PCIDSS compliance made easier
through collaboration between
NC State and UNC-Chapel Hill

John Baines

AD Policy & Compliance, OIT, NCSU

Eva Lorenz

ITS Security, UNC Chapel Hill
UNC Cause 2013 Wilmington, NC
Outline
 PCI DSS 2.0 (3.0 soon…) – .edu concerns
 Background – Why? Who? What?
 Higher Ed and credit card compliance
 Similarities
 Differences
 Hot topics
 What next? / Future plans
 Conclusion


11/20/2013

PCI DSS Collaboration - UNC Cause 2013 Wilmington, NC

2
PCI DSS 2.0 (->3.0) .edu concerns

 PCI DSS 3.0 to be released 11-7-13, effective 1-1-14
◦ Required merchant compliance by 1 January, 2015
◦ Core 12 Security Requirements unchanged, but several new sub-requirements
 Service provider status
◦ This can happen to any institution
 Scope creep
◦ In a federated environment, this is a constant struggle
 CDE planning and maintenance
◦ Universities like changes and reorganizations
 Written documentation
◦ How much oversight can be centrally provided?
◦ Vast amount needed (not just Requirement 12)

Background – Why? Who? What?

 Two universities with federated setup and flat network
 Oversight committee from Finance/Controller and ITS/OIT
 PCI Steering Committee and CERTIFI
 Gap analysis at NC State in 2011, and UNC in 2012
 Expand on existing ISO meetings to focus on PCI DSS and compliance
 Subject to State Controller requirements and UNC-GA oversight

Organizational Entities - NCSU
 Controller’s office
 OIT Security & Compliance
 Other OIT units
 Merchants

Organizational Entities – UNC-CH
 Finance / Controller’s Office
 ITS Security + ITS Enterprise Applications
 Other ITS units (networking, hosting)
 Merchants

Controller’s office / Finance

 Controller’s office - Manager, Cash Management / Merchant Card Accountant
◦ Single point of entry
 Even with a tightly controlled CDE, change management is a struggle, so control the point of entry
◦ Business justification
 Consider establishing baseline requirements and balance versus risk to the university
◦ Obtaining a PCI Merchant Account
 Yes, there is a State Controller
◦ PCI associated business processes
 Consider developing questionnaires, standard workflows and other documentation or requirements, such as training, before the account goes live.

OIT Security & Compliance - NCSU

 Internal Security Assessor (ISA)
 Initial technical compliance
 Technical assistance (D merchants & OIT)
 Annual review by merchant
 Guidelines for SAQ A & B merchants

ITS Security (UNC-CH)

 PCI Coordinator – scheduled for ISA exam
 Initial technical compliance
 Technical assistance (vuln. and web scanning)
 POS stations physical security / annual review
 Maintain enterprise firewalls, access to CDE
Other IT Units - NCSU & UNC-CH

 Cover many different areas
◦ ComTech
 network, VOIP phones
◦ Shared hosting
 CDE and D merchants
◦ Infrastructure
 logging, patching, VMs, etc.
◦ Client Services
 end-point protection and compliance – Dedicated Payment Workstation
◦ Enterprise Application Systems
 development / implementation of PCI compliant applications, TouchNet/Nelnet

Merchants – NCSU – 124

 SAQ A – Totally outsourced – 72
 SAQ B – Simple POS – 23
 SAQ C – Virtual Terminal - 3
 SAQ D – Complex merchants – 26
◦ Dining (2)
◦ Bookstore
◦ Transportation (9)
◦ Athletics
◦ Alumni/Advancement (~5)
◦ Mail Order – Telephone Order (MOTOs) (<30…)
 Shrinking and growing…

