PCIDSS compliance made easier through a collaboration between NC State and UNC-Chapel Hill
1. PCIDSS compliance made easier
through collaboration between
NC State and UNC-Chapel Hill
John Baines
AD Policy & Compliance, OIT, NCSU
Eva Lorenz
ITS Security, UNC Chapel Hill
UNC Cause 2013 Wilmington, NC
2. Outline
PCI DSS 2.0 (3.0 soon…) – .edu concerns
Background – Why? Who? What?
Higher Ed and credit card compliance
Similarities
Differences
Hot topics
What next? / Future plans
Conclusion
11/20/2013
PCI DSS Collaboration - UNC Cause 2013 Wilmington, NC
2
3. PCI DSS 2.0 (->3.0) .edu concerns
PCI DSS 3.0 to be released 11-7-13, effective 1-1-14
◦ Required merchant compliance by 1 January 2015
◦ Core 12 Security Requirements unchanged, but several
new sub-requirements
Service provider status
◦ This can happen to any institution
Scope creep
◦ In a federated environment, this is a constant struggle
CDE planning and maintenance
◦ Universities like changes and reorganizations
Written documentation
◦ How much oversight can be centrally provided?
◦ Vast amount needed (not just Requirement 12)
4. Background – Why? Who? What?
Two universities with a federated set-up
and a flat network
Oversight committee from
Finance/Controller and ITS/OIT
PCI Steering Committee and CERTIFI
Gap analysis at NC State in 2011, and
UNC in 2012
Expand on existing ISO meetings to focus
on PCI DSS and compliance
Subject to State Controller requirements
and UNC-GA oversight
5. Organizational Entities - NCSU
Controller’s office
OIT Security & Compliance
Other OIT units
Merchants
Organizational Entities – UNC-CH
Finance / Controller’s Office
ITS Security + ITS Enterprise Applications
Other ITS units (networking, hosting)
Merchants
6. Controller’s office / Finance
Controller’s office - Manager, Cash Management / Merchant Card
Accountant
◦ Single point of entry
Even with a tightly controlled CDE, change management is a
struggle, so control the point of entry
◦ Business justification
Consider establishing baseline requirements and balance
versus risk to the university
◦ Obtaining a PCI Merchant Account
Yes, there is a State Controller
◦ PCI associated business processes
Consider developing questionnaires, standard workflows and
other documentation or requirements, such as training, before
the account goes live.
7. OIT Security & Compliance - NCSU
Internal Security Assessor (ISA)
Initial technical compliance
Technical assistance (D merchants & OIT)
Annual review by merchant
Guidelines for SAQ A & B merchants
ITS Security (UNC-CH)
PCI Coordinator – scheduled for ISA exam
Initial technical compliance
Technical assistance (vuln. and web scanning)
POS stations physical security / annual review
Maintain enterprise firewalls, access to CDE
8. Other IT Units - NCSU & UNC-CH
Cover many different areas
◦ ComTech
network, VOIP phones
◦ Shared hosting
CDE and D merchants
◦ Infrastructure
logging, patching, VMs, etc.
◦ Client Services
end-point protection and compliance – Dedicated
Payment Workstation
◦ Enterprise Application Systems
development /implementation of PCI compliant
applications, TouchNet/Nelnet
9. Merchants – NCSU – 124
SAQ A – Totally outsourced – 72
SAQ B – Simple POS – 23
SAQ C – Virtual Terminal - 3
SAQ D – Complex merchants – 26
◦ Dining (2)
◦ Bookstore
◦ Transportation (9)
◦ Athletics
◦ Alumni/Advancement (~5)
◦ Mail Order – Telephone Order (MOTOs) (<30…)
Shrinking and growing…
10. Merchants – UNC-CH 108
New merchants all the time
Existing merchants change implementation frequently
Then there is an annual review required for each merchant
Similar ratio as NCSU, but totally outsourcing done via
TouchNet
Also no SAQ C – Virtual Terminal
Similar set of complex merchants
UNC-CH merchant grouping for SAQ attestation
◦ TouchNet outsourced (SAQ-A)
◦ POS terminals (SAQ-B)
all on analog
◦ Complex SAQ-D merchants
Some TouchNet with outsourcing of credit card storage,
but accepting credit cards in person
Some merchants have servers with credit card storage on
campus
11. Service Providers
Business                  UNC                        NCSU
Main Gateway              TouchNet (AOC, ROC)        Nelnet
                          Cybersource (e-Tix K)      Cybersource
                          PayFlowPro                 PayFlowPro
Dining                    Micros (SP)                Micros - CVENT
Bookstore                 Sequoia (version, kiosk)   Sequoia
Advancement               Blackbaud                  Convio
Athletics                 Paciolan                   Paciolan
Phonathon                 Ruffalo Cody (version 1)   Ruffalo Cody (version 2)
Foundation / Fundraising  Convio                     Convio
Conference center         TouchNet (Kiosk)           (Complex)
Parking                   FederalAPD (ScanNet)       Data Tran
12. Governance - NCSU
PCI Steering Committee
◦ University controller chairs
◦ Representatives of four of the largest merchants
◦ Members of the update team participate
◦ Meets quarterly and by email
PCI Update team
◦ External Project Manager
◦ Controller’s office
◦ OIT Security & Compliance
◦ OIT EAS (Enterprise systems development group)
◦ Not a dedicated team…
◦ Meets bi-weekly
13. Organizational Entities – UNC-CH
CERTIFI
◦ Finance – Chair, Controller’s Office
◦ ITS Security
◦ ITS EA
◦ Merchant representatives
◦ IT units
◦ Sponsored by CISO and University Controller
◦ Meets every two weeks
◦ Some voting / decisions by email
14. Similarities
POS SAQ B analog phones
Student groups with mobile gadgets
◦ NCSU now has a cellular POS device from SunTrust/
First Data. Plans to make this a loaner service for
conferences and events
Conference Center - multi-functional
SAQ D merchants, such as book store, athletics,
alumni giving, dining and a conference center.
