1. PCIDSS compliance made easier through collaboration between NC State and UNC-Chapel Hill
John Baines, AD Policy & Compliance, OIT, NCSU
Eva Lorenz, ITS Security, UNC Chapel Hill
UNC Cause 2013, Wilmington, NC
2. Outline
 PCI DSS 2.0 (3.0 soon…) – .edu concerns
 Background – Why? Who? What?
 Higher Ed and credit card compliance
 Similarities
 Differences
 Hot topics
 What next? / Future plans
 Conclusion
11/20/2013 PCI DSS Collaboration - UNC Cause 2013 Wilmington, NC
3. PCI DSS 2.0 (->3.0) .edu concerns
 PCI DSS 3.0 to be released 11-7-13, effective 1-1-14
  ◦ Required merchant compliance by 1 January, 2015
  ◦ Core 12 Security Requirements unchanged, but several new sub-requirements
 Service provider status
  ◦ This can happen to any institution
 Scope creep
  ◦ In a federated environment, this is a constant struggle
 CDE planning and maintenance
  ◦ Universities like changes and reorganizations
 Written documentation
  ◦ How much oversight can be centrally provided?
  ◦ Vast amount needed (not just Requirement 12)
4. Background – Why? Who? What?
 Two universities with federated set up and flat network
 Oversight committee from Finance/Controller and ITS/OIT
 PCI Steering Committee and CERTIFI
 Gap analysis at NC State in 2011, and UNC in 2012
 Expand on existing ISO meetings to focus on PCI DSS and compliance
 Subject to State Controller requirements and UNC-GA oversight
5. Organizational Entities - NCSU
 Controller’s office
 OIT Security & Compliance
 Other OIT units
 Merchants
Organizational Entities – UNC-CH
 Finance / Controller’s Office
 ITS Security + ITS Enterprise Applications
 Other ITS units (networking, hosting)
 Merchants
6. Controller’s office / Finance
 Controller’s office - Manager, Cash Management / Merchant Card Accountant
  ◦ Single point of entry
    Even with a tightly controlled CDE, change management is a struggle, so control the point of entry
  ◦ Business justification
    Consider establishing baseline requirements and balance versus risk to the university
  ◦ Obtaining a PCI Merchant Account
    Yes, there is a State Controller
  ◦ PCI associated business processes
    Consider developing questionnaires, standard workflows and other documentation or requirements, such as training, before the account goes live.
7. OIT Security & Compliance - NCSU
 Internal Security Assessor (ISA)
 Initial technical compliance
 Technical assistance (D merchants & OIT)
 Annual review by merchant
 Guidelines for SAQ A & B merchants
ITS Security (UNC-CH)
 PCI Coordinator – scheduled for ISA exam
 Initial technical compliance
 Technical assistance (vuln. and web scanning)
 POS stations physical security / annual review
 Maintain enterprise firewalls, access to CDE
8. Other IT Units - NCSU & UNC-CH
 Cover many different areas
  ◦ ComTech
    network, VOIP phones
  ◦ Shared hosting
    CDE and D merchants
  ◦ Infrastructure
    logging, patching, VMs, etc.