Merchants – UNC-CH 108

 New merchants all the time
 Existing merchants change implementation frequently
 Then there is an annual review required for each merchant
 Similar ratio to NCSU, but total outsourcing done via TouchNet
 Also no SAQ C – Virtual Terminal
 Similar set of complex merchants
 UNC-CH merchant grouping for SAQ attestation
◦ TouchNet outsourced (SAQ-A)
◦ POS terminals (SAQ-B)
 all on analog
◦ Complex SAQ-D merchants
 Some TouchNet with outsourcing of credit card storage, but accepting credit cards in person
 Some merchants have servers with credit card storage on campus

Service Providers

Business | UNC | NCSU
Main Gateway | TouchNet (AOC, ROC) | Nelnet
 | Cybersource (e-Tix K) | Cybersource
 | PayFlowPro | PayFlowPro
Dining | Micros (SP) | Micros - CVENT
Bookstore | Sequoia (version, kiosk) | Sequoia
Advancement | Blackbaud | Convio
Athletics | Paciolan | Paciolan
Phonathon | Ruffalo Cody (version 1) | Ruffalo Cody (version 2)
Foundation / Fundraising | Convio | Convio
Conference center | TouchNet (Kiosk) | (Complex)
Parking | FederalAPD (ScanNet) | Data Tran

Governance - NCSU

 PCI Steering Committee
◦ University controller chairs
◦ Representatives of four of the largest merchants
◦ Members of update team participate
◦ Meets quarterly and by email
 PCI Update team
◦ External Project Manager
◦ Controller’s office
◦ OIT Security & Compliance
◦ OIT EAS (Enterprise systems development group)
◦ Not a dedicated team…
◦ Meets bi-weekly

Organizational Entities – UNC-CH

 CERTIFI
◦ Finance – Chair Controller’s Office
◦ ITS Security
◦ ITS EA
◦ Merchant representatives
◦ IT units
◦ Sponsored by CISO and University Controller
◦ Meets every two weeks
◦ Some voting / decisions by email

Similarities

 POS SAQ B analog phones
 Student groups with mobile gadgets
◦ NCSU now has a cellular POS device from SunTrust/Firstdata. Plans to make this a loaner service for conferences and events
 Conference Center - multi-functional
 SAQ D merchants, such as book store, athletics, alumni giving, dining and a conference center.
 Identical third party software being deployed and similar issues assessing third party compliance.
 Oversight of service providers for campus merchants - significant problems and risks – PCI DSS Req 12.8

Differences

 Choice of third parties
◦ Issues to deal with are complex, including compliance, documentation, oversight
 Choice of payment gateway
◦ Select a primary one, but make sure it can meet the business needs.
 Network
◦ UNC
 Will have some duplicate infrastructure for CDE (e.g. DNS, SCCM, AV)
 Border firewall and implications for service provider role
◦ NCSU
 Shares infrastructure services for PCI compliance.
 No border firewall
 Relies on logical or administrative control of separation regarding the firewalls, building switches and core routers (VLANs, MPLS).
 Dedicated resources include a wireless network at the football stadium
 Medical center
◦ Shared network, but two separate entities
◦ Remote locations accepting credit cards
◦ Change in payment processing by these entities (UNC-H)

Hot Topics
 PCI scope
 CDE planning
 Enormous need for education
 Key business processes to maintain PCI compliance
 Service provider reduction

PCI scope (NCSU)

 Primary scope – anything that transmits, processes or stores the PAN e.g.:
◦ Cardholder Data Environment – store PAN
◦ Any network transmitting PAN
◦ Otherwise non-primary scope, but located in CDE without network control
◦ Mail Order Telephone Order workstations
◦ Intelligent POS devices (e.g. Cash Registers)
◦ Wireless at football stadium only
 Secondary scope – ANYTHING that supports or connects to primary scope, e.g.:
◦ Maintenance workstations that connect to CDE (2 factor auth!)
◦ Active Directory, DNS, VMware, etc.
 For secondary scope:
◦ Logging and patching are required
◦ But other PCI DSS controls that are needed vary by case

PCI scope (UNC-CH)

