You could kind of just pick one at random; they all kind of seem like they fit you. It can be a little difficult, and each SAQ has varying numbers of requirements, from, you know, just a handful on the SAQ A to the SAQ D, which has hundreds, and, you know, we don't want you guys wasting time filling out the wrong one when it doesn't
Vince Fusco [00:37:34] even apply. So an SAQ is required annually, and an SAQ comes with an attestation of compliance, which just means that whoever is filling out the questionnaire is attesting to the compliance from the questionnaire.
Vince Fusco [00:37:53] So if you're checking all the boxes saying you're secure and compliant, you also have to sign your name on it, saying that you're not lying, which, you know, I know we all want to be our best selves all the time, but I have come across a lot of SAQs filled out by clients in the past where people were just like, yeah, that's good, we're signing it, you know, and that's fine. That'll get your processor happy that they have your compliance reports on file.
Vince Fusco [00:38:24] But when the breach comes you're going to be stuck, and you're still going to have to pay those fines, because you're lying through the reporting and it will catch back up to you. So it's best to be honest. We'll kind of go through the different answers per SAQ so you guys can be as efficient and honest as possible on those things. If you do happen to be a level 1, you have to be audited by a third party, a QSA, which is a report on compliance. It's a much larger document. It's hundreds of pages.
Vince Fusco [00:39:04] It's got a lot of requirements. It's a lot of work. It's interviews, it's policies and procedures. It takes a couple months at best, usually about six months for most. It's a long process. It requires an on-site auditor to come on site and view your physical location. It's something that a lot of companies want to avoid if they can, because it's very expensive. It can take a long time. It can take a lot of resources.
Vince Fusco [00:39:34] That would be required annually. An interesting thing about these levels is that this is only for merchants. Service providers, which we'll talk about in a second, don't have these levels. So this is just for merchants. The other thing I want to talk about is the ASV scanning, which means if you have an IP address that your entity manages and owns that is external, that is part of your cardholder
Vince Fusco [00:40:04] data environment. So the most common in these situations is there's a website or some sort of external application that is exposed to the internet. Those IP addresses need to be scanned on a quarterly basis, and any high-level vulnerabilities need to be remediated on that basis as well.
Vince Fusco [00:40:30] And that needs to be done by a third party, an ASV, which is an accredited scanning vendor, which there's a handful of, and I don't know how many of you guys need this. If you do need this, please reach out to one of the contacts we'll mention later on and we'll get you set up with some ASV scanning. If you have an external IP address that is part of your cardholder data environment,
Vince Fusco [00:41:00] you do need to be doing quarterly external scans of it, and again, if you need help with that, or you think that might be a part of your environment, you know, we can help with that.
Vince Fusco [00:41:13] All right, so that's kind of the overview of merchant levels. So we'll talk real quick about service provider levels. You know, there's probably not many, if any, service providers here. As you can see, there's only two levels, it's two or one. So if you're a two, you do an SAQ; if you're a one, you do a report on compliance, or ROC. The level criteria is only 300 thousand transactions, pretty low.
Vince Fusco [00:41:44] Again, when I talk about how stringent PCI is with their service providers, they want the majority of their service providers to be having on-site assessments, being looked at, focused on, going through the big long process, for the reasons
Vince Fusco [00:42:02] I mentioned earlier. You know, a breach for a large service provider has a much larger effect for everyone than just a single small merchant or something of that nature. One thing to note, too, is that an entity can be both a merchant and a service provider, meaning they could be selling goods and services themselves and be part of the transaction chain. So a good example of that is we have a couple clients that provide software that helps the credit card transaction process, but they sell that software as well.
Vince Fusco [00:42:43] So they are then a merchant and a service provider. They take credit cards, so you can be both, and if you are both you have to do both reporting requirements. Not very common, but it does happen. So we like to put that up.
Vince Fusco [00:43:01] already So the key thing to know about service providers for you guys and for merchants is that you use one most likely because I doubt that any of you guys created your own Parts whites out of your own Hardware or created your own payment websites from scratch.
Vince Fusco [00:43:29] So anybody that provides, you know a service along the Credit card data flow whether it be a card swipe or payment application or an e-commerce application that you guys use their one of your service providers.
Vince Fusco [00:43:45] So it's very big focus on the PCI Council for merchants to do some due diligence on the review of their service providers because if you're relying on your service provider for Some piece of your compliance. So say I'm just a person that uses PayPal as my service provider.
Vince Fusco [00:44:07] Well, if all my transactions go through PayPal, I want to make sure that PayPal is secure, because whether the breach happens on PayPal's side or not, the end user is going to remember that it was on my website that they entered their card numbers on, and when they get their, you know, their bank statement at the end of the month, it's not going to say paypal.com. It's going to say, you know, Vince's website, and that's where they're going to point the breach at. So you might not have to pay
Vince Fusco [00:44:44] any direct breach fines, but you will pay in some PR, right? So it might not have been Target's direct fault, but they still had to pay out a billion dollars in PR because people don't care that their service provider was weak. So PCI really wants to make sure that you're doing your due diligence and making sure that your service providers are compliant as well. And that's a big part of your compliance obligations.
Vince Fusco [00:45:14] Part of that is that you're maintaining your list of service providers, that you have their current compliance status, and making sure that you, your team and their team are aware of their responsibilities. Now that last part, the responsibilities, is pretty easy, or I should say it's generally pretty easy. It's not always easy, but most service providers are aware that they're in the PCI security business. That's kind of their focus.
Vince Fusco [00:45:44] Right. So if I'm selling an encryption package for cardholder data security, for you to store your cardholder data securely, I know that I'm responsible for that, and that's going to be in your contractual obligations and that sort of thing.
Vince Fusco [00:46:00] So if you have any contracts with service providers, they need to be reviewed before you sign them to make sure that everybody is aware of their responsibilities and that sort of thing. So it behooves everyone to go through the service provider due diligence, through the legal process, all the way through, you know, when you engage them, and this is part of your annual review, making sure they still have their compliance documentation, because they should have their attestations of compliance as well.
Vince Fusco [00:46:44] And they should have a formal acknowledgment of responsibility that's signed by both parties, so that, you'll find if there is a breach, and hopefully there's not, a lot of finger-pointing happens and it's "well, you said this and you said that, they did this," nobody wants to take responsibility. So PCI really wants to focus on people being aware and responsible for their part, the part that they're playing. So making sure those bases are covered early on will save you a lot of legal heartache and probably financial heartache.
Vince Fusco [00:47:22] All right.