Identical third party software being deployed and
similar issues assessing third party compliance.
Oversight of service providers for campus
merchants - significant problems and risks – PCI
DSS Req 12.8
15. Differences
Choice of third parties
◦ Issues to deal with are complex, including compliance, documentation, oversight
Choice of payment gateway
◦ Select primary one, but make sure it can meet the business needs.
Network
◦ UNC
Will have some duplicate infrastructure for CDE (e.g. DNS, SCCM, AV)
Border Firewall and implications for service provider role
◦ NCSU
Shares infrastructure services for PCI compliance.
No border firewall
Relies on logical or administrative control of separation at the firewalls,
building switches and core routers (VLANs, MPLS).
Dedicated resources include a wireless network at the football stadium
Medical center
◦ Shared network, but two separate entities
◦ Remote locations accepting credit card
◦ Change in payment processing by these entities (UNC-H)
16. Hot Topics
PCI scope
CDE planning
Enormous need for education
Key business processes to maintain PCI
compliance
Service provider reduction
17. PCI scope (NCSU)
Primary scope – anything that transmits, processes or stores
the PAN e.g.:
◦ Cardholder Data Environment – store PAN
◦ Any network transmitting PAN
◦ Otherwise non-primary scope, but located in CDE without
network control
◦ Mail Order Telephone Order workstations
◦ Intelligent POS devices (e.g. Cash Registers)
◦ Wireless at football stadium only
Secondary scope – ANYTHING that supports or connects
to primary scope, e.g.:
◦ Maintenance workstations that connect to CDE (2 factor auth!)
◦ Active Directory, DNS, VMware, etc.
For secondary scope:
◦ Logging and patching are required
◦ But other PCI DSS controls that are needed vary by case
18. PCI scope (UNC-CH)
Primary scope – anything that transmits, processes or stores
the PAN e.g.:
◦ Cardholder Data Environment – with some PAN storage
◦ Any network transmitting PAN (but not vendor VLAN!)
◦ Any workstation processing cards by phone, fax or mail
◦ No wireless transmission of credit cards
Secondary scope – ANYTHING that supports or connects
to primary scope, e.g.:
◦ Sysadmin Workstations that connect to CDE (2 factor auth!)
◦ Splunk, Firewalls
◦ Supporting infrastructure (AD, DNS, etc ) – duplicated for CDE
For secondary scope:
◦ Logging and patching are required
◦ But other PCI DSS controls that are needed will vary by case
NO email! (Basic requirement – NCSU also)
19. CDE planning (NCSU)
Started 2005
Dedicated:
◦ Sub-network(s)
◦ CDE for SAQ D’s created early
◦ Physical (now VM) servers
Contains all approved PANs - encrypted
Supported by OIT Hosting Services unit
All simple Web authorization supported
through Nelnet redirection (no NCSU
located CDE)
20. CDE planning (UNC-CH)
Started 2012
Dedicated:
◦ Segmented vlans with hardware firewalls
◦ Contains servers, desktops, cash registers, payment
stations and supporting infrastructure
Possible exceptions: e.g. logging server (Splunk)
Contains all approved PANs - encrypted
Supported by Windows Systems group and ITS
Security
Does not include servers hosting websites that
process customer entered payment data with
redirection of credit card data to external service
provider
21. Enormous Need For Education
12. Maintain an Information Security Policy
Found over 100 sub-requirements for documentation
Multiple audiences for training:
◦ Merchants –
Overall concepts and approach
Process and SAQ forms
Deep dive
◦ Training IT Security staff as ‘professors of PCI’
Make use of existing mailing lists and blogs
Seminars and forums – Treasury Institute & PCI SSC
◦ Getting buy-in and understanding from other OIT
units about their responsibilities and how to
implement them
22. Enormous Need For Education
Teach merchants when PCI becomes an issue
Teach IT support staff to work with business staff in
departments
Teach purchasing staff to spot PCI in agreements
Teach legal department PCI-relevant requirements
(sequential contract review)
Teach merchants what is a PCI-relevant change
Teach merchants about associated technologies
(VOIP, fax, wireless, email etc.)