 Primary scope – anything that transmits, processes or stores the PAN e.g.:
◦ Cardholder Data Environment – with some PAN storage
◦ Any network transmitting PAN (but not vendor vlan!)
◦ Any workstation processing cards by phone, fax or mail
◦ No wireless transmission of credit cards
 Secondary scope – ANYTHING that supports or connects to primary scope, e.g.:
◦ Sysadmin Workstations that connect to CDE (2 factor auth!)
◦ Splunk, Firewalls
◦ Supporting infrastructure (AD, DNS, etc.) – duplicated for CDE
 For secondary scope:
◦ Logging and patching are required
◦ But other PCI DSS controls that are needed will vary by case
 NO email! (Basic requirement – NCSU also)

CDE planning (NCSU)

 Started 2005
 Dedicated:
◦ Sub-network(s)
◦ CDE for SAQ D’s created early
◦ Physical (now VM) servers
 Contains all approved PANs - encrypted
 Supported by OIT Hosting Services unit
 All simple Web authorization supported through Nelnet redirection (no NCSU located CDE)

CDE planning (UNC-CH)

 Started 2012
 Dedicated:
◦ Segmented vlans with hardware firewalls
◦ Contains servers, desktops, cash registers, payment stations and supporting infrastructure
 Possible exceptions: e.g. logging server (Splunk)
 Contains all approved PANs - encrypted
 Supported by Windows Systems group and ITS Security
 Does not include servers hosting websites that process customer entered payment data with redirection of credit card data to external service provider

Enormous Need For Education

 12. Maintain an Information Security Policy
 Found over 100 sub-requirements for doc
 Multiple audiences for training:
◦ Merchants –
 Overall concepts and approach
 Process and SAQ forms
 Deep dive
◦ Training IT Security staff as ‘professors of PCI’
 Make use of existing mailing lists and blogs
 Seminars and forums – Treasury Institute & PCI SSC
◦ Getting buy-in and understanding from other OIT units about their responsibilities and how to implement them
Enormous Need For Education

 Teach merchants when PCI becomes an issue
 Teach IT support staff to work with business staff in departments
 Teach purchasing staff to spot PCI in agreements
 Teach legal department PCI-relevant requirements (sequential contract review)
 Teach merchants what is a PCI-relevant change
 Teach merchants about associated technologies (VOIP, fax, wireless, email etc.)
 Reach a consensus on the meaning of the 3.0 changes to the standard. How to communicate this change and to whom?
 Teach to write and update workflows
 Teach incident response
 Other merchant responsibilities

Key Business Processes

 Maintaining PCI compliance is not a one-time project:
◦ PCI compliance is an ongoing process from onboarding new merchants to closing down accounts and everyday changes in between
 Annual assessment of existing merchants – best done in person with IT and business staff
 Try to “centralize and standardize” infrastructure and business processes
 Reinforce standardized processes through repetition in training events and in-person visits
 Bare bones web-frontends for the payment process to minimize the risk of security holes
 Assessing service providers
 Monitor physical security (data centers & elsewhere)

Service Provider Reduction
 Can proliferate if not strictly controlled
 Focus on Service Provider Level 1 (>100K) – listed at VISA web site
 SP Level 2 – university is responsible for their compliance
 Look for commonalities in applications
◦ Conference/event management (NCSU 57%)
◦ Storefronts – (NCSU 10%)
◦ Giving (NCSU – 19%)
◦ Mobile devices
 Outsource as much as possible – e.g. Touchnet

What next? / Future plans
 Include more local Higher Ed institutions
 Meet to discuss PCI DSS v3.0
 CDE is top priority
 Something new pops up all the time
 Shift to more focused meetings, such as scoping and CDE planning.

