Given the serious security risks to information technology (IT) assets, managing those risks effectively is an essential task for the University and its departments. The process will benefit both the individual departments and the University as a whole. It is important that management understand what risks exist in their IT environment, and how those risks can be reduced or eliminated. In an increasingly competitive business environment organizations must develop capabilities that will provide them with a sustainable competitive advantage. The universities and colleges big and small – face continued the threat of data theft ranging from finance, heath, intellectual property and other sensitive information. In such a high-risk environment, it’s imperative for universities and colleges to share and collaborate ideas, methods, and technologies to learn how the risks can be addressed. This talk will provide some insights on how to identify the areas for cross – collaboration to stay compliant and reduce risk. The talk also outlines the University of Alaska and Texas A&M synergistic efforts.

1. Leveraging shared IT and
business resources to
maintain PCI compliance

2. • Select Treasury Institute PCI in WiFi settings
• Password
• Goto URL
http://etc.ch/gRV7
• Answer the poll
Online polls

3. Agenda
 Why collaborate?
 Sharing business resources
 Setting up PCI Governance
 Factors to consider
 PCI DSS 3.2
 Implementation
 Sharing IT Resources
 Stay on track
 PCI Maturity model
 Q & A

4. Texas A & M University @ Kingsville
Texas A&M University - Kingsville (TAMUK) is a member of
the Texas A&M University System. A&M System is
comprised of 11 universities & 7 agencies serving over
153,000 students.
TAMUK:
• Established in 1917 (oldest institution of higher ed. in South Texas
• A comprehensive academic/research institution
• 9300 students
• 1400 international students.

5. University of Alaska
America’s Arctic university – land, sea and
space grant system. Geographically
distributed across three major campuses – in
Anchorage, Fairbanks and Juneau with 17
satellite campuses and 28 facilities. As of
2016, total enrollment is 32,000

6. Arctic Circle 65th Parallel

7. • Institutes of higher education are required to maintain PCI
compliance
• At disadvantage compared to other industries like banking,
services and retail
• Have varied types of businesses on campus accepting credit
cards for tuition, student fees, campus cards, events, dining,
housing, athletics, parking, online giving
• Very difficult to have one office with knowledge of all the above
– (mostly one person department)
Introduction

8. PCI DSS
8
8
 Standard that is applied to:
 Merchants
 Service Providers (Third Third‐party vendor, gateways)
 Systems (Hardware, software)
 That:
 Stores cardholder data
 Transmits cardholder data
 Processes cardholder data
 Applies to:
 Electronic Transactions
 Paper Transactions

9. Poll question #1
Who is responsible for PCI

10. Business Challenges
• Many departments want to accept payments by credit cards,
but their needs, resources and business and system maturity
differ
• PCI Governance Team ‐ Texas A & M case
• E‐commerce is complex and is not easy deciding who is ‘in
charge’ of e‐commerce –
• Acquirer banks and credit card companies require the
institution is compliant to the most current standard and non‐
compliance results in penalties and jeopardize reputation
• Centralized policies, education, management support and
communication

11. • PCI – DSS compliance is shared responsibility that
affect many aspects of an institution – financial,
reputational, cultural and technical
• Synergistic effort between all the stakeholders to
stay compliant
Who’s responsibility?

12. • Poll Question #2

13. • Poll Question #3

14. PCI Governance Team
PCI Governance Team is a systemwide advisory team on all
aspects (business, IT, compliance) of PCI and consists;
‐ Chief Finance Officer/VP of Finance
‐ Controller
‐ Cash Manager
‐ Chief Information Technology Officer
‐ Network Ops
‐ Business unit managers
‐ IT Managers
‐ Internal Audit
‐ IT Security
‐ Financial Systems
‐

15. • UA formed e‐commerce committee to centralize and prioritize
payment system
• Recommended by acquirer bank to be complaint with PCI – DSS.
• E‐commerce committee transitioned to PCI Advisory team and
chartered by VP Finance to develop PCI policy
• Hired QSA to advice and conduct vulnerability scans
• PCI Advisory team developed the PCI Administrative policy,
requiring SAQ to be completed for each MID by Oct 31 every year
• PCI Advisory team meets every month to review scan status,
update and prioritize all PCI tasks
University of Alaska’s PCI

16. PCI Governance/Advisory Team
• Deficiency Reports
• SAQ’s
• Scope reduction efforts

17. Business
– Ensuring/monitoring of service providers’ compliance
– Physical protection of capture devices and cardholder data
– Employee awareness training and attestation
– Security Incident Response Plan and annual testing
IT
– Vulnerability Scanning, Penetration Testing
– Firewalls, encryption, software updates, etc.
– Business should be familiar with various IT requirements
Business & IT functions (General)