Vince Fusco [00:47:25] So I am going to take a five minute break before we go into this get a drink of water kind of pause and I'll be right back.
Vince Fusco [00:52:48] All right, after that drink of water, we're gonna roll into the self-assessment questionnaires. This is going to be important for you guys, too.
Vince Fusco [00:53:03] It will help decide which questionnaire to fill out. When you get into the portal there will be a list of questionnaires, and you want to make sure you fill out the right one, because if you don't you might be looking at requirements and saying, wow, I don't know what this is. I don't have this thing in my environment. So we're going to try to save you some time and hopefully some headaches by
Vince Fusco [00:53:33] defining the different SAQs so that you guys can fill out the correct ones.
Vince Fusco [00:53:42] I am going to introduce my colleague Jenna Waters, who's going to kind of walk through some of these with you guys. She is very experienced in filling out SAQs, like I said, we do this a lot.
Vince Fusco [00:53:59] The majority of our clients are SAQ merchants, so these requirements are very...
Vince Fusco [00:54:14] We're very experienced in filling out these questions. So we've seen them a lot.
Vince Fusco [00:54:19] So Jenna, if you would just unmute. I think you can.
Vince Fusco [00:54:32] Now, hand it off.
Jenna Waters [00:54:35] So when we're filling out SAQs, like you said, there are a bunch of different types. There are eight types. Essentially they put them in alphabetical order, which seems nice at first until you have to go through them all, and then each one has its own specific set of requirements, a different number of requirements, and they're very specific in who they pertain to. So before you even begin to start filling out an SAQ,
Jenna Waters [00:55:05] you have to decide what your scope is, and that's what this slide is primarily for, to kind of help you fill out your scope. So first you have to consider your storage. Are you storing cardholder data? Is it encrypted? Is it tokenized? Is it stored locally? Is it cloud hosted? You have to take that into consideration. Secondly, you also have to ask, so how are we collecting cardholder data? For some people it's going to be through an e-commerce website, for others
Jenna Waters [00:55:34] it's going to be through what's called a present transaction. So that's when a card is actually physically present. This is your brick-and-mortar stores. This is if someone is making, like, a payment to a state agency, but they're actually at your building making that payment. A good example, and probably the best one I have, is going and paying, like, a ticket. I know this is probably city or county, but that's the best example I have right now.
Jenna Waters [00:56:03] But you have to take that into consideration. Also, you have to think about how many payment channels do I have. So that can be a varied number. Between one payment channel, so you only take card-present with the card physically there with a customer, so it'd be one payment channel, or you have two payment channels, which is your brick-and-mortar store payment channel and you also take them online.
Jenna Waters [00:56:33] So those are two separate payment channels. A third that we commonly see is call centers, or essentially by telephone. There's also mail orders.
Jenna Waters [00:56:44] There's a few others that are a little more rare, but each one is representative of a different card flow, and you have to take each one into consideration when you are deciding how we as an organization take cardholder data, because all of it will be part of your overall scope at the end of the day. Secondly, transmission. Vince just kind of touched on this when we went over the twelve requirements. Transmission is essentially, you know, how is it coming into our environment?
Jenna Waters [00:57:18] How is it leaving our environment? Does it leave? You know, this really will apply more to e-commerce, but it does apply to brick-and-mortar stores depending on how you take that card, depending on what kind of card interaction devices you're using. So are you using a card swipe, or are you using those steadily pin and chip ones where you insert your card and you have to wait 20 seconds and then push in your pin and wait another minute and they take forever? Those are all going to have to go into how cardholder data is transmitted into your network, and then how you transmit it out of your network to your processor, to your acquirer, for overall processing.
Jenna Waters [00:58:03] And this is similar to transmission, but this is actually how the payment is processed. So primarily, unless you are fully engaged in the entire processing of the cardholder data, 9 out of 10, this will probably be through a service provider.
Jenna Waters [00:58:20] But if not, you could also be on the hook for processing, which would lead to a larger scope, and the biggest indication of who's processing the data would be who's the merchant of record. So that's pretty much that in a nutshell. But you have to consider all of those.
Jenna Waters [00:58:51] A few other common questions you're going to really want to ask yourself about your environments. And again, this is all leading to filling out those SAQs. But you do have to do this front-end work, because if you don't you will fill out the wrong SAQ, or you'll default to one that's way too long or way too big or doesn't meet your environment. So if you do go through and you really narrow down what your scope is, where you take cardholder data,
Jenna Waters [00:59:20] how you take cardholder data, where is it stored, how is it encrypted, is it encrypted in a database or tokenized, taking all of that into consideration, these are a few common questions that I think are really important for you to ask. So the first one is, do you have a relationship with more than one acquirer? So that would be, do you process payments through both Bank of America and Wells Fargo? Those are two examples.
Jenna Waters [00:59:50] And understanding who your acquirers are, who those banks are. At the end of the day they're going to be issuing you the final payment. Next is, does your organization have a relationship with one or more third-party service providers? The more service providers you have that are part of your scope...
Jenna Waters [01:00:10] So this isn't necessarily the HVAC service provider, but this will be the service provider that does software development for your payment channel. So keep in mind, when you consider service providers it only has to do with your cardholder data environment. It doesn't have to do with anything else. You might have a dozen service providers that have nothing to do with your cardholder data environment, and you don't need to care about those. Care about the ones that have an impact in any regard on cardholder data and your in-scope environment.
Jenna Waters [01:00:46] But you also need to know how many there are, because you have to be able to say, we did our due diligence, these service providers are compliant, here's their attestation of compliance saying that they are.
Jenna Waters [01:01:00] That's for you and that's for them, in case a breach happens. So it's a good idea to know who your service providers are and know they're compliant and have a process in place to track that compliance every year. Next is, does your organization store, process or transmit cardholder data on behalf of another entity or organization? This isn't likely to come up.
Jenna Waters [01:01:27] But if it does, because it's "do we do this on behalf of another organization," if you do, then that's something to take into consideration as well. And then the last question is, where can I find a list of PCI compliant service providers or applications? So there's two really good resources for this. The first is Visa provides a very comprehensive list on their website
Jenna Waters [01:01:58] of service providers, of both payment type applications, qoc companies and all sorts of service providers, and you just can go and search the service you want. The next one is the actual PCI-DSS website. They also have a very comprehensive list of service providers that are PCI compliant. So those are the two primary resources for finding compliant service providers if you decide you need one.
Jenna Waters [01:02:28] You can also ask us. We interact with a lot of different service providers who are PCI compliant.