Conclusions

 Unique challenges for .edu’s because of the federated environment
◦ Like all merchants in a small town combined
 PCI DSS was not written with higher education institutions in mind
◦ Most resources, such as best practices or whitepapers, are often geared towards corporations usually with just a few merchant profiles
◦ Simplify, standardize and outsource merchant implementations as much as possible
 Collaboration of .edu’s is a good way to create a knowledgebase within the UNC system universities to tackle PCI DSS

References

 OSC – State Electronic Commerce Program - http://www.ncosc.net/SECP/index.html
 UNC-CH CERTIFI - http://finance.unc.edu/files/2013/02/charter_certifi.pdf
 UNC-CH Finance policies - http://financepolicy.unc.edu/policyprocedure/308-credit-card-merchant-services/
 NCSU REG 07.30.23 - Payment Card Merchant Services | Policies
 NCSU Cash Receipts and Credit Card Procedures
 PCI Security Standards Council - https://www.pcisecuritystandards.org/
 Treasury Institute for Higher Education - http://www.treasuryinstitute.org/
 Treasury Institute blog - http://treasuryinstitutepcidss.blogspot.com/
 PCI Guru - http://pciguru.wordpress.com/

Questions?

UNC Cause Proposal:
PCIDSS compliance made easier through collaboration between NC State and UNC-Chapel Hill

Abstract:
Both NC State and UNC Chapel Hill host a significant number of merchants involved in eCommerce on campus and are therefore bound by the Payment Card Industry Data Security Standard (PCIDSS). To facilitate achieving PCIDSS compliance, the universities have started regular meetings to discuss the eCommerce environment on both campuses and to determine how to most efficiently work towards remediating any compliance gaps. The meetings have revealed significant overlap in the eCommerce landscape as well as similarities in what each university sees as major issues towards achieving compliance.

The university environment and background:
NC State and UNC-Chapel Hill are both large research universities that have more than 100 merchants involved in eCommerce. Merchants cover the range of self-assessment questionnaires (SAQ) from SAQ-A through SAQ-D and employ a number of third party software packages to process payments. Even though the primary payment gateway selected by each university differs, the third party software selected by larger merchants often overlaps, as do services administered by the Office of the State Controller.

Merchant environment:
The eCommerce landscape at many universities will have a number of similar merchants, such as book store, athletics, alumni giving, dining and a conference center. These similarities often lead to identical third party software being deployed and similar questions when assessing third party compliance. In this context, oversight of service providers for campus merchants may pose significant problems as well as risks to universities under PCIDSS requirement 12.8. A summary of major software by merchants will be presented as well as the compliance issues involving service providers that have arisen at both universities.

Technical challenges:
One of the main technical challenges faced by both universities involves creating a highly structured cardholder data environment (CDE) that contradicts in many ways the open environment traditionally associated with universities. Additional challenges involve software selection for handling log management, file integrity monitoring and remote authentication to in-scope devices. The presentation will include proposals by each university on how to generate a CDE and which challenges are faced by the IT staff.

Future plans:
So far the meetings have been limited to NC State and UNC Chapel Hill, but we have already gotten a request from another university in the Triangle to join. Having established the status quo of eCommerce at both universities, we will shift towards more focused meetings as we proceed on closing remaining PCIDSS gaps at either university.

Conclusion:
The unique challenges involved in ensuring compliance in a federated environment such as a large research university can seem overwhelming at times since PCIDSS was not written with higher education institutions in mind, and best practices or whitepapers are also often geared towards highly standardized merchants, such as national chain stores. This effort started by NC State and UNC Chapel Hill has provided important insights already and could be a model for

 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

PCIDSS compliance made easier through a collaboration between NC State and UNC-Chapel Hill

  • 1. PCIDSS compliance made easier through collaboration between NC State and UNC-Chapel Hill
    John Baines, AD Policy & Compliance, OIT, NCSU
    Eva Lorenz, ITS Security, UNC Chapel Hill
    UNC Cause 2013, Wilmington, NC

