Property of the University of Notre Dame
Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution
EDUCAUSE Midwest Regional Conference, March 17, 2008
Agenda
• PCI DSS Background
• Notre Dame’s Environment
• Payment Card Environment Design
• Networking Infrastructure
• Deployment: Departments and Decentralized IT
PCI DSS History
Card-brand programs that preceded the Payment Card Industry Data Security Standard (PCI DSS):
• Visa Cardholder Information Security Program (CISP)
• Mastercard Site Data Protection Program (SDP)
• Discover Information Security Compliance Program (DISC)
• American Express Data Security Standard (DSS)
Introducing the Digital Dozen
Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an Information Security Policy
• Maintain a policy that addresses information security
Who Must Comply?
• “Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.”
• “Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.”
That Probably Means You
Merchant Levels
Level  Description
1      Any merchant who processes over 6,000,000 transactions annually, or any merchant designated Level 1 by Visa
2      Any merchant who processes between 1,000,000 and 6,000,000 transactions annually
3      Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually
4      Anyone else
Merchant Levels
• All merchants, regardless of level, must comply with all elements of the PCI DSS standard!
• Merchants at different levels have different validation requirements
Consequences
• Reputational Risk
  – What will the impact be on your institution’s brand?
  – Mandatory involvement of federal law enforcement in investigation
• Financial Risk
  – Merchant banks may pass on substantial fines
  – Up to $500,000 per incident from Visa alone
  – Civil liability and cost of providing ID theft protection
• Compliance Risk
  – Exposure to Level 1 validation requirements
• Operational Risk
  – Visa-imposed operational restrictions
  – Potential loss of card processing privileges
Notre Dame’s Environment, Circa 2006
• Over 70 merchant accounts, 15 applications
• No central oversight
• One day all of that changed…
[Diagram: Notre Dame merchant accounts (67 total), mapped from business to acceptance module to authorization module]
Acceptance modules: Terminal based (19), 3rd party software based (18), Web based (30)
Terminal hardware shown: Swipe Terminals (17), Omni 3200 (13), Omni 3750 (1), Tranz 330/380 (4), XD2000 (1), Blackberry RIM Wireless (1)
Acceptance software shown: PC Charge (2), Protobase Express (1), Paciolan (1), Patron Edge (1), Patron Edge Online (1), Catapult (1), Publishing Concepts Inc (2), Able Commerce (9), NDFS MICROS (12), MI MICROS (1), Unify (1), ND Marketplace (9), Vital Stage Only (2)
Authorization modules shown: Vital (17), Vital (13), Vital (2), Vital (1), VeriSign PayFlow Link (17), VeriSign Pro (12)
Businesses shown: Notre Dame Band (1), Food Services (13), Development Events (1), GEM (1), RecSports (1), The Morris Inn (2), Athletics Ticket Office (1), DeBartolo Performing Arts (2), A & FS, ISBEE & Journals (1), ND Magazine (1), Student Shop (1), Alumni Association (1), Graduate School (1), Institute for Church Life (1), St Michael’s Laundry (1), Solution Center BTS (1), Center for Continuing Education (1), Commencement Videos (1), Alumni Association (1), Development Donations (1), ACE (1), O’Shaughnessey Copy Center (1), Center for Liturgy (1), University Press (1), NDSP (1), Ice Rink (1), St Michael’s Laundry (1), Warren Golf (2), Computer Store (1), Decio Copy Center (1), Snite (1), Alumni Association (1), Domer Dollars (1), Irish Garden (1), CCE (1), Burke Golf (1), Academic Media (1), Career Center (1), Exec Ed (1), MBA Alumni Relations (1), MS Acct (1), Portfolio (1), Graduate Admissions (1), Undergraduate Admissions (2), Archives (1), ID Cards & Domer $ (2), Special Events (1), LaFortune Student Center (1), ND Band (1), RCLC (1), Stadium Concessions (1)
Notre Dame’s Approach
• Conducted a risk assessment in conjunction with a PCI consulting firm
• From that, launched a credit card security program
  – First Goal: Minimize on-campus card processing
  – Second Goal: Migrate existing systems to a dedicated, isolated network
• First, reduce our footprint and then secure that footprint to the greatest degree possible
Design: ND’s PCI Architecture
[Diagram: a single PCI firewall separates the untrusted burb (Internet via router1 and router2, Notre Dame) from the internal burbs below; only encrypted data crosses to remote sites]
• PCI VPN burb (192.168.x.y/24): VPN concentrators; remote POS sites (192.168.a.b/24) connect through VPN endpoints, encrypted data only
• Infrastructure burb (192.168.x.y/24)
• DMZ burb (192.168.x.y/24): application servers, public web servers, DNS
• POS burb (192.168.x.y/24)
• NETMGT burb (192.168.x.y/24): network gear interfaces; IDS/IPS sensor on all VLANs
• Odyssey burbs: 192.168.x.y/24 Odyssey private, a.b.c.d/29 Odyssey public
• Backup burb (192.168.x.y/24): Scribe
• Scanner burb (192.168.x.y/29): scanner
Other components shown: log server, IDS, ePO, Tripwire app server and Tripwire database, NTP, KVM, Active Directory, Safeword, IPSentry, Remote Administrator, SQL Server
System and Security Components
• Firewall and VPN
• Two factor authentication to infrastructure
• Tripwire server integrity assurance
• Juniper IDS
• POS clients and servers
• Infrastructure – NTP, DC, ePO, monitoring, KVM, central logging, etc.
• Device configuration standards
Firewall and IDS design
• Firewall isolates all PCI traffic
• Single external physical interface
• Single internal interface with multiple VLANs
• Zones organized by function
• Some special zones for campus systems
• Remote sites connected through VPN concentrator
• Passive IDS (tried IPS) monitors all internal traffic
Sidewinder Firewall
• Application proxy firewall
• Default deny inbound and outbound
• Group based VPN, access restricted by job function
• Least privilege rule base
• All access explicitly controlled
Key Internal Zones
• POS burb: 192.168.3.0/24
• DMZ burb: 192.168.5.0/24 (application servers, public web servers, DNS)
• NETMGT burb: 192.168.6.0/24 (network gear interfaces, IDS/IPS sensor)
• Odyssey burbs: 192.168.7.0/24 (Odyssey private), 192.168.58.240/29 (Odyssey public)
• Backup burb: 192.168.8.0/24 (Scribe)
• Scanner burb: 192.168.15.0/29 (scanner)
Isolating Systems
[Diagram: CCSP protected zones containing the Catapult server (10.10.x.y and 192.168.x.y), the Odyssey server (192.168.x.y), and Catapult POS/DCOM and remote access (192.168.x.y); the campus net (10.10.x.y) and a 192.168.2.x segment reach these zones only through the VPN]
Connections to Odyssey shown in the diagram:
• Privilege devices (vending machines, meal plan, etc.): ports 57, 3850 and 4000
• Micros server: ports 2000–2002
• NDFS03 (Sybase)
• Workstations (DCOM)
[Diagram: Internet/campus, the datacenter firewall, the vulnerability scanner and central backup on one side; the PCI firewall’s PCI interface fronts Odyssey, which has separate private and public interfaces within the datacenter]
All system interfaces are on dedicated logical firewall interfaces.
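The Sidewinder slide states the design rule (default deny in both directions, least privilege, every access explicitly controlled) and the zone slides give the address ranges and the Odyssey service ports. The following is an added example, not Notre Dame's rule base or Sidewinder configuration: a small zone-based policy model that evaluates a flow against an explicit allow list and denies everything else. Zone names and networks are taken from the "Key Internal Zones" slides and the port numbers from the "Isolating Systems" diagram; the individual rules, their direction, and the admin and backup rules are assumptions made for illustration.

```python
"""Zone-based, default-deny access model for a PCI segment (added example)."""
import ipaddress
from dataclasses import dataclass

# Zones and ranges as given on the "Key Internal Zones" slides.
ZONES = {
    "POS": ipaddress.ip_network("192.168.3.0/24"),
    "DMZ": ipaddress.ip_network("192.168.5.0/24"),
    "NETMGT": ipaddress.ip_network("192.168.6.0/24"),
    "ODYSSEY_PRIVATE": ipaddress.ip_network("192.168.7.0/24"),
    "BACKUP": ipaddress.ip_network("192.168.8.0/24"),
    "SCANNER": ipaddress.ip_network("192.168.15.0/29"),
    "ODYSSEY_PUBLIC": ipaddress.ip_network("192.168.58.240/29"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # allowed destination ports; empty set means any port
    comment: str


ANY_PORT = frozenset()

# Constructed allow list (assumed rules). Anything not matched here is denied.
RULES = (
    Rule("POS", "ODYSSEY_PRIVATE", "tcp", frozenset({2000, 2001, 2002}),
         "Micros workstations to Micros server"),
    Rule("POS", "ODYSSEY_PRIVATE", "tcp", frozenset({57, 3850, 4000}),
         "privilege devices (vending, meal plan) to Odyssey"),
    Rule("NETMGT", "POS", "tcp", frozenset({22}),
         "assumed: admin SSH from the management zone"),
    Rule("POS", "BACKUP", "tcp", frozenset({10000}),
         "assumed: backup agent port"),
    Rule("SCANNER", "POS", "any", ANY_PORT,
         "vulnerability scanner may probe all ports"),
)


def zone_of(ip: str) -> str:
    """Map an address to its PCI zone; anything outside the segment is UNTRUSTED."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNTRUSTED"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return ("ALLOW", rule comment) for the first matching rule, else ("DENY", reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if (rule.src_zone == src and rule.dst_zone == dst
                and rule.proto in ("any", proto)
                and (rule.dports == ANY_PORT or dport in rule.dports)):
            return "ALLOW", rule.comment
    return "DENY", f"no rule for {src}->{dst} {proto}/{dport}"


def broad_rules():
    """Least-privilege lint: rules that open every port need a documented reason."""
    return [r.comment for r in RULES if r.dports == ANY_PORT]


if __name__ == "__main__":
    for flow in [("192.168.3.10", "192.168.7.5", "tcp", 2001),
                 ("192.168.3.10", "192.168.5.20", "tcp", 80),
                 ("10.10.4.9", "192.168.3.10", "tcp", 2001),
                 ("192.168.3.10", "198.51.100.7", "tcp", 443)]:
        print(flow, *evaluate(*flow))
    print("any-port rules:", broad_rules())
```

Evaluating candidate flows against a model like this before touching the firewall is a cheap way to check that a proposed rule base really is default deny in both directions: a POS host reaching the DMZ, the campus net reaching a POS host, and a POS host reaching the Internet all fall through to the deny line, and the lint function lists the one rule that opens every port so its justification can be recorded.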
Network Design
From the PCI Standards Document:
1. Encryption of data over open, public networks
2. Follow change control procedures
3. Review logs for all system components daily
Challenges
Encryption of data over open, public networks.
• Required over ‘secure’ VLANs?
Challenges
Follow change control procedures.
– Initial design thoughts incorporated ‘secure’ VLANs that we present at each endpoint on campus.
– This would have involved implementing change control on more than 150 network devices, including access layer switches.
Review logs for all system components daily.
– On more than 150 devices?
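The daily log review requirement only scales if the first pass is automated, so that a person reviews a summary rather than raw records. The following is an added example, not Notre Dame's tooling and not the Sidewinder or Cisco log format: it parses one day of constructed firewall audit records, totals denies per zone pair, flags sources that tripped the deny rule repeatedly, flags allowed flows that put the POS zone in contact with an unexpected peer, and lists expected log sources that sent nothing that day. The record layout, the sample lines, the list of expected log sources, the set of burbs a POS host may talk to, and the noise threshold are all constructed assumptions.

```python
"""Automated first pass for a daily PCI log review (added example)."""
from collections import Counter

# Constructed sample: one key=value record per line, in a made-up format.
SAMPLE_LOG = """\
2008-03-17T02:14:05 host=pcifw action=deny src_burb=untrusted dst_burb=pos src=198.51.100.7 dst=192.168.3.10 proto=tcp dport=445
2008-03-17T02:14:06 host=pcifw action=deny src_burb=untrusted dst_burb=pos src=198.51.100.7 dst=192.168.3.11 proto=tcp dport=445
2008-03-17T02:14:07 host=pcifw action=deny src_burb=untrusted dst_burb=pos src=198.51.100.7 dst=192.168.3.12 proto=tcp dport=445
2008-03-17T02:14:08 host=pcifw action=deny src_burb=untrusted dst_burb=dmz src=198.51.100.7 dst=192.168.5.20 proto=tcp dport=22
2008-03-17T09:00:12 host=pcifw action=allow src_burb=pos dst_burb=odyssey_private src=192.168.3.10 dst=192.168.7.5 proto=tcp dport=2001
2008-03-17T09:05:44 host=pcifw action=allow src_burb=pos dst_burb=untrusted src=192.168.3.15 dst=203.0.113.9 proto=tcp dport=443
2008-03-17T10:30:00 host=vpnconc action=allow src_burb=pci_vpn dst_burb=pos src=192.168.20.4 dst=192.168.3.10 proto=tcp dport=2001
"""

# Constructed inventory of devices that must produce logs every day.
EXPECTED_SOURCES = {"pcifw", "vpnconc", "ids", "logserver"}
# Assumed policy: the POS burb should only exchange traffic with these burbs.
POS_ALLOWED_PEERS = {"odyssey_private", "netmgt", "pci_vpn", "scanner", "backup"}
# Assumed threshold for calling a source "noisy".
NOISY_THRESHOLD = 3


def parse(text: str):
    """Turn the key=value records into dicts; the timestamp is the first field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = {"ts": ts}
        for token in rest.split():
            key, _, value = token.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def review(text: str):
    """Summarize one day of records for a human reviewer."""
    denies_by_pair = Counter()
    denies_by_src = Counter()
    pos_unexpected = []
    seen_hosts = set()
    for rec in parse(text):
        seen_hosts.add(rec["host"])
        if rec["action"] == "deny":
            denies_by_pair[(rec["src_burb"], rec["dst_burb"])] += 1
            denies_by_src[rec["src"]] += 1
        elif rec["action"] == "allow" and "pos" in (rec["src_burb"], rec["dst_burb"]):
            # Whichever side is not the POS burb is the peer that needs to be on the list.
            peer = rec["dst_burb"] if rec["src_burb"] == "pos" else rec["src_burb"]
            if peer not in POS_ALLOWED_PEERS:
                pos_unexpected.append(
                    f"{rec['ts']} {rec['src']}->{rec['dst']} {rec['proto']}/{rec['dport']} "
                    f"({rec['src_burb']}->{rec['dst_burb']})")
    return {
        "denies_by_zone_pair": dict(denies_by_pair),
        "noisy_sources": [s for s, n in denies_by_src.items() if n >= NOISY_THRESHOLD],
        "pos_unexpected_allows": pos_unexpected,
        # A component that logged nothing is itself a finding: the log feed may be broken.
        "silent_sources": sorted(EXPECTED_SOURCES - seen_hosts),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two of the checks matter more than the deny counts. An allowed POS-to-Internet connection is exactly the kind of event a default-deny design should never produce, so it is surfaced by name rather than buried in a total, and a device that sent no records at all is reported as a finding in its own right, since a silent log source is the most common way "review logs daily" quietly stops being true.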
Our solution: Remote site VPNs
• Utilizes Cisco 3015 VPN concentrator with Cisco 851 VPN routers for endpoints.
• Extends the PCI network where we need it.
• We provide user subnet space based on customer need:
  – Stand-alone credit card terminals
  – POS devices
  – Single use computers
Additional Benefits of VPN
• The VPN tunnel provides a secure method of managing network devices.
• Provides a means of remote access for system administrators.
• Fewer devices to manage.
• Provides for easier additions to the PCI network.
Two Types of Support
• Central IT
  – Fewer technical users.
  – Existing payment solutions are often inherited.
  – Responsibility for payment system is often not clearly defined.
• Departmental IT
  – Internal processes and procedures.
  – Often very small staff, broad responsibilities.
  – Payment solutions are often provided by external vendors.
  – Responsibility for payment system is often inherited.
Existing systems
• Food Services
  – Many terminals
  – Other services blended in: vending machines, food service displays, and campus “Domer Dollars”
  – Many locations
  – Blend of commercial and custom software
  – Departmental IT
• Theater Ticketing and Events
  – Single location
  – Mobile and static workstations
  – Web driven
  – Single commercial software package
  – Only standard transactions
  – Central IT
Deployment Steps
• Review existing architecture
• Design solution
• Build required resources
• Test
• Migrate into production
  – Often in phases
  – Often unexpected hurdles due to legacy systems and applications
Challenges
• Process: creating a controlled system for adding new systems and handling changes.
• Lack of vendor documentation of protocols – many large high port groupings, reliance on local broadcast for discovery, etc.
• Split system administration
• DR for systems designed without DR capabilities.
Lessons Learned
• Review vendor documentation and current implementation.
  – Historic designs are often still in use.
• Dataflow diagrams are crucial.
• Provide a fast troubleshooting process and a defined support team.
• Provide a single point of responsibility with backup for migrations.