  ◦ Client Services
    end-point protection and compliance – Dedicated Payment Workstation
  ◦ Enterprise Application Systems
    development/implementation of PCI compliant applications, TouchNet/Nelnet
9. Merchants – NCSU – 124
 SAQ A – Totally outsourced – 72
 SAQ B – Simple POS – 23
 SAQ C – Virtual Terminal – 3
 SAQ D – Complex merchants – 26
  ◦ Dining (2)
  ◦ Bookstore
  ◦ Transportation (9)
  ◦ Athletics
  ◦ Alumni/Advancement (~5)
  ◦ Mail Order – Telephone Order (MOTOs) (<30…)
 Shrinking and growing…
10. Merchants – UNC-CH – 108
 New merchants all the time
 Existing merchants change implementation frequently
 Then there is an annual review required for each merchant
 Similar ratio as NCSU, but totally outsourcing done via TouchNet
 Also no SAQ C – Virtual Terminal
 Similar set of complex merchants
 UNC-CH merchant grouping for SAQ attestation
  ◦ TouchNet outsourced (SAQ-A)
  ◦ POS terminals (SAQ-B)
    all on analog
  ◦ Complex SAQ-D merchants
    Some TouchNet with outsourcing of credit card storage, but accepting credit cards in person
    Some merchants have servers with credit card storage on campus
11. Service Providers
Business                 | UNC                       | NCSU
Main Gateway             | TouchNet (AOC, ROC)       | Nelnet
                         | Cybersource (e-Tix K)     | Cybersource
                         | PayFlowPro                | PayFlowPro
Dining                   | Micros (SP)               | Micros - CVENT
Bookstore                | Sequoia (version, kiosk)  | Sequoia
Advancement              | Blackbaud                 | Convio
Athletics                | Paciolan                  | Paciolan
Phonathon                | Ruffalo Cody (version 1)  | Ruffalo Cody (version 2)
Foundation / Fundraising | Convio                    | Convio
Conference center        | TouchNet (Kiosk)          | (Complex)
Parking                  | FederalAPD (ScanNet)      | Data Tran
12. Governance - NCSU
 PCI Steering Committee
  ◦ University controller chairs
  ◦ Representatives of four of largest merchants
  ◦ Members of update team participate
  ◦ Meets quarterly and by email
 PCI Update team
  ◦ External Project Manager
  ◦ Controller’s office
  ◦ OIT Security & Compliance
  ◦ OIT EAS (Enterprise systems development group)
  ◦ Not a dedicated team…
  ◦ Meets bi-weekly
13. Organizational Entities – UNC-CH
 CERTIFI
  ◦ Finance – Chair, Controller’s Office
  ◦ ITS Security
  ◦ ITS EA
  ◦ Merchant representatives
  ◦ IT units
  ◦ Sponsored by CISO and University Controller
  ◦ Meets every two weeks
  ◦ Some voting / decisions by email
14. Similarities
 POS SAQ B analog phones
 Student groups with mobile gadgets
  ◦ NCSU now cellular POS device from SunTrust/Firstdata. Plans to make this a loaner service for conferences and events
 Conference Center - multi-functional
 SAQ D merchants, such as book store, athletics, alumni giving, dining and a conference center.
 Identical third party software being deployed and similar issues assessing third party compliance.
 Oversight of service providers for campus merchants - significant problems and risks – PCI DSS Req 12.8
15. Differences
 Choice of third parties
  ◦ Issues to deal with are complex, including compliance, documentation, oversight
 Choice of payment gateway
  ◦ Select primary one, but make sure it can meet the business needs.
 Network
  ◦ UNC
    Will have some duplicate infrastructure for CDE (e.g. DNS, SCCM, AV)
    Border Firewall and implications for service provider role
  ◦ NCSU
    Shares infrastructure services for PCI compliance.
    No border firewall
    Relies on logical or administrative control of separation regarding the firewalls, building switches and core routers (VLANs, MPLS).
    Dedicated resources include a wireless network at the football stadium
 Medical center
  ◦ Shared network, but two separate entities
  ◦ Remote locations accepting credit card
  ◦ Change in payment processing by these entities (UNC-H)
16. Hot Topics
 PCI scope
 CDE planning
 Enormous need for education
 Key business processes to maintain PCI compliance
 Service provider reduction
17. PCI scope (NCSU)
 Primary scope – anything that transmits, processes or stores the PAN, e.g.:
  ◦ Cardholder Data Environment – store PAN
  ◦ Any network transmitting PAN
  ◦ Otherwise non-primary scope, but located in CDE without network control
  ◦ Mail Order Telephone Order workstations
  ◦ Intelligent POS devices (e.g. Cash Registers)
  ◦ Wireless at football stadium only
 Secondary scope – ANYTHING that supports or connects to primary scope, e.g.:
  ◦ Maintenance workstations that connect to CDE (2 factor auth!)