Jenna Waters [01:02:41] And now we're going to get into the actual nitty-gritty. This is just a brief overview. And like I said, they were kind enough to put these, you know, alphabetically for us, with the exception of the P2PE one. So you have your A and A-EP, so these are SAQ A and SAQ A-EP. They're both specifically for card-not-present environments.
Jenna Waters [01:03:05] That means that card payments are primarily made off-site. They're not made locally. So there's no card present at the time the payment is made. So again, this is your mail order, your order by phone and your e-commerce channels. And then you have B and B-IP. So these are primarily card-present with no e-commerce, no electronic
Jenna Waters [01:03:36] storage of cardholder data, so dial-out terminals or the really old-school imprint machines. And when I say old, I mean like we're talking 1980s, like the swipe machines that people will use as backup sometimes. And then you have your IP-connected payment terminals, ones you've probably seen before. Granted, this means you only have those payment terminals.
Jenna Waters [01:04:06] You don't have any digital storage, you know, digital processing. You don't have any e-commerce website. You don't have any mail ordering or telephone ordering. Like, you have one or two old payment terminals, you just swipe the card, you're done. It doesn't interact with your network at all, with the exception of the line to and from the internet from the terminal itself.
Jenna Waters [01:04:30] Next you have SAQ C and SAQ C-VT. So SAQ C is an IP-connected payment terminal with no electronic storage, and I'm going to go more in depth on these. I just really wanted to give you a brief overview of how many there are, because there are a lot and it can feel like a lot. But SAQ C is primarily used for people with a payment application connected to the internet,
Jenna Waters [01:04:59] but they have no electronic storage of cardholder data. It typically applies to smaller merchants that have deployed out-of-the-box software to a standalone machine for taking individual payments.
Jenna Waters [01:05:17] So then the next one is your SAQ C-VT. SAQ C-VT is developed for a very specific environment, and the VT stands for virtual terminal, which can be, again, really confusing now that we have both cloud hosted virtual terminals. So it would be really confusing, but it's for a very specific environment, and it does have a subtle difference to SAQ C in where it applies.
Jenna Waters [01:05:45] So this SAQ applies to externally hosted web payment solutions for merchants with no cardholder data storage, and essentially these are terminals used in payments that are isolated in a single location and are not connected to any other system within the environment. What we typically see as the most common implementation is, like, a thin client terminal or individual system with a dedicated internet access and host-based firewall restrictions, but this does not have anything to do with an e-commerce channel.
Jenna Waters [01:06:23] So if you're taking payments over the web through, like, a virtual machine on Amazon, that's different, that does not apply here. Next is going to be your P2PE solution. That's a fairly new SAQ. It's meant for merchants who process card data only via payment terminals that are validated. So these are payment terminals that have been validated, and you can find them on the PCI
Jenna Waters [01:06:57] list for point-to-point encrypted solutions. When I say a payment terminal, I mean your chip and pin or your swipe machines, but essentially what this applies to are those machines that Vince mentioned earlier where the encryption occurs on the device.
Jenna Waters [01:07:17] So from the point of interaction between the card and the device, the encryption occurs, and the actual network behind that terminal only ever sees encrypted cardholder data, and for this SAQ to apply, you have to have one of those validated, PCI-listed point-to-point encryption solutions. Lastly is the catch-all, which is SAQ D.
Jenna Waters [01:07:45] It is by far the largest SAQ. It goes through almost all requirements, as well as a couple appendices depending on whether you're a service provider or not. It applies to any merchants who don't meet the very specific criteria for A through P2PE. It does, again, like I said, encompass a full set of over 200 requirements, and it covers the entirety of the DSS compliance. If you're a service provider, you're required to complete an SAQ D.
Jenna Waters [01:08:21] You don't have the option of completing any of the others. It is kind of a default catch-all. Also, there may be parts of an SAQ D that are not applicable, but you still don't meet the specific requirements for an SAQ A or an SAQ C, but it does take a considerable amount of time to complete.
Jenna Waters [01:08:48] Now we're going to dig in quite a bit deeper into these SAQs. We're going to start again with SAQ A. SAQ A, what we typically see this apply to are merchants whose primary means of taking cardholder data is card-not-present. Like I said, your e-commerce, your mail orders, your telephone orders. That means that there is no card present at a brick-and-mortar store.
Jenna Waters [01:09:16] No one is coming in and, you know, buying anything and interacting with another human being, with the exception of maybe over the telephone.
Jenna Waters [01:09:28] So these functions are typically outsourced to PCI DSS validated third-party providers. So that means that service providers typically take on the bulk of the processing and storing and transmitting of cardholder data. You have very few requirements in this one, and you basically have outsourced as much of the payment processing as possible.
Jenna Waters [01:10:00] A big one with this SAQ is tracking your third-party compliance and making sure that you as merchants are not keeping, you know, if you're storing any cardholder data, whether it's physical or electronic, you have processes in place to get rid of it. Like, you want that off your network, and you have those processes in place and you do not actually store it.
Jenna Waters [01:10:27] So a good example is, you know, you have mail order, like Vince brought up the mail order, where you get the mail order in the house with credit card information, you process the credit card into a third-party processing service, and then you have a process in place to take that mail order form and store it in, like, a secure location until it is shredded or burned or pulped. So that's a really good example of how you could be an SAQ A with a mail order.
Jenna Waters [01:11:00] SAQ A-EP is e-commerce only. That means that is the only payment channel that you operate under, that you don't take mail orders, you don't take phone orders, you don't have brick-and-mortar stores. You have e-commerce only, and all of that e-commerce is almost entirely outsourced. So this would be like if you were to take payments through PayPal or through Square online and nothing else. Otherwise, it's very similar to A, it's making sure you have a process in place
Jenna Waters [01:11:30] to make sure you're not storing cardholder data. You don't have any electronic cardholder data stored, processed or transmitted on your environment. You do have a strong process for committing due diligence to your third-party compliance, tracking their compliance, making sure you have attestations of compliance every year, and also making sure they're all validated.
Jenna Waters [01:11:58] So I'm going to go on ahead and let Vince take over for the next SAQ. So that's going to be SAQ B and SAQ B-IP. So, yeah.
Vince Fusco [01:12:09] Thanks Jenna. Before I move on, I wanted to kind of point out another main difference between A and A-EP. If you look under the payment channel side on A, it says the payment pages and functions originate only and directly from a PCI service provider.