  • 2. Outline
     PCI DSS 2.0 (3.0 soon…) – .edu concerns
     Background – Why? Who? What?
     Higher Ed and credit card compliance
     Similarities
     Differences
     Hot topics
     What next? / Future plans
     Conclusion
    11/20/2013 PCI DSS Collaboration - UNC Cause 2013 Wilmington, NC 2

  • 3. PCI DSS 2.0 (->3.0) .edu concerns
     PCI DSS 3.0 to be released 11-7-13, effective 1-1-14
      ◦ Required merchant compliance by 1 January, 2015
      ◦ Core 12 Security Requirements unchanged, but several new sub-requirements
     Service provider status
      ◦ This can happen to any institution
     Scope creep
      ◦ In a federated environment, this is a constant struggle
     CDE planning and maintenance
      ◦ Universities like changes and reorganizations
     Written documentation
      ◦ How much oversight can be centrally provided?
      ◦ Vast amount needed (not just Requirement 12)

  • 4. Background – Why? Who? What?
     Two universities with federated setup and flat network
     Oversight committee from Finance/Controller and ITS/OIT
     PCI Steering Committee and CERTIFI
     Gap analysis at NC State in 2011, and UNC in 2012
     Expand on existing ISO meetings to focus on PCI DSS and compliance
     Subject to State Controller requirements and UNC-GA oversight

  • 5. Organizational Entities - NCSU
     Controller’s office
     OIT Security & Compliance
     Other OIT units
     Merchants
    Organizational Entities – UNC-CH
     Finance / Controller’s Office
     ITS Security + ITS Enterprise Applications
     Other ITS units (networking, hosting)
     Merchants
  • 6. Controller’s office / Finance
     Controller’s office - Manager, Cash Management / Merchant Card Accountant
      ◦ Single point of entry
        Even with a tightly controlled CDE, change management is a struggle, so control the point of entry
      ◦ Business justification
        Consider establishing baseline requirements and balance versus risk to the university
      ◦ Obtaining a PCI Merchant Account
        Yes, there is a State Controller
      ◦ PCI associated business processes
        Consider developing questionnaires, standard workflows and other documentation or requirements, such as training, before the account goes live.

  • 7. OIT Security & Compliance - NCSU
     Internal Security Assessor (ISA)
     Initial technical compliance
     Technical assistance (D merchants & OIT)
     Annual review by merchant
     Guidelines for SAQ A & B merchants
    ITS Security (UNC-CH)
     PCI Coordinator – scheduled for ISA exam
     Initial technical compliance
     Technical assistance (vuln. and web scanning)
     POS stations physical security / annual review
     Maintain enterprise firewalls, access to CDE

  • 8. Other IT Units - NCSU & UNC-CH
     Cover many different areas
      ◦ ComTech: network, VOIP phones
      ◦ Shared hosting: CDE and D merchants
      ◦ Infrastructure: logging, patching, VMs, etc.
      ◦ Client Services: end-point protection and compliance – Dedicated Payment Workstation
      ◦ Enterprise Application Systems: development/implementation of PCI compliant applications, TouchNet/Nelnet

  • 9. Merchants – NCSU – 124
     SAQ A – Totally outsourced – 72
     SAQ B – Simple POS – 23
     SAQ C – Virtual Terminal – 3
     SAQ D – Complex merchants – 26
      ◦ Dining (2)
      ◦ Bookstore
      ◦ Transportation (9)
      ◦ Athletics
      ◦ Alumni/Advancement (~5)
      ◦ Mail Order – Telephone Order (MOTOs) (<30…)
     Shrinking and growing…

  • 10. Merchants – UNC-CH – 108
     New merchants all the time
     Existing merchants change implementation frequently
     Then there is an annual review required for each merchant
     Similar ratio as NCSU, but total outsourcing done via TouchNet
     Also no SAQ C – Virtual Terminal
     Similar set of complex merchants
     UNC-CH merchant grouping for SAQ attestation
      ◦ TouchNet outsourced (SAQ-A)
      ◦ POS terminals (SAQ-B): all on analog
      ◦ Complex SAQ-D merchants
        Some TouchNet with outsourcing of credit card storage, but accepting credit cards in person
        Some merchants have servers with credit card storage on campus