Reach a consensus on the meaning of the 3.0 changes to the standard.
How to communicate these changes, and to whom?
Teach to write and update workflows
Teach incident response
Other merchant responsibilities
23. Key Business Processes
Maintaining PCI compliance is not a one-time project:
◦ PCI compliance is an ongoing process, from onboarding new merchants
to closing down accounts and the everyday changes in between
Annual assessment of existing merchants – best done in
person with IT and business staff
Try to “centralize and standardize” infrastructure and
business processes
Reinforce standardized processes through repetition in
training events and in-person visits
Bare bones web-frontends for the payment process to
minimize the risk of security holes
Assessing service providers
Monitor physical security (data centers & elsewhere)
24. Service Provider Reduction
Can proliferate if not strictly controlled
Focus on Service Provider Level 1 (>100K) –
listed at VISA web site
SP Level 2 – university is responsible for their
compliance
Look for commonalities in applications
◦ Conference/event management (NCSU 57%)
◦ Storefronts (NCSU 10%)
◦ Giving (NCSU 19%)
◦ Mobile devices
Outsource as much as possible – e.g. Touchnet
25. What next? / Future plans
Include more local Higher Ed institutions
Meet to discuss PCI DSS v3.0
CDE is top priority
Something new pops up all the time
Shift to more focused meetings, such as
scoping and CDE planning.
26. Conclusions
Unique challenges for .edu’s because of the
federated environment
◦ Like all merchants in a small town combined
PCI DSS was not written with higher
education institutions in mind
◦ Most resources, such as best practices or
whitepapers, are often geared towards
corporations usually with just a few merchant
profiles
◦ Simplify, standardize and outsource merchant
implementations as much as possible
Collaboration of .edu’s is a good way to
create a knowledgebase within the UNC
system universities to tackle PCI DSS
27. References
OSC – State Electronic Commerce Program http://www.ncosc.net/SECP/index.html
UNC-CH CERTIFI - http://finance.unc.edu/files/2013/02/charter_certifi.pdf
UNC-CH Finance policies - http://financepolicy.unc.edu/policyprocedure/308-credit-card-merchant-services/
NCSU REG 07.30.23 - Payment Card Merchant Services
NCSU Cash Receipts and Credit Card Procedures
PCI Security Standards Council - https://www.pcisecuritystandards.org/
Treasury Institute for Higher Education - http://www.treasuryinstitute.org/
Treasury Institute blog - http://treasuryinstitutepcidss.blogspot.com/
PCI Guru - http://pciguru.wordpress.com/
29. UNC Cause Proposal:
PCIDSS compliance made easier through collaboration between NC State and UNC-Chapel Hill
Abstract:
Both NC State and UNC Chapel Hill host a significant number of merchants involved in eCommerce on campus and are
therefore bound by the Payment Card Industry Data Security Standard (PCIDSS). To facilitate achieving PCIDSS
compliance, the universities have started regular meetings to discuss the eCommerce environment on both campuses
and to determine how to most efficiently work towards remediating any compliance gaps. The meetings have revealed
significant overlap in the eCommerce landscape as well as similarities in what each university sees as major issues
towards achieving compliance.
The university environment and background:
NC State and UNC-Chapel Hill are both large research universities that have more than 100 merchants involved in
eCommerce. Merchants cover the range of self-assessment questionnaires (SAQ) from SAQ-A through SAQ-D and
employ a number of third-party software packages to process payments. Even though the primary payment gateway selected by
each university differs, the third-party software selected by larger merchants often overlaps, as do the services administered by
the Office of the State Controller.
Merchant environment:
The eCommerce landscape at many universities will have a number of similar merchants, such as a book store, athletics,
alumni giving, dining and a conference center. These similarities often lead to identical third-party software being
deployed and similar questions when assessing third-party compliance. In this context, oversight of service providers for
campus merchants may pose significant problems as well as risks to universities under PCIDSS requirement 12.8. A
summary of the major software used by merchants will be presented, as well as the compliance issues involving service providers
that have arisen at both universities.
Technical challenges:
One of the main technical challenges faced by both universities involves creating a highly structured cardholder data
environment (CDE) that contradicts in many ways the open environment traditionally associated with universities.
Additional challenges involve software selection for handling log management, file integrity monitoring and remote
authentication to in-scope devices. The presentation will cover each university's proposal on how to build a
CDE and the challenges faced by the IT staff.
Future plans
So far the meetings have been limited to NC State and UNC Chapel Hill, but we have already gotten a request from
another university in the Triangle to join. Having established the status quo of eCommerce at both universities, we will
shift towards more focused meetings as we proceed on closing the remaining PCIDSS gaps at each university.
Conclusion:
The unique challenges involved in ensuring compliance in a federated environment such as a large research university
can seem overwhelming at times, since PCIDSS was not written with higher education institutions in mind, and best
practices or whitepapers are also often geared towards highly standardized merchants, such as national chain stores. This
effort started by NC State and UNC Chapel Hill has provided important insights already and could be a model for