Vince Fusco [01:12:25] So in that case, if you have a website, let's say, and you want to take a credit card payment, if you go ahead and redirect the user to a third party, that is not you. You don't host the page. You don't touch the page. All you're doing is saying we'll be glad to take your payment, just go over here to PayPal, or a lot of you guys use a government-based system for payments, that sort of situation. That's an SAQ
Vince Fusco [01:13:00] A, because you never actually see the cardholder data. It's either being input on another website or on a part of your web page that you don't manage or host. Now an A-EP is just slightly different than that, in that you could take that cardholder data, it's input on your page that you host, and then you pass it off to a third party. So there's that brief period where they put it in my website.
Vince Fusco [01:13:30] I'm not going to shift it off to a processor. I'm just taking it and then I'm going to pass it off to my third party. So that is a very key difference, and something that a lot of clients will get confused about, because they're like, well, we have this website.
Vince Fusco [01:13:46] We do have a payment page, we host the payment page. But a lot of vendors now, processors specifically, have what they call an iframe, so that field or the fields associated with the cardholder data is actually hosted on a different service provider's site. So even if it looks like I'm going to pay through Vince's website.com, the little area that I actually put my cardholder data into, that's actually being hosted somewhere else. So Vince's website.com never sees the cardholder data.
Vince Fusco [01:14:29] It looks transparent to the user, which is great, because then you don't have to redirect or anything, because the clients are like, well, we have that field on our website, but it's actually being hosted by a third party.
Vince Fusco [01:14:43] So you're still able to fill in the SAQ A. And one of the reasons I bring that up is because even though they're both lower scoped SAQs, SAQ A and A-EP have a large amount of requirement differences. Like you'll notice, just having that cardholder data for that short period of time before you pass it off to the next party does bring a lot of your systems and networks back into scope. So I just wanted to define that, because I know that's a very big piece that people get confused on, too.
Vince Fusco [01:15:17] So I do think that the majority of you guys probably fall under SAQ A. I know I talked to some people at the Treasury Department saying that a lot of the merchants attending today use a government-based payment application solution to process all their payments, meaning they never see the cardholder data. It's all taken care of by a third party, which is great. That means you can comfortably do the SAQ A, and, you know, that's the lowest scope. That's the one we want to fill out, because it's just a few requirements there. So hopefully you guys get to do that.
Vince Fusco [01:16:00] Also, some ways, and we'll talk about this as we kind of move through these SAQs, that if you have, Jenna mentioned, multiple card data flows, say I do have this SAQ A setup, but I also take card swipes, you know, here and there if they come into the office, it doesn't mean you have to fill out an SAQ D, but you still can mark a lot of the SAQ D requirements as not applicable just because
Vince Fusco [01:16:30] SAQ D is the default. Jenna mentioned that just because it's the longest doesn't mean it all applies.
Vince Fusco [01:16:35] But you do have to fill it out, and one of the ways you can kind of track which requirements you need to fill out is to go and look at the SAQ A and whatever other one applies to you. So if you have an SAQ A and you also have an SAQ C-VT, for example, you can go on the PCI website and look at the requirements and kind of just fill out the requirements from A and C-VT under the D. And then every other requirement could be not applicable.
Vince Fusco [01:17:11] And obviously if you have a situation like this, you know, we can walk you through how to do that, or if you're still confused, if you have a lot of different payment channels, as to which requirements you still have to adhere to, you know, that's part of the help we can provide. So don't get too stressed out yet. But hopefully a lot of you only have to fill out an SAQ A. That's the one that we try to push most of our clients to that have low PCI compliance obligations. So that's the reason I'm kind of spending the most time on this slide, because it probably applies to the majority of you.
Vince Fusco [01:17:49] So the Bs, Jenna mentioned these are not very common, mainly because, well, you know, I talk to a lot of clients and they're saying, well, it says this is for merchants that only take physical payments and we do that, we just have our swipes, they are connected to the internet. But Jenna mentioned that they only have to be connected to the internet.
Vince Fusco [01:18:17] So if they have a USB plug that plugs into an application or a system, then unfortunately they don't fall under B, because B only applies to these swipes that only connect to the internet. That means they have one line out. That's either a dial-up or an ethernet connection. And that is it. They are low scoped. There's not a ton in them.
Vince Fusco [01:18:44] So if you do have that environment, you know, that's great. But the majority of the time, I'll go to a client, they said, yeah, we're just SAQ B, we just have this one swipe, and you go there and it's actually not even connected to the internet.
Vince Fusco [01:19:02] It's connected via USB to a system, and the system is then connected to the internet, and that is not a B. It's just for card swipes only connected to the net, and the difference between the B and the B-IP is, B-IP is for that IP-based connection and B is with the imprint or standalone machines. Neither one of these has any kind of e-commerce.
Vince Fusco [01:19:33] There's no data retention either way, obviously, because they're just swipes. So yeah, these are not very common. We don't see them a whole lot, but they do exist, especially in some older environments or some very small environments. So it's possible that you guys have some of these out there. Obviously if that pops up, we will discuss those at a later date.
Vince Fusco [01:19:59] C and C-VT, these are pretty common.
Vince Fusco [01:20:03] Jenna kind of outlined the difference between just the straight C, which is, you know, a payment application.
Vince Fusco [01:20:10] So I think commonly I like to use the example of, like, a ticketing system, right? So oftentimes ticketing or even hotel and entertainment systems, they have some other functionality than just payments, right? So somebody comes up to me at a ticket booth or a hotel and says I want two tickets to this concert, then the application takes me to a seating chart, I pick out the seats, they all have varying prices, then it goes through a payment.
Vince Fusco [01:20:46] And that's all kind of housed in the application. That's typically kind of the C environment, right? So it's an application that has a payment component, but generally speaking it has other components too, or it is just a payment application. Sometimes you see this with point-of-sale, like at a restaurant.
Vince Fusco [01:21:10] It's just for payments, but as you know, a lot of point-of-sale systems have functionality such as menu operations and all that sort of thing, you know, it houses prices and that type of software. So that's generally what we're speaking of with the C, as Jenna mentioned.
Vince Fusco [01:21:29] The C-VT is when you have that virtual terminal specific kind of setup, you know, not very common, a lot of thin clients. If you think you might be an SAQ C-VT, you might want to run that by us just so we can validate that, so you don't fill out the wrong SAQ, because it's a very confusing distinction and we don't want you guys to fill out the wrong ones. C is the longest SAQ outside of the default, so you don't want to have to go through those extra steps if you're not a C-VT.
Vince Fusco [01:22:13] P2PE is a nice low scoped SAQ. It is for point-to-point encryption, but with that one specific note that it has to fall under a validated P2PE. Now, that's not always the case.
Vince Fusco [01:22:38] Sometimes processors will let a merchant fill out a P2PE SAQ if the environment reflects a P2PE environment and the QSA believes that the environment serves all the functionality of a P2PE but it's not listed.