  • 11. Service Providers
    Business                 | UNC                        | NCSU
    Main Gateway             | TouchNet (AOC, ROC)        | Nelnet
                             | Cybersource (e-Tix K)      | Cybersource
                             | PayFlowPro                 | PayFlowPro
    Dining                   | Micros (SP)                | Micros - CVENT
    Bookstore                | Sequoia (version, kiosk)   | Sequoia
    Advancement              | Blackbaud                  | Convio
    Athletics                | Paciolan                   | Paciolan
    Phonathon                | Ruffalo Cody (version 1)   | Ruffalo Cody (version 2)
    Foundation / Fundraising | Convio                     | Convio
    Conference center        | TouchNet (Kiosk)           | (Complex)
    Parking                  | FederalAPD (ScanNet)       | Data Tran

  • 12. Governance - NCSU
     PCI Steering Committee
      ◦ University controller chairs
      ◦ Representatives of four of largest merchants
      ◦ Members of update team participate
      ◦ Meets quarterly and by email
     PCI Update team
      ◦ External Project Manager
      ◦ Controller’s office
      ◦ OIT Security & Compliance
      ◦ OIT EAS (Enterprise systems development group)
      ◦ Not a dedicated team…
      ◦ Meets bi-weekly

  • 13. Organizational Entities – UNC-CH
     CERTIFI
      ◦ Finance – Chair
      ◦ Controller’s Office
      ◦ ITS Security
      ◦ ITS EA
      ◦ Merchant representatives
      ◦ IT units
      ◦ Sponsored by CISO and University Controller
      ◦ Meets every two weeks
      ◦ Some voting / decisions by email
  • 14. Similarities
     POS SAQ B analog phones
     Student groups with mobile gadgets
      ◦ NCSU now has a cellular POS device from SunTrust/Firstdata. Plans to make this a loaner service for conferences and events
     Conference Center - multi-functional
     SAQ D merchants, such as book store, athletics, alumni giving, dining and a conference center.
     Identical third party software being deployed and similar issues assessing third party compliance.
     Oversight of service providers for campus merchants - significant problems and risks – PCI DSS Req 12.8

  • 15. Differences
     Choice of third parties
      ◦ Issues to deal with are complex, including compliance, documentation, oversight
     Choice of payment gateway
      ◦ Select a primary one, but make sure it can meet the business needs.
     Network
      ◦ UNC
        Will have some duplicate infrastructure for CDE (e.g. DNS, SCCM, AV)
        Border Firewall and implications for service provider role
      ◦ NCSU
        Shares infrastructure services for PCI compliance.
        No border firewall
        Relies on logical or administrative control of separation regarding the firewalls, building switches and core routers (VLANs, MPLS).
        Dedicated resources include a wireless network at the football stadium
     Medical center
      ◦ Shared network, but two separate entities
      ◦ Remote locations accepting credit cards
      ◦ Change in payment processing by these entities (UNC-H)

  • 16. Hot Topics
     PCI scope
     CDE planning
     Enormous need for education
     Key business processes to maintain PCI compliance
     Service provider reduction

  • 17. PCI scope (NCSU)
     Primary scope – anything that transmits, processes or stores the PAN, e.g.:
      ◦ Cardholder Data Environment – stores PAN
      ◦ Any network transmitting PAN
      ◦ Otherwise non-primary scope, but located in CDE without network control
      ◦ Mail Order Telephone Order workstations
      ◦ Intelligent POS devices (e.g. Cash Registers)
      ◦ Wireless at football stadium only
     Secondary scope – ANYTHING that supports or connects to primary scope, e.g.:
      ◦ Maintenance workstations that connect to CDE (2 factor auth!)
      ◦ Active Directory, DNS, VMware, etc.
     For secondary scope:
      ◦ Logging and patching are required
      ◦ But other PCI DSS controls that are needed vary by case