  ◦ Active Directory, DNS, VMware, etc.
 For secondary scope:
  ◦ Logging and patching are required
  ◦ But other PCI DSS controls that are needed vary by case
18. PCI scope (UNC-CH)
 Primary scope – anything that transmits, processes or stores the PAN, e.g.:
  ◦ Cardholder Data Environment – with some PAN storage
  ◦ Any network transmitting PAN (but not vendor vlan!)
  ◦ Any workstation processing cards by phone, fax or mail
  ◦ No wireless transmission of credit cards
 Secondary scope – ANYTHING that supports or connects to primary scope, e.g.:
  ◦ Sysadmin workstations that connect to CDE (2 factor auth!)
  ◦ Splunk, Firewalls
  ◦ Supporting infrastructure (AD, DNS, etc.) – duplicated for CDE
 For secondary scope:
  ◦ Logging and patching are required
  ◦ But other PCI DSS controls that are needed will vary by case
 NO email! (Basic requirement – NCSU also)
19. CDE planning (NCSU)
 Started 2005
 Dedicated:
  ◦ Sub-network(s)
  ◦ CDE for SAQ D’s created early
  ◦ Physical (now VM) servers
 Contains all approved PANs - encrypted
 Supported by OIT Hosting Services unit
 All simple Web authorization supported through Nelnet redirection (no NCSU located CDE)
20. CDE planning (UNC-CH)
 Started 2012
 Dedicated:
  ◦ Segmented vlans with hardware firewalls
  ◦ Contains servers, desktops, cash registers, payment stations and supporting infrastructure
    Possible exceptions: e.g. logging server (Splunk)
 Contains all approved PANs - encrypted
 Supported by Windows Systems group and ITS Security
 Does not include servers hosting websites that process customer entered payment data with redirection of credit card data to external service provider
21. Enormous Need For Education
 12. Maintain an Information Security Policy
 Found over 100 sub-requirements for documentation
 Multiple audiences for training:
  ◦ Merchants –
    Overall concepts and approach
    Process and SAQ forms
    Deep dive
  ◦ Training IT Security staff as ‘professors of PCI’
    Make use of existing mailing lists and blogs
    Seminars and forums – Treasury Institute & PCI SSC
  ◦ Getting buy-in and understanding from other OIT units about their responsibilities and how to implement them
22. Enormous Need For Education
 Teach merchants when PCI becomes an issue
 Teach IT support staff to work with business staff in departments
 Teach purchasing staff to spot PCI in agreements
 Teach legal department PCI-relevant requirements (sequential contract review)
 Teach merchants what is a PCI-relevant change
 Teach merchants about associated technologies (VOIP, fax, wireless, email etc.)
 Reach a consensus on 3.0 changes standard meaning. How to communicate this change and to whom?
 Teach to write and update workflows
 Teach incident response
 Other merchant responsibilities
23. Key Business Processes
 Maintaining PCI compliance is not a one time project:
  ◦ PCI compliance is an ongoing process from onboarding new merchants to closing down accounts and every day changes in between
 Annual assessment of existing merchants – best done in person with IT and business staff
 Try to “centralize and standardize” infrastructure and business processes
 Reinforce standardized processes through repetition in training events and in-person visits
 Bare bones web-frontends for the payment process to minimize the risk of security holes
 Assessing service providers
 Monitor physical security (data centers & elsewhere)
24. Service Provider Reduction
 Can proliferate if not strictly controlled
 Focus on Service Provider Level 1 (>100K) – listed at VISA web site
 SP Level 2 – university is responsible for their compliance
 Look for commonalities in applications
  ◦ Conference/event management (NCSU 57%)
  ◦ Storefronts (NCSU 10%)
  ◦ Giving (NCSU 19%)
  ◦ Mobile devices
 Outsource as much as possible – e.g. Touchnet
25. What next? / Future plans
 Include more local Higher Ed institutions
 Meet to discuss PCI DSS v3.0
 CDE is top priority
 Something new pops up all the time
 Shift to more focused meetings, such as scoping and CDE planning.