Vince Fusco [01:23:00] Sometimes the processor will say, go ahead, you can fill out an SAQ P2PE, but you need to have the processor's thumbs up on that before you go doing anything, and a lot of times if you feel like you're filling out an SAQ in a non-standard sort of way,
Vince Fusco [01:23:19] it's always good to check with the processor before you do it, and we can definitely help you with how to work with processors in that way, because at the end of the day, they're the ones that can say yay or nay on those things, and generally they say yeah, as long as you have a QSA involved that's knowledgeable and experienced. Because if you go and look at the P2PE list, it's just not a very long list of accredited P2PE solutions. So we want to make sure that if an organization does fit a lot of the criteria, we can go ahead and have them fill out an SAQ P2PE, or in a lot of cases, we can fill out an SAQ D and only mark the P2PE requirements. That's generally the tack, I think. So.
Vince Fusco [01:24:16] Just making sure that if you're going to go jump into the P2PE world, make sure that the solution has been approved on the website. Not a lot of them out there, so I know I don't expect we'll see a ton of these, but if you think you might have one, or you know for sure you have one, you can fill that one out.
Vince Fusco [01:24:36] And then the D, as we mentioned before, it's the catch-all. So a lot of processors will just tell their merchants to fill out an SAQ D so they don't have to worry about figuring it out, because there is such nuance to which SAQ you fill out. So you might find that you filled out an SAQ D in the past and your processor told you to fill in SAQ D. That's, a lot of times, I don't want to say it's laziness.
Vince Fusco [01:25:05] It's to cover all bases. It's saying, well, we don't want to have to worry about you filling out the wrong SAQ, and D is always the right answer if you don't know the right answer, so they go ahead and just have their merchants do that. It's easier for them. But a merchant who gets the 200 question list or requirement list is going to be very overwhelmed.
Vince Fusco [01:25:29] In actuality they end up not filling it out or they fill it out incorrectly. I don't believe it's the best way to go about filling out SAQs. It's kind of a standard.
Vince Fusco [01:25:39] It's kind of annoying for a lot of auditors and assessors, because it just wastes a lot of the merchant's time to just push it that way. It overwhelms people, they get really stressed out, and then they have a bad idea of what PCI should look like, or they just do way too much work and spend way too much effort and resources on something they don't need to do. So we try to avoid that. We try to spend a lot of time making sure you're filling out the right one, and like Jenna said earlier, you can still fill out a low scoped D, as we call them, and mark some of the requirements not applicable. That's perfectly acceptable, and we're going to go over some of the responses for SAQs here.
Vince Fusco [01:26:30] Right now we're going to do that. So when you fill out your SAQ, it generally asks you some very general information up top: explain how you guys take credit cards, explain your environment, do you have any service providers, please list them, that sort of thing. Stuff that's pretty general, just kind of filling in the blanks, and then you'll get to the requirements, and for each requirement you're going to have the ability to pick one of these.
Vince Fusco [01:26:58] Right. So if you have the requirement in place, basically, let's use one of the more common requirements. Do you have an information security policy? If you have it, click yes, move on. If you don't have it and you don't plan on having it before you finish your SAQ, click no, because it's not one of those requirements you can skip; that specific requirement is applicable to everyone.
Vince Fusco [01:27:28] You can't skip out on information security policy the ones that aren't applicable generally our technology they so if they're saying make sure your firewalls can figured, you know on an annual or on a semi-annual basis, you're reviewing configurations while it's like well, we already decided early on that our firewalls not in scope so that can be not applicable.
Vince Fusco [01:27:51] So don't confuse know for not applicable if There is a question that you truly know that is not in your environment generally speaking when you can confidently click not a full don't click. No because no equals not compliant. So the way that PCI works is if you have 50 requirements and you meet 49 of them and one of them is Mark, no, you are not compliant. You don't get partial credit. So make sure that you're aware of what you're doing when you click no.
Vince Fusco [01:28:28] In the difference between that and not applicable going back up. Yes with a compensating control. That's not super common compensating controls are basically where you're not specifically meeting a requirement, but you are meeting the spirit of the requirements and you're also going above and beyond that requirement. These are very specific cases.
Vince Fusco [01:28:57] And I don't like to use a ton of examples here because it can be kind of confusing. I think if you believe you have a compensating control for requirement, it would be best to kind of pass it through us first so we can help you through the compensating control worksheet because you have to attach that as part of your SAQ PCI makes it difficult to go through the compensating Control process because they don't really like it.
Vince Fusco [01:29:28] So we want to make sure that you are.
Vince Fusco [01:29:32] Filling it out correctly and you know what you're doing. The last one is not tested, meaning you're just not even going to look at the requirement. I don't ever click not tested, because it's just not... it also kind of, from PCI's perspective, it also kind of means no.
Vince Fusco [01:29:57] You know, if you click not tested, that's equal to a no in PCI's world. So try not to do that.
Vince Fusco [01:30:05] That means you just didn't even look at the requirement and you're not going to. So usually if you think it doesn't apply to you, click not applicable instead. So those are the main responses. Typically we want to see yeses and not applicables. If there's any of the other three, we want to make sure that that's been discussed, or you guys know that you are saying that you're not compliant in some way, or with the compensating control that you are filling out the worksheet correctly.
Vince Fusco [01:30:38] So hopefully we see yeses and not applicables. That's what we want, because that's when you're compliant.
Vince Fusco [01:30:46] So now, after we kind of discussed all that stuff, we're going to kind of walk through the portal for you guys, so you guys can start working on these questionnaires. So I'm going to hand that over to Jolly. I think I need to change the presenter.
Vince Fusco [01:31:12] Jolly are you ready?
Jolly Salehy [01:31:15] I'm ready.
Jolly Salehy [01:31:38] All right. You see my screen Vince.
Vince Fusco [01:31:46] Yes, ma'am.
Jolly Salehy [01:31:47] Awesome. Okay, so, also, some time subsequent to this call you'll all be receiving credentials, I think from the state treasurer's office. So you'll get a login, a password, and a link to the SAQ portal. So this is the first thing you'll see when you come to the portal. It's very nondescript.
Jolly Salehy [01:32:21] And purposefully so. We didn't really want to advertise that this is the state of Oklahoma PCI SAQ portal. This is a public URL. It's secure, but it is a public URL. So we're trying to keep it nondescript intentionally. So the first time that you log in, the very first thing it's going to have you do is change your password.