  • 18. PCI scope (UNC-CH)
     Primary scope – anything that transmits, processes or stores the PAN, e.g.:
      ◦ Cardholder Data Environment – with some PAN storage
      ◦ Any network transmitting PAN (but not vendor vlan!)
      ◦ Any workstation processing cards by phone, fax or mail
      ◦ No wireless transmission of credit cards
     Secondary scope – ANYTHING that supports or connects to primary scope, e.g.:
      ◦ Sysadmin workstations that connect to CDE (2 factor auth!)
      ◦ Splunk, Firewalls
      ◦ Supporting infrastructure (AD, DNS, etc.) – duplicated for CDE
     For secondary scope:
      ◦ Logging and patching are required
      ◦ But other PCI DSS controls that are needed will vary by case
     NO email! (Basic requirement – NCSU also)
  • 19. CDE planning (NCSU)
     Started 2005
     Dedicated:
      ◦ Sub-network(s)
      ◦ CDE for SAQ D’s created early
      ◦ Physical (now VM) servers
     Contains all approved PANs - encrypted
     Supported by OIT Hosting Services unit
     All simple Web authorization supported through Nelnet redirection (no NCSU located CDE)

  • 20. CDE planning (UNC-CH)
     Started 2012
     Dedicated:
      ◦ Segmented vlans with hardware firewalls
      ◦ Contains servers, desktops, cash registers, payment stations and supporting infrastructure
        Possible exceptions: e.g. logging server (Splunk)
     Contains all approved PANs - encrypted
     Supported by Windows Systems group and ITS Security
     Does not include servers hosting websites that process customer entered payment data with redirection of credit card data to external service provider

  • 21. Enormous Need For Education
     12. Maintain an Information Security Policy
     Found over 100 sub-requirements for documentation
     Multiple audiences for training:
      ◦ Merchants
        Overall concepts and approach
        Process and SAQ forms
        Deep dive
      ◦ Training IT Security staff as ‘professors of PCI’
        Make use of existing mailing lists and blogs
        Seminars and forums – Treasury Institute & PCI SSC
      ◦ Getting buy-in and understanding from other OIT units about their responsibilities and how to implement them

  • 22. Enormous Need For Education
     Teach merchants when PCI becomes an issue
     Teach IT support staff to work with business staff in departments
     Teach purchasing staff to spot PCI in agreements
     Teach legal department PCI-relevant requirements (sequential contract review)
     Teach merchants what is a PCI-relevant change
     Teach merchants about associated technologies (VOIP, fax, wireless, email etc.)
     Reach a consensus on the meaning of the 3.0 changes to the standard. How to communicate this change and to whom?
     Teach how to write and update workflows
     Teach incident response
     Other merchant responsibilities

  • 23. Key Business Processes
     Maintaining PCI compliance is not a one time project:
      ◦ PCI compliance is an ongoing process from onboarding new merchants to closing down accounts and everyday changes in between
     Annual assessment of existing merchants – best done in person with IT and business staff
     Try to “centralize and standardize” infrastructure and business processes
     Reinforce standardized processes through repetition in training events and in-person visits
     Bare bones web-frontends for the payment process to minimize the risk of security holes
     Assessing service providers
     Monitor physical security (data centers & elsewhere)

  • 24. Service Provider Reduction
     Can proliferate if not strictly controlled
     Focus on Service Provider Level 1 (>100K) – listed at VISA web site
     SP Level 2 – university is responsible for their compliance
     Look for commonalities in applications
      ◦ Conference/event management (NCSU 57%)
      ◦ Storefronts (NCSU 10%)
      ◦ Giving (NCSU 19%)
      ◦ Mobile devices
     Outsource as much as possible – e.g. Touchnet
  • 25. What next? / Future plans
     Include more local Higher Ed institutions
     Meet to discuss PCI DSS v3.0
     CDE is top priority
     Something new pops up all the time
     Shift to more focused meetings, such as scoping and CDE planning.