18. • Provides the appropriate level recognition, support and attention
to PCI
• Provides structure and credibility to those charged with PCI
Compliance
• Allows for collaboration among various entities responsible for PCI
Compliance
• Provides accountability
• Assists in protecting the institution in the Audit or in the event of a
breach
• ITS GOOD PRACTICE
Why establish a PCI Governance
Structure

19. We are in the process of formalizing our PCI governance structure:
• The beauty of our industry is our collaborative approach to issues
• In the process of formalizing our PCI governance structure
• Looking to follow the UA model
• Establish an overarching PCI policy and related procedures
• Establish an Oversight Committee with representatives from:
VP for Finance and CFO, Chair
Information Technology
Office of the Provost, Office of the Bursar, Student Services
Risk Management
Financial Reporting
TAMUK’s Approach to PCI

20. • Poll Question #4

21. Compliance Vs Validation
21
21
 Compliance – Means adherence to the standard
 Applies to every merchant regardless of volume
 Technical and business practices
 Validation – Verification that merchant (including its services providers) is
compliant with the standard
 Applies based on Level assigned to merchant & transaction volume
 Two types of Validation
 Self‐Assessment
 Certified by a Qualified Security Assessor (QSA)
 Attestation – Letter to card issuer (bank) signed by both merchant and
acquirer bank attesting that validation has been performed

22. PCI Council – Consortium
22
22
 All merchants are subject to the standard and to card association rules
 No exemption provided to anyone
 Immunity does not apply because
 Requirement is contractual ‐ not regulatory or statutory
 Card associations can be selective who they provide services to
 Merchants accept services on a voluntary basis
 Merchants agree to abide by association rules when they execute e‐merchant
bank agreement
 Merchant banks are prohibited by association rules from indemnifying a
merchant from not being compliant with the standard
 Association Rules require merchant banks to monitor merchants to ensure
their compliance
 Failure of a merchant bank to require compliance jeopardizes the merchant bank
bank’s right to continue to be a merchant banks
 Any fines levied are against the merchant bank, which in turns passes the fines
onto the merchant

23. Two Components to Validation
23
 Annual Assessment Questionnaire
 Required of all merchants – regardless of level
 Applies to both technical and business
 Security Vulnerability Scan ‐ Quarterly
 Required for External facing IP addresses
 Web applications
 POS Software and databases on networks
 Applies even if there is a re‐direction link to third third‐party
 Must be performed by Approved Scanning Vendor (ASV)
 Validation based on Level assigned to merchant, based on
transaction volume

24. Three components to
Compliance
 Self Assessment Questionaires
 All registered MID’s
 Make sure MID is properly categorized (SAQ A‐D)
 Deficiency Reports
 Vulnerability Scans
 Clean Scans
 Assess –what level of risk is acceptable (low‐medium‐high)
 Certified by a Qualified Security Assessor (QSA)
 Update Policy/Procedure
Include all recent changes

25. • Poll Question #5

26. SAQ - PCI DSS Version 3.2Face‐to‐Face and Mail/Telephone Only eCommerce Only
B POS analog not connected to IP * A Card‐not‐present fully outsourced *
B‐IP POS connected to IP * # A‐EP Outsourced, but website redirect can
impact security of payment * #
C‐VT Virtual Terminal IP, dedicated or
segmented, and keyed only * #
C POS Software connected to IP,
dedicated or segmented* #
P2PE‐
HW
POS hardware managed w/ Point to
Point Encryption *
D Cardholder data is stored # D Cardholder data is either processed,
transmitted, or stored #
Combination of Face‐to‐Face and eCommerce
D All merchants not included entirely in any one of the above, or where cardholder data is stored
(Systems are connected / Not segmented) #
* Indicates cardholder data is not stored; # Indicates vulnerability scanning required.-

27. Threat – Detect, Response and Recovery
27
Source: Cisco Threat Report

28. • Poll Question #6

29. 6
Control
Objectives 12
Core
Requirements
290+
Audit
Procedures
Key changes
 Multi factor authentication for admins (8.3.1)
 5 new sub requirements for service providers (3,10,11,12)
 2 new appendices
SSL/TLS migration deadline
Designated entities supplemental validation
 Changing payment and threat
environment
 Breach reports and compromise
trends
 Feedback from industry
PCI DSS 3.2 - Threat is the main driver