Jolly Salehy [01:32:48] So it'll ask you to change your password, so you'll be putting in your current password and setting up a new password. The only requirements are that it is between 8 and 30 characters long, includes at least one number, and optionally and preferably includes one of the following special characters. So if you have a password manager and can generate kind of a random password, that would be ideal.
Jolly Salehy [01:33:29] If not, make sure your password is relatively secure and take note of it. Now, if you forget your password for some reason or you can't log in for some reason, please just let us know. We can correct that without much issue. If you try to log in too many times with an incorrect password, your account will be locked. Also not a big deal. Just let us know and we can get it
Jolly Salehy [01:34:00] resolved. It's just some things that we're doing to secure the portal.
Jolly Salehy [01:34:18] Okay.
Jolly Salehy [01:34:21] so when you first login once you've changed your password, you'll see something like this.
Jolly Salehy [01:34:30] so Just a few helpful Links at the top. There's a link to the PCI SAQ document Library where you can find guidance on all of the SA Q and additional instruction. Now one thing I will mention is that not all of the SA Q are listed here. So we talked about a SA Q.
Jolly Salehy [01:34:58] We kind of set the system up by default using the lowest common denominator and we the PDP is in there just because it's a fairly small one. But if you think you if you think you need an SAQ or need to fill out an SA q that is not listed here.
Jolly Salehy [01:35:21] Let us know and we can set it up for you. We were just trying to keep it a little more simple.
Jolly Salehy [01:35:27] We didn't want to include some of the less common ones and some of the ones we thought were less likely less likely that you would fall into so so SAQ a ATP PPE and then the to sa Q DS are there.
Jolly Salehy [01:35:47] So they're not mutually exclusive you can actually fill out multiple don't do that. But the reason I say that is if you start filling one out and you realize at some point that you're filling out the wrong one or it starts to become obvious that yeah. This doesn't really apply to me. It's not a big deal. You can just go back and start filling out the correct one.
Jolly Salehy [01:36:19] And you know, if you have some that are half finished, it's really not an issue. It's just the one that you submit will be the one that that that we care about.
Jolly Salehy [01:36:32] So from this page, you can select an one of the SA Q to fill out.
Jolly Salehy [01:36:40] So say you please.
Jolly Salehy [01:36:51] Okay. So this is what the actual SAQ looks like. So over on the left and the top section you can kind of see your progress, and the first thing you'll notice is that the submit button is unselectable. It's dimmed out, so you can't actually submit anything until you've answered all of the questions.
Jolly Salehy [01:37:18] And on the left over here, you can see a list of all the requirement categories, and it will show you kind of your progress, or what questions you've answered, in each category. And over here in the main section, it's just a long list of all the requirements, but you can click on one of these guys. Let me kind of expand my screen a little bit.
Jolly Salehy [01:37:49] You can filter based on a particular requirement. You can also do the same thing with this header up here. You can filter by one of the requirements. You can also filter if you just want to see the questions that you've answered or not answered. You can also do that.
Jolly Salehy [01:38:09] So there is no save functionality. Everything is saved as you go. So as you kind of answer these questions,
Jolly Salehy [01:38:20] your progress is saved, and you know, if your machine crashes or anything goes wrong or you accidentally close your browser window, it's not a problem. You can just come right back in and pick up where you left off. So everything is saved as you go.
Jolly Salehy [01:38:40] And back up to the main page. If you've actually filled everything out, then it looks like this.
Jolly Salehy [01:38:54] So you can kind of see that you've answered all the questions. This becomes selectable and you can submit your completed answers. So each question has the responses that Vince talked about. You also have the ability to attach comments or attachments to each answer.
Jolly Salehy [01:39:21] So, for example, if there's a compensating control worksheet or some other attestation that you need to attach, you can do so here. If you need to make a comment, you can also do so.
Jolly Salehy [01:39:38] If you have a question on one of these items, you can use the comments to ask a question, and we'll see those on our end and we can actually get back to you directly via the portal. So we can respond to your question in the portal, but it might be just as fast to send an email. So, I lost my train of thought. Anyway, once you've completed the assessment you can submit it, and we can kind of monitor your progress on our end, so we can see where you are.
Jolly Salehy [01:40:33] Once you submit it, then we'll be able to review the answers, and if there are any discrepancies or if there are any issues with any of the answers, we'll kind of be able to flag those and let you know. Or let you know that, you know, hey, you answered yes with CCW on this question, but there's no compensating control. So we can kind of flag those and let you know that you need to take some further action. But that's pretty much it. It's very straightforward. The hard part is figuring out which SAQ you need to fill out.
Jolly Salehy [01:41:13] So once you've kind of figured that out, then the portal is pretty straightforward from there. You can't really screw anything up. There's nothing really you can do that will cause a problem. If you get yourself into trouble, or even if you accidentally submit but you realize that some of your answers may be incorrect, we can kind of unlock it for you and then you can go back in and fix your answers.
Jolly Salehy [01:41:45] So there's nothing really you can do that will cause a problem or that will break anything. So don't be afraid to kind of hit that submit button. It's not like a one-time thing. So that's pretty much it. It's fairly straightforward. Vince, was there anything else you wanted me to cover?
Vince Fusco [01:42:00] No, I think that's good. I did want to mention, you know.
Vince Fusco [01:42:15] Obviously, we have the treasury support manager. If you have any questions, you know, click that link to Victor. Send him an email, you know, he's going to be pretty well trained up in this with us. So hopefully he can answer some of the more basic questions if it's a question about which SAQ or it's a more in-depth PCI question.
Vince Fusco [01:42:40] He can forward those to us, but he's going to try to handle some of the basic stuff. So, like Jolly said, you can use the comment section and we will see it, but it might just be as efficient to email Victor directly. You know, we will also have this presentation, or Victor's going to have this presentation. He's going to send it out, so you guys can use that as reference. That document library link is invaluable. There's a lot of good little sheets
Vince Fusco [01:43:15] that PCI has put out there to help you guys kind of figure this out. But again, you know, we want to make sure you're doing the right thing and filling out the right SAQ. So don't hesitate to ask a question if you're not quite sure. So yeah, that's pretty much it. Thanks, Jolly. I'm going to go back to the presentation if you want to hand over control.
Vince Fusco [01:43:56] Back to where I was.
