
Page 1: PCI Compliance Higher Education - Northwestern University · PCI Non Compliance Implications Members receive “Safe Harbor” for merchants that have been compromised but found to

© Copyright 2006 AmbironTrustWave Confidential

Donnie Otterness

PCI Compliance in Higher Education

Page 2

Agenda

• The Problem
  — Challenges for Higher Ed
  — Confidential Information
  — History of PCI
  — Who does it apply to?
  — What does it require?
  — The PCI Data Security Standard
  — Costs of non-compliance

• Roles and Responsibilities

• Best Practices

Page 3

The Problem

“Since January, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide… Colleges accounted for…roughly 30% of computer security breaches reported in the media last year, according to ChoicePoint, a consumer data-collecting firm in Georgia.”

Doan, Lynn. "College Door Ajar for Online Criminals." Los Angeles Times 30 May 2006. 5 June 2006 <http://www.latimes.com/technology/la-me-hacks30may30,0,1085392.story?coll=la-home-headlines>.

Page 4

Higher Ed’s Security Challenges

• Commitment to open networks
  — To facilitate the free exchange of ideas

• Payment processes spread over large geographical area
  — Many times necessitating multiple IT departments

• Dependence on outside state and federal funding

• Myriad of merchants on one campus
  — Merchant ID management

Page 5

A Wealth of Personal Information

Data stored on University Networks:

• Health Records

• Social Security Numbers

• Grades

• Student Loan Information

• Bank Account Information

• Research Information

• Payment Card Information

From (among others):

• Hospitals

• Book stores

• Cafeterias

• Athletics

• Housing

• Parking

Page 6

Payment Card Acceptance

Now, more than ever, a number of “merchants” on a university’s campus are accepting payment cards.

And as the Payment Card Industry’s Data Security Standard states:

PCI Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.

Page 7

Security Compliance Program Evolution

• May 2001: MasterCard International announces plans for Site Data Protection (SDP) Program

• June 2001: Visa USA releases Cardholder Information Security Program (CISP); makes the requirements mandatory

• January 2002: Visa USA begins to target top 100 e-commerce merchants to validate compliance with CISP

• June 2003: MasterCard solicits security vendors to perform SDP scans of e-commerce merchants

• June 2004: Visa announces Payment Application Best Practices (PABP) for application developers to validate compliance with CISP

• July 2004: Discover Network launches Discover Information Security Compliance (DISC) targeting their top 30,000 e-commerce merchants

• September 2004: All Visa USA Service Providers and Level 1 Merchants must validate compliance by Sept. 30, 2004

• December 2004: Visa USA and MasterCard International announce PCI DSS, aligning CISP and SDP standards and compliance requirements

Page 8

Merchant Levels Defined

• Merchant Level 1: Any merchant processing over 6 million Visa or MasterCard transactions per year, compromised in the last year, or identified by another card brand as Level 1

• Merchant Level 2: Any merchant processing 1 million to 6 million Visa or MasterCard transactions per year

• Merchant Level 3: Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year

• Merchant Level 4: Any merchant processing less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year

Page 9

Merchant Compliance Validation

Level 1
  Validation Actions: Annual On-site Security Audit and Quarterly Network Scan
  Scope: Authorization and Settlement Systems (audit); Internet-facing perimeter systems (scan)
  Validated By: Independent Assessor, or internal auditor if signed by officer of company (audit); Qualified Independent Scan Vendor (scan)

Levels 2 and 3
  Validation Actions: Annual Self-Assessment Questionnaire and Quarterly Network Scan
  Scope: Any systems storing, processing, or transmitting cardholder data (questionnaire); Internet-facing perimeter systems (scan)
  Validated By: Merchant (questionnaire); Qualified Independent Scan Vendor (scan)

Level 4
  Validation Actions: Annual Self-Assessment Questionnaire recommended; Network Scan recommended
  Scope: Any systems storing, processing, or transmitting cardholder data (questionnaire); Internet-facing perimeter systems (scan)
  Validated By: Merchant (questionnaire); Qualified Independent Scan Vendor (scan)

Page 10

PCI DSS Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data (use encryption)
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Page 11

Validation and Documentation

• “Partial compliance” is not accepted by the card associations.

• The amount of effort required and length of assessment is predicated upon a number of factors:
  — Remediation required
  — Resources available to work on internal projects

• Merchants must validate their compliance by submitting the required documentation to their acquirer

• Documentation must be available to card associations upon request

Page 12

Cost of a Compromise

Average Investigation Cost: $20,000

Average Remediation Cost: $48,000

Average Potential Fines, Fees, etc.: $2,100,000

Page 13

PCI Non Compliance Implications

Members receive “Safe Harbor” for merchants that have been compromised but found to be PCI compliant at the time of the security breach.

If a merchant does not comply with the security requirements under the PCI standards, the associations may:

• Impose fines up to $500,000 per incident

• Impose restrictions on card acceptance

• Permanently prohibit card acceptance

Page 14

Roles & Responsibilities

Page 15

Card Associations

• Keep standard
  — Current
  — Relevant
  — Clear

• Examine effects of standard implementation
  — Ensure it’s feasible

• Govern interpretation of the standard

• Define merchant levels and validation requirements

• Determine and issue fines for non-compliance

Page 16

Acquiring Banks

• Negotiate merchant agreements

• Inform merchants of PCI
  — Determine merchants’ levels
  — Validation requirements

• Define liability in the event of a breach

Page 17

Merchants

• Meet PCI requirements

• Complete self-assessment questionnaire — if necessary

• Hire qualified independent scan vendor — if necessary

• Engage qualified outside assessor — if necessary

• Protect other confidential information

Page 18

PCI Best Practices For Higher Ed

Page 19

Buy-in

• Gather relevant information to present to upper management

• Articles/headlines

• Liability costs – monetary and reputation

• Create compliance management position or assign project manager

• Develop communications to inform and engage entire university

• Form payment card acceptance review board

• Create an administrative payment card acceptance guide

• Distribute introductory letter

• Educate on PCI

• Identify stakeholders

• Explain consequences

Page 20

Assessment

• Assign accountability to department heads for their network infrastructure

• Meet with department heads
  — Determine scope
  — Which/how departments accept payment cards
  — Examine IP addresses and merchant IDs

• Engage outside assessor, if necessary

• Outline risks and rewards of departments accepting payment cards

Page 21

Segmentation

• Segment network

• Separate open access areas from critical assets

• Restrict access

• Need-to-know

• Use technology to cordon segments
  — Firewalls
  — Intrusion Detection
  — Intrusion Prevention

Page 22

Third Parties

• Ensure party signs a third party agreement
  — Clearly specify/assign liability

• Use a payment application that follows PABP
  — Visa’s Payment Application Best Practices

Page 23

Training Staff

Establish yearly training sessions for staff that address:

• PCI compliance and its importance

• University’s policies and procedures

• Accepting payment cards

• Requesting a merchant ID

• Consequences for failing to follow policy

• Incident response plan

• Resources

Page 24

Questions?

Page 25

Donnie Otterness
Senior Business Manager

(312) 629-1111 ext. [email protected]