All Northwestern University departments that accept credit/debit card payments are considered merchant locations and must process those payments in a secure manner. It is the responsibility of each merchant location to maintain compliance with the NU Merchant Card Processing Policy and the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC).
Treasury Operations is a central e-commerce administrator and compliance resource for Northwestern University merchant locations. All Northwestern University merchant locations must participate in Northwestern University’s PCI training program and compliance initiatives. Failure to fully participate may result in the merchant account being revoked.
Northwestern’s PCI DSS Compliance Program addresses requirements of the PCI SSC, including:
Per PCI DSS requirement 12.6, Northwestern University requires all Northwestern merchant location personnel interacting with the Cardholder Data Environment (CDE) in any manner (from the initial entry to the final reconciliation) to complete an annual training and attestation. This mandatory requirement includes student employees, contractors and volunteers.
Employees and others with myHR access should complete the myHR course "PCI DSS: Payment Card Data Security".
Volunteers and those without myHR access should complete this training at: https://sites.northwestern.edu/pcidss/
Merchant location personnel should also read and understand the Northwestern PCI DSS Compliance Policy.
Treasury Operations may require individual or group participation in additional PCI security awareness education training as needed.
NU merchant locations and their representatives, including vendors and other third-party service providers (TPSPs), may not enter into legally binding agreements with any TPSP that processes or handles cardholder data (CHD), or that interacts in any other way with the Cardholder Data Environment (CDE), until the agreement has been vetted and approved by the appropriate NU offices, including but not limited to Treasury Operations, NU IT Security and Compliance, the NU Office of General Counsel and NU Purchasing. All agreements with TPSPs must include specific PCI DSS responsibility and liability shift language.
Merchants with non-P2PE, on-campus payment systems connected to the Internet are required to run vulnerability scans against their systems. Northwestern University’s contract with Trustwave includes external vulnerability scans that are scheduled on the TrustKeeper Portal; scan reports are posted on the TrustKeeper Portal as well. It is the responsibility of the Merchant to review the scans and address any vulnerabilities that have been identified. Failure to address identified vulnerabilities can result in the Merchant location, as well as the entire University, falling out of compliance. Merchants with PCI-validated P2PE payment systems are not required to run scans.
Northwestern University is now a PCI Level 3 Merchant based on its recent card processing volume, and NU merchants with non-P2PE, on-campus payment systems connected to the Internet are now required to have internal penetration testing performed at least quarterly. Since this service is not currently part of our Trustwave contract, arrangements need to be made by e-Commerce Operations and NU IT Security and Compliance, coordinated with merchant onsite administrators and IT staff. Failure to cooperate with this mandatory requirement may result in your merchant account being revoked. Merchants with PCI-validated P2PE payment systems are not required to run penetration tests.
Treasury Operations and Northwestern’s PCI DSS partners or consultants may perform periodic reviews or audits of merchant location operations to ensure that merchants comply with PCI DSS and the University's risk is reduced. Failure to cooperate with such activities may result in merchant account usage being revoked.
Merchant locations should also routinely review their procedures and equipment, including physically inspecting card processing equipment to ensure devices have not been substituted or tampered with. The Merchant Location Device Inspection Checklist can be used for these inspections.
Please contact ccard@northwestern.edu with questions or to request assistance.
All Northwestern University merchant locations are required to validate PCI-DSS compliance at least annually by completing the appropriate SAQ in a timely manner. A questionnaire must be completed for each Merchant account, and a new questionnaire must be filled out whenever any of the following have occurred:
The SAQ should be completed through the TrustKeeper Portal which is available in the CardConnect CardPointe gateway.
There are 8 types of SAQ. Treasury Operations or Arrow Payments can help determine which type is required for your merchant location environment:
SAQ Type | Type of Payment System |
---|---|
SAQ A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. |
SAQ A-EP | Card-not-present, e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels. |
SAQ B | Merchants using only imprint machines with no electronic cardholder data storage and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
SAQ B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
SAQ C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. |
SAQ C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based Virtual Terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
SAQ D | All other SAQ-Eligible Merchants |
SAQ P2PE-HW | Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
Postal Center International (PCI), the leading print, mail, fulfillment, signs and marketing solutions partner, announced that several important implemented platforms have been recertified for information security through 2024 by HITRUST.
HITRUST Risk-based, 2-year (r2) Certified status demonstrates that the Company’s Information Technology infrastructure and workflow processes have met key regulations and industry-defined requirements and are appropriately managing risk. This achievement places PCI in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
“Our organization works to ensure compliance with our HITRUST certification,” said Brian McGrath, Chief Information Officer, Postal Center International. “We have been consistently and steadily improving our overall security posture to ensure we align with the needs of our enterprise clients, operating in regulated industries such as healthcare and financial services. Over the past several years, we have made substantial investments in all information security domains and have plans to continue to prioritize improvements in our Information Security Program.”
“PCI is continuously investing in certifications that align our strategic goals with our clients’ needs,” said Ismael Diaz, President, Postal Center International. “We are pleased to demonstrate to our enterprise clients the highest data protection and information security standards by achieving HITRUST Risk-based, 2-year Certification, once again.”
“The HITRUST Assurance Program is the most rigorous available, consisting of a multitude of quality assurance checks, both automated and manual,” said Bimal Sheth, Executive Vice President, Standards Development & Assurance Operations, HITRUST. “The fact that PCI has achieved HITRUST Risk-based, 2-year Certification attests to the high quality of their information risk management and compliance program.”
The preceding press release was provided by a company unaffiliated with Printing Impressions. The views expressed within do not directly reflect the thoughts or opinions of the staff of Printing Impressions.
The majority of applications in recent years have moved to the cloud, mostly from necessity: the necessity to ensure remote employees can access required tools and companies can stay competitive and agile. With analyst firm Gartner predicting that more than 95% of new cloud workloads will be deployed on cloud-native platforms by 2025, up from 30% in 2021, it is clear that cloud apps and platforms are here to stay.
A few decades earlier, when I was coding, the codebases I worked on were made of code predominantly developed by myself and my team. But there has been a shift: the average application now consists of roughly 75% open-source components. Access to open-source software (OSS) has been central to the agile, cloud-native way of development. It lets developers build with greater speed and modularity, without needing to reinvent the wheel each time they code. Unfortunately, incidents such as the Log4Shell vulnerability in Log4j and the Equifax breach (which exploited a known, unpatched Apache Struts vulnerability) have taught us that widely used open-source components often carry known vulnerabilities that remain exploitable until every application that depends on them is patched.
Make open-source security a priority
Attackers are increasingly looking at code as a way to penetrate digital environments. Targeting open-source software appeals to bad actors because exploiting a single vulnerability in a widely used component can have widespread repercussions: one OSS vulnerability can impact millions of users across hundreds of companies. Log4j, for example, had been downloaded millions of times around the globe before the Log4Shell vulnerability surfaced, and it inevitably became every security team’s nightmare.
The Biden administration has since acted to address open-source software risk, issuing Executive Order 14028 and follow-on guidance under which software producers working with federal agencies must be able to provide a software bill of materials (SBOM), so that agencies can inventory the components in the software they deploy and check those components against known vulnerabilities.
Log4Shell showed the scale of exposure that a single vulnerable open-source component can create, and because we rely so heavily on OSS today, we need to ensure it is properly secured. As security professionals, we must equip developers with security tooling that lets them build applications with speed and confidence.
Why existing approaches to open-source security fall short
While software composition analysis (SCA) tools shift security left to scan for known vulnerabilities throughout the application lifecycle, many are point tools that lack the capacity to handle the interconnectedness and complexity of cloud-native applications. This can lead to costly remediation and delays in application deployment. And even if teams could sift through security findings to prioritize vulnerabilities, they’d still have an incomplete view of their open-source risks because many SCA solutions lack the depth of scanning to uncover all open-source risks.
There’s a major disconnect between developers integrating OSS into codebases and security teams trying to find and prevent vulnerabilities. OSS has become so widespread and complex that developers find even determining what OSS exists in a codebase a steep challenge.
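The disconnect above starts with not knowing what is in the codebase. As an added example (not code from the article or from Palo Alto Networks), the script below takes an SBOM in the CycloneDX JSON shape, builds an inventory of components from their package URLs (purls), and flags any component whose version falls inside a known-vulnerable range. The SBOM document and the advisory table are constructed inline for illustration: the advisory entries name real CVEs but cover only the version branch present in the sample, so a real pipeline would load the SBOM emitted by the build and query a live vulnerability database rather than this hand-written snapshot.

```python
"""
Added example: inventory the open-source components listed in a
CycloneDX-style SBOM and flag versions inside a known-vulnerable range.
The SBOM and the advisory table below are constructed for illustration.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM fragment in the CycloneDX JSON shape. A purl identifies a
# package by ecosystem/namespace/name@version, so it doubles as our inventory key.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "struts2-core",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.10"},
        {"type": "library", "name": "jackson-databind",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ],
})

# Simplified advisory snapshot: (purl without version, CVE, first affected,
# first fixed). Illustrative only and limited to the branch in the sample;
# consult the vendor advisory / NVD for authoritative ranges.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "CVE-2021-44228", "2.0", "2.15.0"),
    ("pkg:maven/org.apache.struts/struts2-core", "CVE-2017-5638", "2.5", "2.5.10.1"),
]


def version_key(version: str) -> List[Tuple[int, object]]:
    """Split a version into comparable parts; numeric parts sort after
    pre-release tags such as 'beta9' so that 2.0-beta9 < 2.0."""
    parts = re.split(r"[.\-]", version)
    return [(1, int(p)) if p.isdigit() else (0, p) for p in parts]


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(1, 0)] * (width - len(ka))   # pad: 2.5 == 2.5.0
    kb += [(1, 0)] * (width - len(kb))
    return ka < kb


def inventory(sbom_json: str) -> List[Tuple[str, str]]:
    """Return (purl-without-version, version) for every component with a purl."""
    doc = json.loads(sbom_json)
    found = []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl or "@" not in purl:
            continue   # no version pinned: cannot match against a range
        base, _, version = purl.rpartition("@")
        # Drop purl qualifiers ("?...") and subpath ("#...") if present.
        version = version.split("?", 1)[0].split("#", 1)[0]
        found.append((base, version))
    return found


def find_vulnerable(sbom_json: str) -> List[Dict[str, str]]:
    """Match each inventoried component against the advisory ranges
    [first_affected, first_fixed) and return the hits."""
    findings = []
    for base, version in inventory(sbom_json):
        for adv_base, cve, first_affected, first_fixed in ADVISORIES:
            if base != adv_base:
                continue
            if not version_lt(version, first_affected) and version_lt(version, first_fixed):
                findings.append({"component": base, "version": version,
                                 "cve": cve, "fixed_in": first_fixed})
    return findings


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_SBOM):
        print(f"{hit['component']}@{hit['version']}: {hit['cve']} (fixed in {hit['fixed_in']})")
```

Run against the constructed SBOM, the script reports log4j-core 2.14.1 and struts2-core 2.5.10 and stays silent on log4j-core 2.17.1 and jackson-databind, which is the point: the same component name appears twice, and only a version-aware inventory tells the vulnerable copy from the patched one. The comparison pads short versions so that 2.5 and 2.5.0 compare equal, and sorts pre-release tags before numeric parts; ecosystems with their own version grammar (Maven qualifiers, Python PEP 440, semver build metadata) need the ecosystem's own comparator in place of this simplified one.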
Implement true code security
To overcome these challenges, organizations can follow a few best practices to ensure true code security:
Open-source software has become essential for application development, but if there’s one lesson to take away, it’s that securing OSS has become more critical than ever as cloud-native applications have grown more popular and complex. By leveraging a consolidated approach that offers a holistic and continuous view of the application development lifecycle, organizations can achieve true code security and prevent OSS vulnerabilities from the start of development.
Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks
The PCI Security Standards Council (PCI SSC) has published a new standard designed to improve the security of mobile-based payments and ease compliance efforts.
The council, a cross-industry payment card group responsible for the ubiquitous PCI DSS standard, said the launch recognizes the different security requirements for regular versus mobile payments.
Its new standard, Mobile Payments on COTS (MPoC), builds on existing standards that cover solutions enabling merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device. These standards are known as PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC).
MPoC combines the two by including PIN and contactless entry on the same COTS device. It’s designed to be a more flexible, modular standard supporting different types of payment acceptance channels and consumer verification methods on COTS devices.
“As the payment acceptance landscape continues to grow, merchants, vendors, and solution providers are seeking new ways to accept and process payments,” said Emma Sutcliffe, SVP standards officer at the PCI SSC.
“The PCI MPoC Standard recognizes that there are different ways in which a card-based payment may be accepted in face-to-face environments through the use of COTS products, such as mobile phones and tablets.”
Compliance with the standard should be relatively straightforward to those familiar with PCI SPoC and PCI CPoC, as many of the requirements are the same, the PCI SSC said.
MPoC has also been designed to separate the ‘technical’ or ‘development’ elements from the ‘operational,’ enabling the standard to evolve to address market needs more seamlessly, it added.
This is often a criticism of standards in the technology and security space – that they fail to keep pace with the speed of innovation in the market.
The announcement will be of interest to both vendors of card present payment acceptance technologies and the acquirers and merchants which buy and deploy the solutions.
“It’s hard to say what the future of payments will be, but we know that payments can’t be a one-size-fits-all,” said Andrew Jamieson, VP of solutions at the PCI SSC.
“At the council, we want to allow for innovation, flexibility, and agility in how our standards address these new payment acceptance methods. At the same time, this innovation needs to support a sufficient level of security that allows for the confidence in these solutions that is required for their broad adoption.”
Led by Google Pay and Apple Pay, use of mobile wallets surged during the pandemic, according to the US National Retail Federation (NRF).
Today the PCI Security Standards Council (PCI SSC) published a new standard designed to support the evolution of mobile payment acceptance solutions.
PCI MPoC is a new, flexible mobile standard and program for payment solution development. It provides a modular, objective-based, security standard that supports various types of payment acceptance channels and consumer verification methods on COTS devices. PCI MPoC combines many of the aspects of the existing PCI SPoC and PCI CPoC standards, primarily by including the entry of both PIN and contactless cardholder data on the same COTS device.
“As the payment acceptance landscape continues to grow, merchants, vendors, and solution providers are seeking new ways to accept and process payments,” said Emma Sutcliffe, SVP Standards Officer, PCI SSC. “The PCI MPoC Standard recognizes that there are different ways in which a card-based payment may be accepted in face-to-face environments through the use of commercial off-the-shelf (COTS) products, such as mobile phones and tablets.”
Many of the requirements within the standard will be familiar to those who were already working with the existing PCI SPoC and PCI CPoC standards; however, MPoC is structured to provide a separation of the ‘technical’ or ‘development’ aspects from the ‘operational’ aspects. This allows for MPoC to add flexibility by creating the ability to address market needs which may otherwise have been infeasible under existing PCI SPoC or PCI CPoC programs.
“It’s hard to say what the future of payments will be, but we know that payments can’t be a one-size-fits-all. There will continue to be a place for dedicated payment terminals, but increasingly there is a place for other types of solutions as well,” said Andrew Jamieson, Vice President Solutions, PCI SSC. “At the Council, we want to allow for innovation, flexibility, and agility in how our standards address these new payment acceptance methods. At the same time, this innovation needs to support a sufficient level of security that allows for the confidence in these solutions that is required for their broad adoption. It is the goal of MPoC to strike this balance.”
Vendors of card present payment acceptance technologies and solutions will be interested in the PCI MPoC standard as it may provide new types of solutions for them to address in their markets. Similarly, entities who deploy or use terminals - acquirers and merchants - may be interested to see what controls are put into place to secure the technologies they may well be using next year and into the future.
The PCI MPoC Standard was developed with input from the global payments industry over two Request for Comments (RFC) periods this year, yielding approximately 900 pieces of feedback from 37 companies. The RFCs provided insight into how the market may seek to use COTS-based payment acceptance solutions, and these comments were adopted into the standard, materially affecting the requirements and how they are to be assessed.
The PCI MPoC Standard is now available in the Document Library on the PCI SSC website. The PCI MPoC Program Guide is expected to be published in the coming months.
Long time payment security expert to lead Asia-Pacific efforts for the PCI SSC
WAKEFIELD, Mass., Nov. 7, 2022 /PRNewswire/ -- The PCI Security Standards Council, a global standards body for the payment card industry, has announced Yew Kuann Cheng as the new Regional Vice President for Asia-Pacific. This role will seek to expand outreach efforts to educate and promote the importance of the PCI Security Standards throughout the region.
Yew Kuann will serve as Regional Vice President and will be responsible for driving adoption of the PCI Security Standards for payment security throughout Asia-Pacific. Based in Singapore, Yew Kuann will serve as the senior representative and relationship manager for the PCI SSC in Asia Pacific. In this new role he will help to drive awareness and growth of the Council with an emphasis on educating stakeholders on the importance of data security for payments, growing participation, and supporting the adoption of PCI SSC standards within the AP region.
"Yew Kuann brings a unique set of skills and knowledge to the PCI SSC and we are excited to have him join the PCI family," said Lance Johnson, Executive Director of the PCI Security Standards Council. "Yew Kuann will play a key role in our continued focus on Asia-Pacific as a priority region for payment security."
"I am thrilled to tackle this new challenge and look forward to working with payment industry stakeholders throughout the region," said Yew Kuann Cheng. "My background in payments, fraud risk management and compliance, and my passion for security can help organizations understand the importance of what the PCI SSC does and why it matters. We all need to be working together to combat the threats that are out there today."
Yew Kuann holds a Bachelor's degree in Computing from Monash University in Australia. He spent 15 years as the Senior Director, Risk Strategy and Operations in Asia-Pacific for Visa.
Yew Kuann is a resident of Singapore and enjoys spending time with his family, exercising and walking his dogs.
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible, and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.
SOURCE PCI Security Standards Council