Vince Fusco [01:44:04] All right. So the next section is going to be a relatively short little section. We kind of wanted to cover, well, a lot of this stuff we kind of covered already, but some myths about PCI and some of the things that we hear out in the field that we kind of just want to, not debunk, but just kind of clarify, I guess, would be the best word for that. So the first one we see a lot is: one vendor and one
Vince Fusco [01:44:33] next will make us compliant. While there are a lot of vendors out there that kind of promise compliance in a box, and while those vendors do take a lot of the burden off your shoulders, maybe they move you from an SAQ D to an SAQ A, which is great, we love that,
Vince Fusco [01:44:50] there's still some things that you're going to have to do internally, such as policies and procedures. You know, access-control-type things might still be managed internally. So just because they're saying they will make you compliant, they will make some of the hard parts easier on you, but that doesn't mean you're not going to have to do anything at all.
Vince Fusco [01:45:17] I should note that that's as long as you're a merchant of record. Now, there are some products out there like Square, that you see a lot of street vendors use at festivals and food trucks and stuff, these little Square readers. They are a fully compliant solution, but they also have changed the setup
Vince Fusco [01:45:46] a little bit, and then they're the actual merchant of record. So that's how they kind of get around that, and so they're actually handling all the merchant obligations for the vendor, and that would make them compliant. But if you're a merchant, if you have a merchant ID, you're going to have to do at least something. So that kind of covers myth 1 and myth 2. Myth 3: PCI compliance is an IT project. Yes, there
Vince Fusco [01:46:16] are a lot of IT pieces to it, a lot of security pieces, but as we've also mentioned, there's this big legal component. There's an HR component for some larger organizations where they have to do background checks. You know, security is kind of everybody's project, as we like to say as an information security firm. Nobody gets to kind of skirt the security issue.
Vince Fusco [01:46:41] So if your organization takes security seriously, then everyone in the organization should have some part in PCI, whether it's "I'm not part of the cardholder data environment, so I need to take myself out of scope," or, you know, "make sure that I know how to go through the right channels if I do come into contact with cardholder data," and training, that sort of thing. So it's not just an IT project; it's an everyone project.
Vince Fusco [01:47:16] Myth 4: PCI will make us secure. It's not a full-fledged solution to security. It does a really good job of covering a lot of the pieces of security. I think it's a very good one, not just because I am a PCI assessor, but because before I was a PCI assessor I worked with a lot of different compliance requirements and a lot of different compliance areas.
Vince Fusco [01:47:46] You know, SOX, HIPAA, and that sort of thing. I think PCI does a very good job of kind of spelling out in very specific terms what they want from you. So I see sometimes in other compliance areas it just says, you know, the requirement is to make sure your firewall is secure, and it's like, that can mean a lot of things. You know, PCI goes a little bit above and beyond in saying, like, this is how we believe you need to make your firewall secure.
Vince Fusco [01:48:12] So, back to the point, I think PCI does a good job of making you secure, but it only cares about PCI data.
Vince Fusco [01:48:22] So if you want to look at personally identifiable information, PII, it doesn't really, you know... you can apply some of these requirements to PII and that will help your security posture, but it is not a silver bullet by any means. Myth 5: PCI is unreasonable or requires too much. Well, as we've already discussed, it really depends on your scope. If you can lower your scope, it doesn't require much at all.
Vince Fusco [01:48:50] It's not unreasonable, because, you know, if you interact with cardholder data on a very large scale, then they're going to ask a lot from you in security, because it's expensive if a security breach happens. So it's not unreasonable if you're going to be handling large amounts of cardholder data. If you're not, you know, your scope can be lower and it is very reasonable. Myth 6: "not tested" means not in scope. We've already covered that. That's just not an answer I like to see at all. That just means you've ignored the requirements. So I think we just don't do not tested, and that does not mean it's not in scope. Not applicable generally means it's not in scope. So that's what we will stick with. Myth 7: we don't take enough cards to require compliance.
Vince Fusco [01:49:38] That's completely false. If you take one card once a year, you still have some compliance burden. Now, the bank is probably not knocking down your door for your compliance reporting, but technically, by the standard, you do have compliance requirements. Myth 8: we've completed an SAQ, so we're compliant. That's kind of a half-truth. If you completed an SAQ, the correct SAQ, and you filled it out correct-
Vince Fusco [01:50:09] ly, then you're compliant, meaning that you've marked everything with a yes or an N/A. You can be noted as compliant. But if you just filled out an SAQ and you've marked nos or marked not tested, you are not going to be compliant, and your processor, whomever is asking for your compliance reporting, is going to note that real quick. You'll find out. Myth 9: PCI makes us store cardholder data.
Vince Fusco [01:50:39] No, I've never seen that. In fact, they're so far the opposite. They want as few entities storing cardholder data as possible. I think in PCI's perfect utopia they would love it if five service providers stored all the cardholder data, so they only have to track five service providers. To that extent, you know, that's not the reality, but it's definitely not the case that they want you to store cardholder data.
Vince Fusco [01:51:07] They want the exact opposite. They want you to find a vendor who has been validated at storing cardholder data and utilize them if it's necessary. And myth 10: PCI is too hard. It is not too hard. That goes kind of back with myth 5, where it's saying it's unreasonable. You know, if you're doing it with low scope and you're doing it efficiently, it can be very easy, especially after the first year.
Vince Fusco [01:51:36] I tell a lot of clients that that first compliance year is the toughest, because that's when you have to get everything kind of organized, and then you kind of can put it into a program management system, saying, okay, well, after that first year all we need to do is make sure we get our scans done on a schedule, make sure our policies are updated annually, and then, you know, it's pretty easy, as long as you're not changing stuff a lot.
Vince Fusco [01:52:06] But that first year can be a little tough, getting all the program
Vince Fusco [01:52:09] all set up. But after that, you know, it's a pretty easy compliance objective, especially if you have a low scope. If you're an SAQ A type of merchant, it's pretty easy to continually work through. All right. So for our final slide, I'm going to hand it over to Kayna, who's going to kind of talk directly about some of the work that True Digital does with the state and how you guys can work with us as we kind of work through this process. After this slide,
Vince Fusco [01:52:47] We're going to kind of move more into questions if you guys have any. So Kayna if you are ready you can start whenever.
Kayna Kelley [01:52:57] All right. I am ready. Thank you, Vince. My name is Kayna Kelley, and I'm the account manager at True for all of our state agencies, and I also manage our statewide contracts. If any of you are feeling overwhelmed and you still have questions about your PCI requirements, do not worry. The treasurer's office has secured some True consulting time for agencies in your shoes.
Kayna Kelley [01:53:17] So if you would like to schedule an advisory session with True at no cost to your agency, please reach out to Victor Castillo at the treasurer's office. He will be scheduling these sessions and allocating time between the agencies. We really encourage you to take advantage of these sessions. Let us help you with compliance and make sure that you've selected the right SAQ and you are responding correctly based on your environment.