  • 26. Conclusions
     Unique challenges for .edu’s because of the federated environment
      ◦ Like all merchants in a small town combined
     PCI DSS was not written with higher education institutions in mind
      ◦ Most resources, such as best practices or whitepapers, are often geared towards corporations usually with just a few merchant profiles
      ◦ Simplify, standardize and outsource merchant implementations as much as possible
     Collaboration of .edu’s is a good way to create a knowledgebase within the UNC system universities to tackle PCI DSS

  • 27. References
     OSC – State Electronic Commerce Program - http://www.ncosc.net/SECP/index.html
     UNC-CH CERTIFI - http://finance.unc.edu/files/2013/02/charter_certifi.pdf
     UNC-CH Finance policies - http://financepolicy.unc.edu/policyprocedure/308-credit-card-merchant-services/
     NCSU REG 07.30.23 - Payment Card Merchant Services | Policies
     NCSU Cash Receipts and Credit Card Procedures
     PCI Security Standards Council - https://www.pcisecuritystandards.org/
     Treasury Institute for Higher Education - http://www.treasuryinstitute.org/
     Treasury Institute blog - http://treasuryinstitutepcidss.blogspot.com/
     PCI Guru - http://pciguru.wordpress.com/

  • 28. Questions?

  • 29. UNC Cause Proposal: PCIDSS compliance made easier through collaboration between NC State and UNC-Chapel Hill

    Abstract: Both NC State and UNC Chapel Hill host a significant number of merchants involved in eCommerce on campus and are therefore bound by the Payment Card Industry Data Security Standard (PCIDSS). To facilitate achieving PCIDSS compliance, the universities have started regular meetings to discuss the eCommerce environment on both campuses and to determine how to most efficiently work towards remediating any compliance gaps. The meetings have revealed significant overlap in the eCommerce landscape as well as similarities in what each university sees as major issues towards achieving compliance.

    The university environment and background: NC State and UNC-Chapel Hill are both large research universities that have more than 100 merchants involved in eCommerce. Merchants cover the range of self-assessment questionnaires (SAQ) from SAQ-A through SAQ-D and employ a number of third party software products to process payments. Even though the primary payment gateway selected by each university differs, the third party software selected by larger merchants often overlaps, as do services administered by the Office of the State Controller.

    Merchant environment: The eCommerce landscape at many universities will have a number of similar merchants, such as book store, athletics, alumni giving, dining and a conference center. These similarities often lead to identical third party software being deployed and similar questions when assessing third party compliance. In this context, oversight of service providers for campus merchants may pose significant problems as well as risks to universities under PCIDSS requirement 12.8. A summary of major software used by merchants will be presented, as well as the compliance issues involving service providers that have arisen at both universities.

    Technical challenges: One of the main technical challenges faced by both universities involves creating a highly structured cardholder data environment (CDE) that contradicts in many ways the open environment traditionally associated with universities. Additional challenges involve software selection for handling log management, file integrity monitoring and remote authentication to in-scope devices. The presentation will include proposals by either university on how to generate a CDE and which challenges are faced by the IT staff.

    Future plans: So far the meetings have been limited to NC State and UNC Chapel Hill, but we have already received a request from another university in the Triangle to join. Having established the status quo of eCommerce at both universities, we will shift towards more focused meetings as we proceed on closing remaining PCIDSS gaps at either university.

    Conclusion: The unique challenges involved in ensuring compliance in a federated environment such as a large research university can seem overwhelming at times, since PCIDSS was not written with higher education institutions in mind, and best practices or whitepapers are also often geared towards highly standardized merchants, such as national chain stores. This effort started by NC State and UNC Chapel Hill has provided important insights already and could be a model for
    11/20/2013 PCI DSS Collaboration - UNC Cause 2013 Wilmington, NC 29