Post on 20-Aug-2020
© Copyright 2006 AmbironTrustWave Confidential
PCI Compliance in Higher Education
Donnie Otterness
Agenda
• The Problem
  - Challenges for Higher Ed
  - Confidential Information
  - History of PCI
  - Who does it apply to?
  - What does it require?
  - The PCI Data Security Standard
  - Costs of non-compliance
• Roles and Responsibilities
• Best Practices
The Problem
"Since January, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide… Colleges accounted for…roughly 30% of computer security breaches reported in the media last year, according to ChoicePoint, a consumer data-collecting firm in Georgia."
Doan, Lynn. "College Door Ajar for Online Criminals." Los Angeles Times, 30 May 2006. Accessed 5 June 2006. <http://www.latimes.com/technology/la-me-hacks30may30,0,1085392.story?coll=la-home-headlines>
Higher Ed's Security Challenges
• Commitment to open networks
  - To facilitate the free exchange of ideas
• Payment processes spread over a large geographical area
  - Often necessitating multiple IT departments
• Dependence on outside state and federal funding
• Myriad of merchants on one campus
  - Merchant ID management
A Wealth of Personal Information
Data stored on university networks:
• Health Records
• Social Security Numbers
• Grades
• Student Loan Information
• Bank Account Information
• Research Information
• Payment Card Information
From (among others):
• Hospitals
• Book stores
• Cafeterias
• Athletics
• Housing
• Parking
Payment Card Acceptance
Now, more than ever, a number of "merchants" on a university's campus are accepting payment cards.
And as the Payment Card Industry's Data Security Standard states:
"PCI Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data."
Security Compliance Program Evolution
• May 2001: MasterCard International announces plans for the Site Data Protection (SDP) Program
• June 2001: Visa USA releases the Cardholder Information Security Program (CISP); makes the requirements mandatory
• January 2002: Visa USA begins to target the top 100 e-commerce merchants to validate compliance with CISP
• June 2003: MasterCard solicits security vendors to perform SDP scans of e-commerce merchants
• June 2004: Visa announces Payment Application Best Practices (PABP) for application developers to validate compliance with CISP
• July 2004: Discover Network launches Discover Information Security Compliance (DISC), targeting their top 30,000 e-commerce merchants
• September 2004: All Visa USA service providers and Level 1 merchants must validate compliance by Sept. 30, 2004
• December 2004: Visa USA and MasterCard International announce PCI DSS, aligning the CISP and SDP standards and compliance requirements
Merchant Levels Defined
• Merchant Level 1: Any merchant processing over 6 million Visa or MasterCard transactions per year, compromised in the last year, or identified by another card brand as Level 1
• Merchant Level 2: Any merchant processing 1 million to 6 million Visa or MasterCard transactions per year
• Merchant Level 3: Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year
• Merchant Level 4: Any merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year
Merchant Compliance Validation
Level 1
  Validation actions: Annual on-site security audit and quarterly network scan
  Scope: Authorization and settlement systems (audit); Internet-facing perimeter systems (scan)
  Validated by: Independent assessor, or internal auditor if signed by an officer of the company (audit); qualified independent scan vendor (scan)
Levels 2 and 3
  Validation actions: Annual Self-Assessment Questionnaire and quarterly network scan
  Scope: Any systems storing, processing, or transmitting cardholder data (questionnaire); Internet-facing perimeter systems (scan)
  Validated by: Merchant (questionnaire); qualified independent scan vendor (scan)
Level 4
  Validation actions: Annual Self-Assessment Questionnaire recommended; network scan recommended
  Scope: Any systems storing, processing, or transmitting cardholder data (questionnaire); Internet-facing perimeter systems (scan)
  Validated by: Merchant (questionnaire); qualified independent scan vendor (scan)
PCI DSS Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data (use encryption)
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Validation and Documentation
• "Partial compliance" is not accepted by the card associations.
• The amount of effort required and the length of the assessment depend on a number of factors:
  - Remediation required
  - Resources available to work on internal projects
• Merchants must validate their compliance by submitting the required documentation to their acquirer
• Documentation must be available to the card associations upon request
Cost of a Compromise
Average Investigation Cost: $20,000
Average Remediation Cost: $48,000
Average Potential Fines, Fees, etc.: $2,100,000
PCI Non-Compliance Implications
Members (the card associations' member banks) receive "safe harbor" for merchants that have been compromised but were found to be PCI compliant at the time of the security breach.
If a merchant does not comply with the security requirements of the PCI standard, the associations may:
• Impose fines of up to $500,000 per incident
• Impose restrictions on card acceptance
• Permanently prohibit card acceptance
Roles & Responsibilities
Card Associations
• Keep the standard
  - Current
  - Relevant
  - Clear
• Examine the effects of implementing the standard
  - Ensure it is feasible
• Govern interpretation of the standard
• Define merchant levels and validation requirements
• Determine and issue fines for non-compliance
Acquiring Banks
• Negotiate merchant agreements
• Inform merchants of PCI
  - Determine merchants' levels
  - Validation requirements
• Define liability in the event of a breach
Merchants
• Meet PCI requirements
• Complete the self-assessment questionnaire, if necessary
• Hire a qualified independent scan vendor, if necessary
• Engage a qualified outside assessor, if necessary
• Protect other confidential information
PCI Best Practices for Higher Ed
Buy-in
• Gather relevant information to present to upper management
  - Articles/headlines
  - Liability costs: monetary and reputational
• Create a compliance management position or assign a project manager
• Develop communications to inform and engage the entire university
  - Form a payment card acceptance review board
  - Create an administrative payment card acceptance guide
  - Distribute an introductory letter
• Educate on PCI
  - Identify stakeholders
  - Explain consequences
Assessment
• Assign accountability to department heads for their network infrastructure
• Meet with department heads
  - Determine scope
  - Which departments accept payment cards, and how
  - Examine IP addresses and merchant IDs
• Engage an outside assessor, if necessary
• Outline the risks and rewards of departments accepting payment cards
Segmentation
• Segment the network
• Separate open-access areas from critical assets
• Restrict access
  - Need-to-know
• Use technology to cordon off segments
  - Firewalls
  - Intrusion Detection
  - Intrusion Prevention
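What "cordon off the segment with a firewall" looks like in practice is a default-deny forwarding policy at the boundary of the cardholder-data segment, with the open campus network unable to reach it at all. The ruleset below is an added example, not from the presentation or any vendor; it assumes a Linux firewall running nftables with hypothetical interface names (campus0 for the open campus network, cde0 for the cardholder-data segment, mgmt0 for the administrative network, wan0 for the Internet uplink), a hypothetical jump host at 10.30.0.5, and the documentation address 203.0.113.10 standing in for the payment processor's gateway.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the presentation). Interface names and addresses
# are hypothetical; 203.0.113.10 is a documentation address standing in for
# the payment processor's gateway.
flush ruleset

table inet cde_edge {
    chain forward {
        # Default deny: nothing crosses a segment boundary unless listed below.
        type filter hook forward priority filter; policy drop;

        # Replies to sessions permitted below; drop anything the state table rejects.
        ct state established,related accept
        ct state invalid drop

        # Open campus network has no path into the cardholder-data segment.
        iifname "campus0" oifname "cde0" counter drop

        # CDE hosts may reach only the processor's gateway, only over TLS.
        iifname "cde0" oifname "wan0" ip daddr 203.0.113.10 tcp dport 443 accept

        # Administrative access only from the jump host, and every session is logged.
        iifname "mgmt0" oifname "cde0" ip saddr 10.30.0.5 tcp dport { 22, 3389 } log prefix "cde-admin " accept

        # Everything else destined for the CDE is logged (for the IDS/IPS) and dropped.
        oifname "cde0" log prefix "cde-denied " counter drop
    }
}
```

The counters and log prefixes are what make the segmentation auditable: a rising "cde-denied" count from campus0 is exactly the traffic a quarterly scan or an assessor will ask about, and the "cde-admin" log feeds Requirement 10's tracking of access to cardholder data. Note that a host with a second interface bridging campus0 and cde0 silently defeats this ruleset, which is why scoping (which IP addresses actually sit in the segment) has to come before the firewall design.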
Third Parties
• Ensure the party signs a third-party agreement
  - Clearly specify/assign liability
• Use a payment application that follows PABP, Visa's Payment Application Best Practices
Training Staff
Establish yearly training sessions for staff that address:
• PCI compliance and its importance
• The university's policies and procedures
• Accepting payment cards
• Requesting a merchant ID
• Consequences for failing to follow policy
• The incident response plan
• Resources
Questions?
Donnie Otterness, Senior Business Manager
(312) 629-1111 ext. 31
dotterness@atwcorp.com