Kayna Kelley [01:53:47] True has two statewide contracts. We have SW 1042, and we also have a OneNet managed contract, if you are needing other support for PCI. In particular, we can do SAQ assessments, ASV scanning, PCI pen testing, policy development, and other consulting. We've also been very busy lately with SB 584 audits. If you have an upcoming audit due and are looking for someone to perform that service for you, we are here to
Kayna Kelley [01:54:15] help. We want to help you reach your security and compliance goals. And if we can help you out, please reach out to me. You already have Victor's contact information.
Kayna Kelley [01:54:26] You saw it's pasted in the portal and within the communication for this particular training session as well. And I think my information is listed on the next slide of this presentation. So we appreciate your time today, and now I'm going to turn it back over to Vince.
Vince Fusco [01:54:52] All right. Thanks, Kayna. Click that over. So there's your contacts.
Vince Fusco [01:54:54] So as a frontline contact, we'd like you to go through Victor so that he can kind of work with you guys directly. Obviously, like Kayna has stated, if there's a bigger issue or you would like to secure some time directly with us to talk through some of this stuff and help you guys work through any issues,
Vince Fusco [01:55:15] you can work through Victor, who can help schedule that. If your state agency has other issues outside of PCI, or you have some curiosities about what else True Digital can provide or has provided for state contracts, you can contact her directly. We put another link to the PCI documentation here and another link to our website, where you can read some of our blogs and things. We try to keep that up to date. You know, there's a lot of news and a lot of security stuff coming out constantly, so we try to keep our ear to the ground, and Jenna, who you heard earlier, is one of our more prolific bloggers. So I'm sure you can read some of her stuff on there too if you'd like.
Vince Fusco [01:56:00] Right now, you know with some of the extra time that we have. I'd like to open it up to questions. If anybody has some I don't mind getting into like some specific scenarios if it's very detailed and you think it's going to take a longer conversation. Maybe we can hold off and work through that offline. If not, no. All right. I'll just answer these questions.
Vince Fusco [01:56:30] As we see them. Okay, the first one, from Christopher Gay: if we have multiple ways to take card information, should we just default to SAQ D? Yes, but as I mentioned earlier, go ahead and take a look at the card data flow. So as an example, if you have an SAQ A and maybe an SAQ B, look at those requirements and you can just fill out the requirements from A and
Vince Fusco [01:57:00] B, and then mark everything else in the SAQ D as not applicable. That is a fully acceptable solution. That's actually the way that PCI would like you to fill out SAQ Ds if you have multiple card flows.
Vince Fusco [01:57:15] Some processors would like you to fill out a separate SAQ for each card flow. I don't see that very often. Most of them are fine with just the one SAQ D. As we talked about earlier, if you are having issues kind of defining which requirements you should be marking not applicable,
Vince Fusco [01:57:40] you can always, kind of... I just like to do a little cross section.
Vince Fusco [01:57:47] So hopefully that answered your question.
Vince Fusco [01:57:51] Next question, from Bob Richardson: what are the requirements for card numbers sent in by clients, included with permit applications? I'm assuming you're talking about mail-in applications. So for physical storage, that's generally, you know, before you process the card data. So in the common scenario, you know, you receive the mail.
Vince Fusco [01:58:18] Maybe you don't perform all the transactions right when you get the mail, so you have to store the mail somewhere. So typically a safe is good. An electronic safe is even better, with like a little PIN pad so that you can manage different access codes, but making sure that only the people who need access to that have access, making sure it's stored
Vince Fusco [01:58:48] safely until the transaction is completed. Once the transaction is completed, those physical card forms should be destroyed, as Dennis said: shredded, pulped, or that sort of thing. So, short answer: store securely until you perform the transaction, and then securely get rid of the forms as needed.
Vince Fusco [01:59:18] Next question: who will be responsible for purchase card transactions? I'm not sure what a purchase card transaction is, so I will need clarification on that.
Vince Fusco [01:59:36] If that's like a if that is another agency or another, you know, whomever that might be a good might be a good question for Victor. That's more of an internal question.
Vince Fusco [01:59:58] one else questions. It's perched harder usually internet corporate cards for state if they are cards that state employees are using for expenses or that sort of thing that does not cut that is not count in the PCI world. So that's a key distinction to make and I'm glad I got brought up actually, so in the corporate world, you know, it's the cards that you take as a merchant that means to pay for the goods and services you offer Jenna mention, you know.
Vince Fusco [02:00:34] Tickets, you know bills for water and electricity of that sort of thing. That's all that's all part of the merchant transaction for corporate accounts for expenses. That's just that's just if you were to you know me as a person. I'm not I'm not responsible for PCI compliance for my debit card. And that's kind of the same way. It should be treated for corporate or expense cards.
Vince Fusco [02:01:02] So hopefully that answers your questions. So you don't have any PCI compliance obligations for cars that you're using to purchase goods or services, you know, that's just you know, however, however the government and the state government wants to handle security of access to those cards, but there's no PCI compliance obligation in that Realm.
Vince Fusco [02:01:31] anything else the questions obviously, if you're if you're kind of you might you might be overwhelmed by the material or you know, this this webinar is being recorded So and we're going to give Victor a link to share out to that if you can want to go back and if you if you need some help and if you want to go back and review some of the material and you have questions later, you know, obviously we can answer those down the line as well because I know it's a lot of information we Cover a lot of a lot of the stuff from beginning to end for PCI. We want to make sure we are thorough as possible. So obviously they might be some questions later on or if you're you know, you jump into the portal and you're like, I forgot all this stuff and I don't remember and I can't I can't quite recall, you know send an email to Victor and we can do things like that.
Vince Fusco [02:02:28] All right. Oh, it's about 12 o'clock. So maybe give a couple more minutes for questions again, you know, we have a bunch of resources here to help you guys. We've worked with a lot of state agencies in the past. So we're very familiar with the most common setups. I tried not to get too specific because I know there's a lot of you guys out there that are that we haven't worked.
Vince Fusco [02:02:58] And so, you know, I haven't seen everything so I'm not gonna to claim everything but I wanted to make sure that we're kind of touched on the most broad pieces of PCI today. So doesn't look like there's any more questions coming in. So I'm going to go ahead and close this out again. You should you should see some follow-up information from Victor some login credentials for the portal.
Vince Fusco [02:03:29] As well as a link to this this webinar and the presentation itself, and hopefully we can get you guys through this quickly and painless as possible and hope everybody's staying safe out there and look forward to working with you guys. Everyone has a good rest of your day. Thank you.