26. Conclusions
 Unique challenges for .edu’s because of the federated environment
  ◦ Like all merchants in a small town combined
 PCI DSS was not written with higher education institutions in mind
  ◦ Most resources, such as best practices or whitepapers, are often geared towards corporations usually with just a few merchant profiles
  ◦ Simplify, standardize and outsource merchant implementations as much as possible
 Collaboration of .edu’s is a good way to create a knowledgebase within the UNC system universities to tackle PCI DSS
27. References
 OSC – State Electronic Commerce Program - http://www.ncosc.net/SECP/index.html
 UNC-CH CERTIFI - http://finance.unc.edu/files/2013/02/charter_certifi.pdf
 UNC-CH Finance policies - http://financepolicy.unc.edu/policyprocedure/308-credit-card-merchant-services/
 NCSU REG 07.30.23 - Payment Card Merchant Services | Policies
 NCSU Cash Receipts and Credit Card Procedures
 PCI Security Standards Council - https://www.pcisecuritystandards.org/
 Treasury Institute for Higher Education - http://www.treasuryinstitute.org/
 Treasury Institute blog - http://treasuryinstitutepcidss.blogspot.com/
 PCI Guru - http://pciguru.wordpress.com/
28. Questions?
29. UNC Cause Proposal: PCIDSS compliance made easier through collaboration between NC State and UNC-Chapel Hill

Abstract: Both NC State and UNC Chapel Hill host a significant number of merchants involved in eCommerce on campus and are therefore bound by the Payment Card Industry Data Security Standard (PCIDSS). To facilitate achieving PCIDSS compliance, the universities have started regular meetings to discuss the eCommerce environment on both campuses and to determine how to most efficiently work towards remediating any compliance gaps. The meetings have revealed significant overlap in the eCommerce landscape as well as similarities in what each university sees as major issues towards achieving compliance.

The university environment and background: NC State and UNC-Chapel Hill are both large research universities that have more than 100 merchants involved in eCommerce. Merchants cover the range of self-assessment questionnaires (SAQ) from SAQ-A through SAQ-D and employ a number of third party software packages to process payments. Even though the primary payment gateway selected by each university differs, the third party software selected by larger merchants often overlaps, as do services administered by the Office of the State Controller.

Merchant environment: The eCommerce landscape at many universities will have a number of similar merchants, such as book store, athletics, alumni giving, dining and a conference center. These similarities often lead to identical third party software being deployed and similar questions when assessing third party compliance. In this context, oversight of service providers for campus merchants may pose significant problems as well as risks to universities under PCIDSS requirement 12.8. A summary of major software by merchants will be presented as well as the compliance issues involving service providers that have arisen at both universities.

Technical challenges: One of the main technical challenges faced by both universities involves creating a highly structured cardholder data environment (CDE) that contradicts in many ways the open environment traditionally associated with universities. Additional challenges involve software selection for handling log management, file integrity monitoring and remote authentication to in-scope devices. The presentation will involve the proposal by either university on how to generate a CDE and which challenges are faced by the IT staff.

Future plans: So far the meetings have been limited to NC State and UNC Chapel Hill, but we have already gotten a request from another university in the triangle to join. Having established the status quo of eCommerce at both universities, we will shift towards more focused meetings as we proceed on closing remaining PCIDSS gaps at either university.

Conclusion: The unique challenges involved in ensuring compliance in a federated environment such as a large research university can seem overwhelming at times, since PCIDSS was not written with higher education institutions in mind and best practices or whitepapers are also often geared towards highly standardized merchants, such as national chain stores. This effort started by NC State and UNC Chapel Hill has provided important insights already and could be a model for
