This is the last in our series on the Path to PCI compliance. First, if you've made it this far...thank you! If you haven't read the previous blogs, you can start with the first one here. Taken altogether, sometimes it's hard to see the forest for the trees, and the path to PCI compliance becomes overgrown and overwhelming. Let’s review exactly what steps you need to take in order to successfully navigate PCI compliance with NISC card payment solutions. At the risk of oversimplifying, here is a quick breakdown of the steps. First, we discussed that PCI-DSS is shorthand for Payment Card Industry Data Security Standard, a set of standard security practices put in place to ensure that the acceptance of credit card payments, along with the processing, storage and transmission of credit card data, is done in a secure manner. Second, we discussed the 12 PCI requirements that help you control the size and scope of your cardholder data environment, or CDE. Third, we discussed the Self-Assessment Questionnaire, or SAQ. The SAQ is a questionnaire for you to fill out based on your own assessment of how well you are abiding by the 12 PCI-DSS requirements. Your answers to the SAQ become your Attestation of Compliance, or AOC. Finally, keep on keeping on. Do not submit your SAQ and think you are finished for the next 365 days. Many of the requirements fall under what the PCI Security Standards Council has called "business as usual" and sometimes require daily attention. PCI compliance is complicated, if only because many of the requirements necessitate a change in how we do business, not to mention the certain skill required to understand many of the [...]
Welcome to installment number four on the path to PCI compliance. Previously, we reviewed the 12 PCI requirements, discussed the SAQ and AOC, and explained how different card payment solutions affect which SAQ you should follow. By way of a reminder, SAQ is the Self-Assessment Questionnaire and AOC is the Attestation of Compliance, which are one and the same form. Today we’ll explain how you can submit your SAQ and AOC to your card processor. The SAQ and AOC must be submitted on an annual basis. The due date will coincide with the month in which you originally submitted your first SAQ. Of course, many of the requirements have much shorter time intervals, which require you to continually track and manage the controls that are in place. There are several ways to submit your SAQ and AOC. For NISC Members, the SAQ and AOC are submitted through First Data, which provides three main methods of submission. You may recall how we compared the PCI-DSS process to the April 15 Federal tax submission - same thing here. You can "e-file" using First Data's free Clover Security Portal, which is by far the simplest and most efficient. You can also download, print and email or snail-mail the SAQ and AOC documents. Or, you can hire a Qualified Security Auditor (QSA), just like you would hire a tax advisor, who can submit it for you, or at least help you fill out the necessary paperwork to "e-file" or manually submit it to First Data. Each approach has its benefits. With level 3 and level 4 merchants – every NISC Member falls into one of those two levels - all that is required is the SAQ and AOC. Hiring a QSA to assist in the [...]
This is the third part in a series on the path to PCI compliance. Previously, we covered scope and the 12 PCI-DSS requirements. In this part, we will discuss the Self-Assessment Questionnaire, or SAQ, and the Attestation of Compliance. We’ll also review how to determine which version of the SAQ you need to fill out. The SAQ is a questionnaire for you to fill out based on your own assessment of how well you are abiding by the 12 PCI-DSS requirements. Your answers to the SAQ become your Attestation of Compliance, or AOC. The aim of the PCI-DSS SAQ and AOC (wow - lots of acronyms there) is to secure card data. In the case of a data breach, or a suspected data breach, in which you are allegedly the source of the breach, you will need to prove - with certainty - that you not only kept to the PCI-DSS requirements, but that you also had no lapses in control. Let’s start by explaining what you can't do when answering questions in the SAQ. You cannot answer 'no' to any question and pass. That is not possible*. For the most part, and generally with very few exceptions, for you to be in compliance you will answer 'yes' or 'n/a.' And with every 'n/a' you must have an acceptable explanation of non-applicability. The acquirer - First Data for NISC Members - decides what is acceptable and what is not. They are also the judge and jury for which SAQ you should fill out. There are several different SAQs, and exactly how the card data is captured and processed determines which SAQ you need to fill out. The SAQs vary from SAQ A, with 22 responses, to [...]
The Path to PCI Compliance – The PCI Requirements
Welcome back to the Path to PCI Compliance. In part one of this series we outlined the very high-level path for attaining and maintaining PCI compliance. With that in mind, let's take a quick run through exactly what the Payment Card Industry Data Security Standard (PCI-DSS) expects of you in order to be compliant. Scope. This is a word that gets included in nearly every conversation about PCI. If it isn't, it should be. What is scope? Here is the official definition: The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. The PCI-DSS gets pretty technical, so let’s define this a bit further. One of the keys to this definition is "cardholder data environment," or CDE. The CDE is anywhere a credit card number can be found. If it is stored on a server (think scanned Vault images, tape and disc backups, or call recordings), that server is in scope. If it travels unencrypted across a network segment, that network segment is in scope – including the firewall that controls network access. If a keyboard is used to key in a card number, that keyboard and computer are in scope. All of these in-scope components need to be protected. We protect in-scope components by way of network segmentation, encryption and restricting access. One early objective of the PCI-DSS is to narrow the scope of the CDE as much as reasonably [...]