30. PCI Lifecycle
 Treasury/Controller
 Business unit
 IT Security
 Compliance
 Legal
 Audit
 Risk Services

31. Business Driven
 Focus on 5 key areas:
 Prioritize Assets
 Assess threats
 Quantify Risk Level (assets, threats,
vulnerabilities)
 Remediate Vulnerabilities
 Measure

32. Assess Risk
 The product of:
 Assets
 Vulnerabilities
 Threats
 Based upon the criticality of AVT
 Focus your resources on the true risk
See handout – spreadsheet #1

33. Key IT areas to consider

34. 10 Critical Steps
1. Identify all the assets in your purview
2. Create an Asset Criticality Profile (ACP)
3. Determine exposures and vulnerabilities
4. Track relevant threats – realized and unrealized
5. Determine Risk ‐ product of Assets x Vulnerabilities x Threats
6. Take corrective action if risk > cost to eliminate or mitigate
7. Create meaningful metrics and hold people accountable
8. Identify and address compliance gaps
9. Implement an automated vulnerability management system
10. Convince someone with a budget that vulnerability management is important

35. Vulnerability Vs Threat
35
Vulnerability
Any flaw in the design, implementation or administration of a
system that provides a mechanism for a threat to exploit the
weakness of a system or process
They are weaknesses in networked environments, web
applications and physical premises
Threat
Any person, circumstance or event that has the potential to cause
damage to an organizational asset or business function

36. • Bring Your Own Device: Personnel Vs Professional usage
• Web Exploits: Cross‐site scripting /SQL injection
• Botnets: Updating and modification
• Data loss: Student, finance, health, IP – data theft
• Big Data: Ability to gather & store data equals greater
liability
• Targeted and Persistent attacks
• Sponsored cyber operations: Attacks, espionage
36
Threats follow technology trends

37. Vulnerability/Penetration Test Map

38. Top 15 Tools
# Name License Type Operating System
1 Metasploit Proprietary Vulnerability scanner and exploit Cross‐platform
2 Nessus Proprietary Vulnerability scanner Cross‐platform
3 Kali Linux GPL Collection of various tools Linux
4 Burp Suite Proprietary Web vulnerability scanner Cross‐platform
5 w3af GPL Web vulnerability scanner Cross‐platform
6 OpenVAS GPL Vulnerability scanner Cross‐platform
7 Paros proxy GPL Web vulnerability scanner Cross‐platform
8 Core Impact Proprietary Vulnerability scanner and exploit Windows
9 Nexpose Proprietary Entire vulnerability management lifecycle Linux, Windows
10 GFI LanGuard Proprietary Vulnerability scanner Windows
11 Acunetix WVS Proprietary Web vulnerability scanner Windows
12 QualysGuard Proprietary Vulnerability scanner Cross‐platform
13 MBSA Freeware Vulnerability scanner Windows
14 AppScan Proprietary Web vulnerability scanner Windows
15 Canvas Proprietary Vulnerability scanner and exploit Cross‐platform
GPL – general public license: VAS – Vulnerability assessment software
WVS – web vulnerability scanner, MBSA – Microsoft baseline security analyzer

39. 39

40. PCI Maturity Model
Level Category Description
0 Not performed Complete lack of any recognizable processes. The institution has not even recognized that
there is an issue to be addressed.
1 Performed
Informally:
There is evidence that the institution has recognized that the issues exist and need to be
addressed. There are no standardized processes; instead, there are ad hoc approaches that
tend to be applied on an individual or case‐by‐case basis. The overall approach to
management is disorganized.
2 Planned and
Tracked
Processes have developed to the stage where similar procedures are followed by different
people undertaking the same task. There is no formal training or communication of standard
procedures, and responsibility is left to the individual. There is a high degree of reliance on
the knowledge of individuals and, therefore, errors are likely.
3 Well Defined
and
Communicated
Procedures have been standardized and documented, and communicated through training. It
is mandated that these processes should be followed; however, it is unlikely that deviations
will be detected. The procedures themselves are not sophisticated but are the formalization
of existing practices.
4 Managed and
Measurable
Management monitors and measures compliance with procedures and takes action where
processes appear not to be working effectively. Processes are under constant improvement
and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Continuously
Improved
Processes have been refined to a level of good practice, based on the results of continuous
improvement and maturity as recommended by the most current PCI DSS , providing tools to
improve quality and effectiveness, making the institution quick to adapt.

41. • Poll Question #7