Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

EDUCAUSE Midwest Regional Conference, March 17, 2008

Property of the University of Notre Dame


Page 1: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

EDUCAUSE Midwest Regional Conference, March 17, 2008

Page 2: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Agenda

• PCI DSS Background
• Notre Dame’s Environment
• Payment Card Environment Design
• Networking Infrastructure
• Deployment: Departments and Decentralized IT

Page 3: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

PCI DSS History

Card brand programs that preceded the Payment Card Industry Data Security Standard (PCI DSS):

• Visa Cardholder Information Security Program (CISP)
• Mastercard Site Data Protection Program (SDP)
• Discover Information Security Compliance Program (DISC)
• American Express Data Security Standard (DSS)

Page 4: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Introducing the Digital Dozen

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Page 5: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution


Who Must Comply?

• “Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.”

• “Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.”

That Probably Means You

Page 6: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Merchant Levels

Level 1 – Any merchant who processes over 6,000,000 transactions annually; any merchant designated Level 1 by Visa
Level 2 – Any merchant who processes between 1,000,000 and 6,000,000 transactions annually
Level 3 – Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually
Level 4 – Anyone else

Page 7: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution


Merchant Levels

• All merchants, regardless of level, must comply with all elements of the PCI DSS standard!

• Merchants at different levels have different validation requirements

Page 8: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Consequences

• Reputational Risk
  – What will the impact be on your institution’s brand?
  – Mandatory involvement of federal law enforcement in investigation
• Financial Risk
  – Merchant banks may pass on substantial fines
  – Up to $500,000 per incident from Visa alone
  – Civil liability and cost of providing ID theft protection

Page 9: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Consequences

• Compliance Risk
  – Exposure to Level 1 validation requirements
• Operational Risk
  – Visa-imposed operational restrictions
  – Potential loss of card processing privileges

Page 10: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Agenda

• PCI DSS Background
• Notre Dame’s Environment
• Payment Card Environment Design
• Networking Infrastructure
• Deployment: Departments and Decentralized IT

Page 11: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Notre Dame’s Environment, Circa 2006

• Over 70 merchant accounts, 15 applications
• No central oversight
• One day all of that changed…

Page 12: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

[Diagram: Notre Dame merchant accounts (67 total), mapping businesses to acceptance modules and authorization modules]

Acceptance module categories: Virtual Terminals, Pure Web, Mix; Terminal based (19), 3rd party software based (18), Web based (30); Swipe Terminals (17)

Terminal hardware shown: Omni 3200 (13), Omni 3750 (1), Tranz 330/380 (4), XD2000 (1), Blackberry RIM Wireless (1)

Software and gateway products shown: Vital (17), Vital Stage Only (2), Protobase Express (1), VeriSign Link (17), VeriSign PayFlow Link (17), VeriSign Pro (12), Able Commerce (9), ND Marketplace (9), NDFS MICROS (12), MI MICROS (1), Unify (1), Paciolan (1), Patron Edge (1), Patron Edge Online (1), Catapult (1), Publishing Concepts Inc (2), PC Charge (2)

Businesses shown: Notre Dame Band (1), Food Services (13), Development Events (1), GEM (1), RecSports (1), The Morris Inn (2), Athletics Ticket Office (1), DeBartolo Performing Arts (2), A & FS, ISBEE & Journals (1), ND Magazine (1), Student Shop (1), Alumni Association (1), Graduate School (1), Institute for Church Life (1), St Michael’s Laundry (1), Solution Center BTS (1), Center for Continuing Education (1), Commencement Videos (1), Development Donations (1), ACE (1), O’Shaughnessey Copy Center (1), Center for Liturgy (1), University Press (1), NDSP (1), Ice Rink (1), Warren Golf (2), Computer Store (1), Decio Copy Center (1), Snite (1), Domer Dollars (1), Irish Garden (1), CCE (1), Burke Golf (1), Academic Media (1), Career Center (1), Exec Ed (1), MBA Alumni Relations (1), MS Acct (1), Portfolio (1), Graduate Admissions (1), Undergraduate Admissions (2), Archives (1), ID Cards & Domer $ (2), Special Events (1), LaFortune Student Center (1), RCLC (1), Stadium Concessions (1)

Page 13: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Notre Dame’s Approach

• Conducted a risk assessment in conjunction with a PCI consulting firm
• From that, launched a credit card security program
  – First Goal: Minimize on-campus card processing
  – Second Goal: Migrate existing systems to a dedicated, isolated network
• First, reduce our footprint and then secure that footprint to the greatest degree possible

Page 14: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Agenda

• PCI DSS Background
• Notre Dame’s Environment
• Payment Card Environment Design
• Networking Infrastructure
• Deployment: Departments and Decentralized IT

Page 15: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Design: ND’s PCI Architecture

[Diagram: the PCI firewall sits between the untrusted side (Internet, router1, router2, Notre Dame campus) and a set of internal “burbs” (firewall zones), each on its own firewall interface; subnet addresses are masked as 192.168.x.y on the slide]

Burbs shown:
• UNTRUSTED BURB – Internet, router1, router2, Notre Dame campus
• PCI VPN BURB (192.168.x.y/24) – VPN Concentrators; remote POS Sites (192.168.a.b/24) connect through VPN Endpoints, carrying encrypted data only
• INFRASTRUCTURE BURB (192.168.x.y/24)
• DMZ BURB (192.168.x.y/24)
• POS BURB (192.168.x.y/24)
• NETMGT BURB (192.168.x.y/24) – Network gear interfaces; IDS/IPS Sensor on all VLANs
• Backup BURB (192.168.x.y/24)
• Odyssey Burbs – 192.168.x.y/24 Odyssey Private; a.b.c.d/29 Odyssey Public
• ScribeScanner BURB (192.168.x.y/29) – scanner

Components shown: Log Server, IDS, ePO, Tripwire App Server, Tripwire Database, Application Servers, Public Web Servers, NTP, KVM, Active Directory, Safeword, DNS, IPSentry, Remote Administrator, SQL Server (encrypted data only)

Page 16: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

System and Security Components

• Firewall and VPN
• Two factor authentication to infrastructure
• Tripwire server integrity assurance
• Juniper IDS
• POS clients and servers
• Infrastructure – NTP, DC, ePO, monitoring, KVM, central logging, etc.
• Device configuration standards
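The "server integrity assurance" item above rests on a simple idea: hash every file on a known-good host, keep that baseline somewhere the host cannot alter, and compare again on a schedule. The following is an added example written for this page, not Tripwire's code and not the university's configuration; it also goes one step beyond the slide by reconciling the differences against a list of approved changes, which is how an integrity report feeds change control. The directory tree, file contents and the approved-change list are constructed in a temporary directory.

```python
"""Added example: baseline-and-compare file integrity check with change-control
reconciliation. Not Tripwire's code; all paths and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Tuple[str, int]]   # relative path -> (sha256, size)


def snapshot(root: str) -> Snapshot:
    """Hash every regular file under root. Content hashes, not timestamps,
    are what make a later comparison trustworthy."""
    base = Path(root)
    result: Snapshot = {}
    for p in sorted(base.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            result[p.relative_to(base).as_posix()] = (digest, p.stat().st_size)
    return result


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def unapproved(diff: Dict[str, List[str]], approved: Set[str]) -> List[str]:
    """Change-control reconciliation: any changed path without an approved
    change record is a finding for the daily review."""
    changed = diff["added"] + diff["removed"] + diff["modified"]
    return sorted(p for p in changed if p not in approved)


def demo() -> Dict[str, List[str]]:
    """Build a constructed host image, take a baseline, apply one approved and
    one unapproved change, and report."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "etc").mkdir()
        (r / "bin").mkdir()
        (r / "etc" / "pos.conf").write_text("gateway=192.168.3.5\n")      # constructed
        (r / "bin" / "posd").write_bytes(b"\x7fELF constructed binary")    # constructed
        baseline = snapshot(root)

        # Two changes after the baseline: a config edit that a change ticket
        # covers, and a new file that nothing covers.
        (r / "etc" / "pos.conf").write_text("gateway=192.168.3.5\nlog_host=192.168.4.5\n")
        (r / "bin" / "helper").write_bytes(b"constructed new file")

        diff = compare(baseline, snapshot(root))
        approved = {"etc/pos.conf"}          # constructed: the ticket names only this file
        diff["unapproved"] = unapproved(diff, approved)
        return diff


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:>10}: {paths}")
```

In production the baseline would be stored off the monitored host and signed, and the comparison would run from a separate system; the logic stays the same.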

Page 17: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Firewall and IDS design

• Firewall isolates all PCI traffic
• Single external physical interface
• Single internal interface with multiple VLANs
• Zones organized by function
• Some special zones for campus systems
• Remote sites connected through VPN concentrator
• Passive IDS (tried IPS) monitors all internal traffic

Page 18: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Sidewinder Firewall

• Application proxy firewall
• Default deny inbound and outbound
• Group based VPN, access restricted by job function
• Least privilege rule base
• All access explicitly controlled
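"Default deny inbound and outbound", "zones organized by function" and "least privilege rule base" describe a policy shape rather than a product feature, so the following added example models that shape directly: addresses are mapped to zones, every permitted flow is an explicit rule, and anything unmatched is denied in both directions. This is illustration code written for this page, not Notre Dame's Sidewinder configuration. The zone names follow the burbs on the slides and the POS, DMZ and NETMGT prefixes are the ones shown later under "Key Internal Zones"; the other subnets, the hosts and every allow rule are constructed assumptions for the demo.

```python
"""Added example: zone-based default-deny policy with a least-privilege audit.
Not the university's firewall policy; subnets, hosts and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed zone map (subnet -> burb). The POS, DMZ and NETMGT prefixes are
# taken from the "Key Internal Zones" slides; the other two are assumed.
ZONES: Dict[str, str] = {
    "0.0.0.0/0": "untrusted",            # catch-all for anything not listed
    "192.168.3.0/24": "pos",
    "192.168.5.0/24": "dmz",
    "192.168.6.0/24": "netmgt",
    "192.168.4.0/24": "infrastructure",  # assumed
    "192.168.9.0/24": "pci_vpn",         # assumed
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port
    comment: str


# Constructed least-privilege rule base: every permitted flow is named
# explicitly, with a destination port and a business reason.
RULES: List[Rule] = [
    Rule("pci_vpn", "pos", "tcp", 443, "remote POS sites post encrypted transactions"),
    Rule("pos", "infrastructure", "udp", 123, "NTP time sync"),
    Rule("pos", "infrastructure", "udp", 514, "syslog to central log server"),
    Rule("dmz", "infrastructure", "udp", 514, "syslog to central log server"),
    Rule("netmgt", "pos", "tcp", 22, "administration of POS hosts from NETMGT only"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match; 0.0.0.0/0 guarantees every address lands in a zone."""
    addr = ip_address(ip)
    best = max(
        (ip_network(n) for n in ZONES if addr in ip_network(n)),
        key=lambda net: net.prefixlen,
    )
    return ZONES[str(best)]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). With no matching rule the answer is
    deny regardless of direction, which is what default deny inbound and
    outbound means in practice."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (src, dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return "allow", r.comment
    return "deny", f"default deny: no rule for {src} -> {dst} {proto}/{dport}"


def broad_rules(rules: List[Rule]) -> List[Rule]:
    """Least-privilege audit: flag rules that permit any port or any protocol,
    or that open a path to or from the untrusted side."""
    return [
        r for r in rules
        if r.dport is None or r.proto == "any"
        or "untrusted" in (r.src_zone, r.dst_zone)
    ]


if __name__ == "__main__":
    for flow in [("192.168.9.7", "192.168.3.10", "tcp", 443),
                 ("192.168.3.10", "8.8.8.8", "tcp", 80),
                 ("8.8.8.8", "192.168.5.20", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
    print("broad rules:", broad_rules(RULES))
```

Two properties of the slide's design fall out of the code: a POS host cannot reach the Internet because no rule says so, and the audit function turns "least privilege rule base" into something a reviewer can run against the rule set after every change rather than assert by inspection.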

Page 19: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution


Key Internal Zones

Page 20: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Key Internal Zones

• DMZ BURB (192.168.5.0/24)
• POS BURB (192.168.3.0/24)
• NETMGT BURB (192.168.6.0/24) – Network gear interfaces; IDS/IPS Sensor

Components shown: Application Servers, Public Web Servers, DNS

Page 21: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Key Internal Zones

• Odyssey Burbs – 192.168.7.0/24 Odyssey Private; 192.168.58.240/29 Odyssey Public
• Backup BURB (192.168.8.0/24)
• ScribeScanner BURB (192.168.15.0/29) – scanner

Page 22: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Isolating Systems: CCSP

[Diagram: Campus Net (10.10.x.y) connections to the Odyssey server and the Catapult server in protected zones (192.168.x.y), via VPN]

• Protected Zones (Catapult Server): 10.10.x.y, 192.168.x.y
• Odyssey Server: 192.168.x.y
• Catapult POS/DCOM and Remote Access: 192.168.x.y, 192.168.2.x
• Campus Net 10.10.x.y – VPN
• Privilege Devices (vending machines, meal plan, etc.) / port 57/3850/4000
• Micros Server / port 2000-2002
• NDFS03 - sybase
• Workstations / DCOM
• Connections to Odyssey

Page 23: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Isolating Systems: Internet/Campus

[Diagram: Internet/Campus traffic passes the Datacenter Firewall; the Vulnerability Scanner, Odyssey and Central Backup attach to the PCI Firewall through their own PCI Interfaces (labelled Private, Private, Public) in the Datacenter]

All system interfaces are on dedicated logical firewall interfaces

Page 24: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Agenda

• PCI DSS Background
• Notre Dame’s Environment
• Payment Card Environment Design
• Networking Infrastructure
• Deployment: Departments and Decentralized IT

Page 25: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Network Design

From the PCI Standards Document:

1. Encryption of data over open, public networks
2. Follow change control procedures
3. Review logs for all system components daily

Page 26: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Challenges

Encryption of data over open, public networks.
• Required over ‘secure’ VLANs?

Page 27: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Challenges

Follow change control procedures.
– Initial design thoughts incorporated ‘secure’ VLANs that we present at each endpoint on campus.
– This would have involved implementing change control on more than 150 network devices, including access layer switches.

Review logs for all system components daily.
– On > 150 devices?
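The question "on > 150 devices?" is really a question about tooling: a daily review only scales if a script does the first pass and a person reads the exceptions. The following added example, written for this page and not part of the presentation, shows that first pass for a small PCI zone: it parses syslog-style lines, summarises firewall denials, flags repeated failed logins, counts lines it could not parse, and, the check people most often forget, lists every in-scope device that sent nothing at all, since a silent device is as much a finding as a noisy one. The device inventory, host names and log lines are constructed for the demo.

```python
"""Added example: automated first pass of a daily log review for a PCI zone.
Not from the presentation; inventory and log lines are constructed."""
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed inventory of in-scope devices: each must log at least once a day.
INVENTORY: Set[str] = {"pci-fw1", "vpn-3015", "pos-app1", "sw-access-12", "log1"}

# Constructed log lines in a syslog-like "Mon DD HH:MM:SS host message" form.
SAMPLE_LOG = """\
Mar 17 00:02:11 pci-fw1 deny tcp 192.168.3.10:51234 -> 8.8.8.8:80 rule=default-deny
Mar 17 00:05:40 pci-fw1 allow udp 192.168.3.10:123 -> 192.168.4.5:123 rule=ntp
Mar 17 01:10:02 vpn-3015 tunnel up peer=remote-site-7
Mar 17 02:30:00 pos-app1 login failed user=admin src=192.168.6.44
Mar 17 02:30:05 pos-app1 login failed user=admin src=192.168.6.44
Mar 17 02:30:09 pos-app1 login failed user=admin src=192.168.6.44
Mar 17 02:30:14 pos-app1 login failed user=admin src=192.168.6.44
Mar 17 03:15:22 pci-fw1 deny tcp 192.168.3.10:51240 -> 8.8.8.8:443 rule=default-deny
Mar 17 03:16:00 pci-fw1 deny tcp 192.168.5.20:40000 -> 192.168.3.10:22 rule=default-deny
Mar 17 06:00:00 log1 logrotate complete
this line is not syslog and should be counted as unparsed
"""

LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
DENY_RE = re.compile(r"\bdeny (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
FAIL_RE = re.compile(r"login failed user=(?P<user>\S+) src=(?P<src>[\d.]+)")


def parse(text: str) -> Dict[str, object]:
    """Split raw text into (host, message) events and count lines that did
    not parse; silently dropping them would hide a broken log source."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["host"], m["msg"]))
        elif line.strip():
            unparsed += 1
    return {"events": events, "unparsed": unparsed}


def daily_review(text: str, inventory: Set[str], fail_threshold: int = 3) -> Dict[str, object]:
    """Produce the exception list a reviewer reads each morning."""
    parsed = parse(text)
    events = parsed["events"]
    seen = {host for host, _ in events}
    denies: Counter = Counter()
    fails: Counter = Counter()
    for host, msg in events:
        d = DENY_RE.search(msg)
        if d:
            denies[(d["src"], d["dst"], d["dport"])] += 1
        f = FAIL_RE.search(msg)
        if f:
            fails[(host, f["user"], f["src"])] += 1

    findings: List[str] = []
    silent = sorted(inventory - seen)
    for host in silent:
        findings.append(f"SILENT {host}: no log lines today; check logging path and device health")
    for (src, dst, dport), n in denies.most_common():
        findings.append(f"DENIED {src} -> {dst}:{dport} x{n}")
    for (host, user, src), n in sorted(fails.items()):
        if n >= fail_threshold:
            findings.append(f"FAILED-LOGINS {host}: {n} for {user!r} from {src}")
    if parsed["unparsed"]:
        findings.append(f"UNPARSED {parsed['unparsed']} line(s)")
    return {"reporting": len(seen), "silent": silent,
            "denies": dict(denies), "findings": findings}


if __name__ == "__main__":
    for finding in daily_review(SAMPLE_LOG, INVENTORY)["findings"]:
        print(finding)
```

The inventory is the piece that makes this a control rather than a report: it has to be maintained under the same change control as the devices themselves, or a decommissioned switch will show up as "silent" forever and a new one will never be missed.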

Page 28: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution


Devices requiring change control with ‘secure’ vlan

Page 29: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Our solution: Remote site VPNs

• Utilizes Cisco 3015 VPN concentrator with Cisco 851 VPN routers for endpoints.
• Extends the PCI network where we need it.
• We provide user subnet space based on customer need:
  – Stand-alone credit card terminals
  – POS devices
  – Single use computers

Page 30: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Additional Benefits of VPN

• The VPN tunnel provides a secure method of managing network devices.
• Provides a means of remote access for system administrators.
• Fewer devices to manage.
• Provides for easier additions to the PCI network.

Page 31: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Agenda

• PCI DSS Background
• Notre Dame’s Environment
• Payment Card Environment Design
• Networking Infrastructure
• Deployment: Departments and Decentralized IT

Page 32: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution


Deployment: Departments and Decentralized IT


Page 33: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Two Types of Support

• Central IT
  – Fewer technical users.
  – Existing payment solutions are often inherited.
  – Responsibility for payment system is often not clearly defined.
• Departmental IT
  – Internal processes and procedures.
  – Often very small staff, broad responsibilities.
  – Payment solutions are often provided by external vendors.
  – Responsibility for payment system is often inherited.

Page 34: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Existing systems

• Food Services
  – Many terminals
  – Other services blended in: vending machines, food service displays, and campus “Domer Dollars”
  – Many locations
  – Blend of commercial and custom software
  – Departmental IT
• Theater Ticketing and Events
  – Single location
  – Mobile and static workstations
  – Web driven
  – Single commercial software package
  – Only standard transactions
  – Central IT

Page 35: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Deployment Steps

• Review existing architecture
• Design solution
• Build required resources
• Test
• Migrate into production
  – Often in phases
  – Often unexpected hurdles due to legacy systems and applications

Page 36: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Challenges

• Process: creating a controlled system for adding new systems and handling changes.
• Lack of vendor documentation of protocols – many large high port groupings, reliance on local broadcast for discovery, etc.
• Split system administration
• DR for systems designed without DR capabilities.

Page 37: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution

Lessons Learned

• Review vendor documentation and current implementation.
  – Historic designs are often still in use.
• Dataflow diagrams are crucial.
• Provide a fast troubleshooting process and a defined support team.
• Provide a single point of responsibility with backup for migrations.

Page 38: Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution


Questions