Though NISC has always aimed to have a small-company feel, there’s no doubt that we are growing, and our Membership is growing as well. Though each of our four offices is based in the midwestern United States, we represent Members in all 50 states, as well as American Samoa, Canada and Palau. It’s incredible to see how we’ve expanded to become a true international organization over the course of our 50-year history. Kaua’i Island Utility Cooperative (KIUC) has been an NISC Member for 15 years. In contrast to the scenery surrounding NISC’s offices, KIUC is engulfed by palm trees and lush greens – an oasis among oases. For Maile Alfiler, manager of Member Services for KIUC, it’s a scene all too familiar, as she was born and raised on the beautiful island of Kaua’i in Hawaii. Despite a five-hour time difference, Maile said receiving support and help from NISC has never been an issue for the co-op. “It’s been a really fluid process managing the time difference,” Maile said. “We certainly prioritize and decide what can wait until the next morning, and what needs to be done now. But the after-hours support at NISC has been readily available to us. In the beginning when we first went live, we were using the after-hours support a lot, but now, not so much.” Just before becoming an NISC Member in 2003, Kaua’i Electric, as KIUC was formerly known, went up for sale with much uncertainty as to what was ahead. “I’ve been working here for 29 years,” Maile said. “We used to be a for-profit owned by Citizens Utilities. Kaua’i Electric went up for sale with the intent for it to become purely a telecommunications company, divesting its [...]
Hello and welcome to the first in a five-part series of blog posts on the topic of PCI-DSS. PCI-DSS is the shorthand for Payment Card Industry Data Security Standard, which is a set of standard security practices put in place to ensure that the acceptance of credit card payments, along with the processing, storage and transmission of credit card data, is done in a secure manner. This series of blogs is meant to help provide some insight on PCI and to help you navigate the path to PCI compliance.
As NISC celebrates 50 years, we celebrate the people who built us – our Members and employees. In that same spirit, it is new minds, ideas and innovations that will usher us into the next 50 years. To commemorate our 50th, NISC’s employees invested in that future workforce through our “Giving 50@50” campaign, and today we’re seeing the tangible ways those funds are changing lives. The Foundation for Rural Service (FRS) was one organization that received “Giving 50@50” funds. Dedicated to providing educational resources and enhancing the lives of rural Americans, FRS provides grants to rural communities and scholarships for rural youth, encouraging them to build up their communities. Oftentimes, receiving a scholarship can be the deciding factor in whether students are able to afford college. Earlier this month, FRS hosted another successful Youth Tour in Washington, D.C., where high school students from across rural America traveled to our nation’s capital to learn about rural telecommunications and to tell their community’s story. Students are sponsored by an NTCA member and are often chosen for their work ethic and success in school. With the funds raised by NISC, FRS was able to honor students across the country for their commitment to leadership and service. FRS recognized five outstanding students with the NISC Leadership and Service Award and a $100 prize. These students were voted on by Youth Tour chaperones and were chosen for showcasing inclusion, kindness and service to others throughout the week. There were also 10 honorable mentions who received $25. “We can’t thank NISC enough for their support of FRS and our mission,” said FRS Executive Director Jessica Golden. “The Youth Tour is an incredible experience for these students, and we were [...]
Each spring, Arbor Day is observed to celebrate trees and encourage tree planting. Many communities around the world gather on this day to plant trees and take care of their parks. At the Arbor Day celebration in the new Co-op Park in Shawano, Wis., NISC was awarded the 2018 Commercial ‘Nature’s Friend Award’ by the Shawano Tree Advisory Board for its outstanding property. The facility features a well-manicured lot and an abundance of trees. The Mayor and City Forester of Shawano were pleased with NISC’s mindfulness of nature during the construction of the facility. “We look for outstanding properties, with trees that are taken care of,” said Tree Advisory Committee Chairman Bill Erdmann in explaining how the winners are chosen. NISC employees also appreciate the trees that surround the property. “I especially appreciate the trees in our lot when I sit out on the back patio during lunch,” said NISC Lead Senior Technical Systems Specialist Rich Lemons. “They offer a sense of privacy and a nice escape from nearby traffic. I also enjoy the beautiful scenery and watching the animals, including birds, squirrels, and even an occasional muskrat.” The City of Shawano was given $160,000 by United Cooperative to create Co-op Park, and with the support and donations of other members in the community – like Belmark Inc. and the Shawano Rotary – the park will be undergoing many additions this summer, including a playground as well as a bike path that will connect the park to the adjacent Mountain Bay Trail. “It’s an example of how people in this community work together,” said Park and Recreation Director Matt Hendricks. Like the City of Shawano, NISC truly works together for sustainable development [...]
You don't use a slide rule anymore. Why would you only look at your distribution system using monthly usage data? With NISC Operations Analytics (OA), learn how to leverage interval readings to better manage your distribution system.
Utility broadband is an important topic in the industry, and questions surrounding the rollout and adoption, among other aspects of the technology, are at the forefront of many minds in the utility industry. Perhaps nowhere more so than among the Boards of Directors at utility cooperatives across the country.