What you need to know about PCI-DSS
Jane Drews, Chief Information Security Officer
Information Security & Policy Office
jane-drews@uiowa.edu, 5-5537

Posted on 17-Jan-2016




Topics

1. PCI-DSS Basics for University of Iowa merchants
2. Point to Point Encryption (P2PE)
3. EMV Credit Cards
4. Isolated “PCI Environment” for University CC operations


PCI-DSS: Basics

1. UI policy requires merchants to comply with PCI-DSS, no exceptions
2. Reducing PCI-DSS “scope” is our strategy to reduce UI compliance requirements and minimize the institution’s risk of a card data breach
3. Scope is about communication between devices
   • Any IT device or system involved in processing card payments, or that shares the infrastructure that supports payments, is “in scope” and must comply
   • Encryption has been touted by some vendors as a way to avoid the rigor of compliance; however, that has not been demonstrated, and it is not UI policy
4. It is not the card brands but the acquiring bank that decides how we must validate our compliance


Point to Point Encryption (P2PE):

• P2PE Standard = technology and processes to protect account data from the point of interaction (card reader) to the point of initial decryption (transaction processor)
• Card reader establishes an encrypted “tunnel” through which the PAN is sent to the processor. The authorization code is returned and sent to the point of sale cash register or the server
• PAN is never seen by the cash register or the server
• The merchant is never allowed to perform encryption key management under the P2PE standard


• The standard for point-to-point encryption solutions does not supersede the PCI Data Security Standard, PCI PIN Security Requirements, or any other PCI Standards
• The P2PE standards are not a recommendation, and do not obligate merchants, service providers, or financial institutions to purchase or deploy such solutions
• P2PE capable devices will be the target for attacks, as the PAN could be intercepted by malware before encryption occurs
• Implementing P2PE doesn’t eliminate the need to comply with PCI-DSS
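The reader-to-processor flow described on these two slides, as an added example that is not part of the original deck: AES-GCM stands in for the P2PE transport (real solutions use their own provider-injected key schemes), the AUTH-xxxx code format is constructed, and the Register function shows the only things the cash register ever holds, namely an opaque envelope and the returned code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what leaves the card reader: a nonce plus AES-GCM ciphertext.
// The register and merchant server forward it and can read nothing from it.
type Envelope struct{ Nonce, Ciphertext []byte }
// Endpoint is the card reader or the processor; both hold the P2PE key, which
// the solution provider injects. The merchant never manages it.
type Endpoint struct{ aead cipher.AEAD }
// NewEndpoint wraps an AES key as GCM (stand-in for the real P2PE key scheme).
func NewEndpoint(key []byte) (Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Endpoint{}, err
	}
	aead, err := cipher.NewGCM(block)
	return Endpoint{aead}, err
}
// Swipe encrypts the PAN at the point of interaction. The plaintext exists
// only here: malware on the reader itself would see it, the deck's caveat.
func (reader Endpoint) Swipe(pan string) (Envelope, error) {
	nonce := make([]byte, reader.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{nonce, reader.aead.Seal(nil, nonce, []byte(pan), nil)}, nil
}
// Authorize is the point of initial decryption. It returns only an
// authorization code (constructed format) and rejects tampered envelopes.
func (processor Endpoint) Authorize(e Envelope) (string, error) {
	pan, err := processor.aead.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("envelope rejected: %w", err)
	}
	if len(pan) < 4 {
		return "", fmt.Errorf("malformed PAN")
	}
	return "AUTH-" + string(pan[len(pan)-4:]), nil
}
// Register models the POS cash register: it holds no key, passes the envelope
// through to the processor, and keeps only the authorization code.
func Register(processor Endpoint, env Envelope) (string, error) {
	return processor.Authorize(env)
}
```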


EMV Credit Cards

• Referred to as “chip and pin” or “chip and signature” cards
• Smart cards that store data on a chip rather than on a magnetic stripe, although most cards currently use both for backward compatibility and transition purposes
• Can be contact cards (reader) or contactless cards (RFID)
• Banks can transfer liability/costs for face-to-face (card present) fraud to merchants that don’t support EMV cards (Oct 2015)
• Supporting EMV cards does not eliminate the need to comply with PCI-DSS


UI’s Isolated PCI Environment:

1. All peripherals migrate to the PCI network (registers, readers, etc.):
   • Any device involved in transaction processing that connects to the UI network
2. All servers migrate to the ITF data center:
   A. Level III (high sensitivity) data storage/handling servers, critical operations servers, and servers with peripherals move to the High Security Zone
      • Secure configuration required, very restricted communications, full logging, monitored system and data access, etc.
   B. Non-critical web servers that don’t pass CC information move to the Medium Zone, Co-Managed Zone, or Co-Location Zone
      • Secure configuration required, no communication with peripherals, full logging, etc.
3. Goal is to simplify compliance responsibilities


Diagram: ITF Data Center (all servers) and PCI Network (all CC peripherals), with the bank ($) as the external endpoint.
• High Security Zone: critical app servers and L3 databases that communicate with CC peripherals.
• Medium, Co-Lo, other zones: web servers that transfer to payment processing, no CC peripherals.
• PCI Network: all CC peripherals.
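One way to apply the scoping rule from the Basics slide (scope follows communication between devices) to the migration just described, as an added example that is not from the original deck: the two topologies and all device names are constructed, not UI's real network, and the walk is the generic transitive-reachability check a reviewer would run over any inventory of links.

```go
package main

import "sort"

// Network is an undirected adjacency list: an edge means two devices can talk
// (same segment, a routable path, or shared infrastructure).
type Network map[string][]string
// Build makes a Network from pairs of devices that can communicate.
func Build(pairs [][2]string) Network {
	n := Network{}
	for _, p := range pairs {
		n[p[0]], n[p[1]] = append(n[p[0]], p[1]), append(n[p[1]], p[0])
	}
	return n
}

// InScope applies the slide's rule: card-handling devices are in scope, and so
// is anything that can communicate with an in-scope device, transitively.
func InScope(net Network, cardDevices []string) []string {
	seen := map[string]bool{}
	stack := append([]string{}, cardDevices...)
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[cur] {
			continue
		}
		seen[cur] = true
		stack = append(stack, net[cur]...)
	}
	out := []string{}
	for d := range seen {
		out = append(out, d)
	}
	sort.Strings(out)
	return out
}
// Constructed topologies (not UI's network): same card devices, different links.
var CardDevices = []string{"card-reader-1", "register-1", "payment-app-server"}
// Flat: register on the office VLAN with a staff PC; payment server next to a web server.
var FlatNetwork = Build([][2]string{
	{"card-reader-1", "register-1"}, {"register-1", "office-vlan"}, {"staff-pc-7", "office-vlan"},
	{"register-1", "payment-app-server"}, {"payment-app-server", "dept-web-server"},
})
// Segmented: peripherals on the PCI network, payment server in the High Security Zone.
var SegmentedNetwork = Build([][2]string{
	{"card-reader-1", "register-1"}, {"register-1", "pci-network"}, {"pci-network", "payment-app-server"},
	{"payment-app-server", "high-security-zone"}, {"staff-pc-7", "office-vlan"}, {"dept-web-server", "medium-zone"},
})
```

In the flat topology the staff PC and the departmental web server are dragged into scope; in the segmented one only the payment path and its two zones remain.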