Post on 29-Mar-2015
LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE
The University of Western Ontario & McMaster University’s Experiences
June 7th, 2011
Agenda
• Introductions
• What is PCI and Why is it Important?
• Lessons Learned
• What Lies Ahead?
Introductions
• Sharon Farnell, Director, Internal Audit – The University of Western Ontario
• Stacey Farkas – Supervisor, Financial Reporting – McMaster University
• Tim Russell – Project Manager, University Technology Services – McMaster University
Introductions
Western
• 2010 - $27 million in credit card sales
• 2011 - $31 million in credit card sales
• 60 merchants
McMaster
• 2010 - $24 million in credit card sales
• 2011 - $25 million in credit card sales
  - $16 million in INTERAC ONLINE transactions
• 58 merchants
What is PCI?
• PCI-DSS: Payment Card Industry – Data Security Standards
• Standards developed by the credit card companies (Visa, M/C) to protect cardholders
• PCI Data security requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data
• EVERY merchant is required to be in compliance with these standards
What is PCI?
There are 12 requirements, grouped into six categories for PCI Compliance:
• Build and Maintain a Secure Network (req. 1 & 2)
• Protect Cardholder Data (req. 3 & 4)
• Maintain a Vulnerability Program (req. 5 & 6)
• Implement Strong Access Control Measures (req. 7,8 & 9)
• Regularly Monitor and Test Networks (req. 10 & 11)
• Maintain a Policy that addresses Information Security (req. 12)
Merchant Levels
Merchant Level 1
• Processing Volumes per year: > 6,000,000 Visa transactions
• Validation Actions: Annual on-site PCI-DSS Assessment; Quarterly Network Scan
• Validation By: Qualified Security Assessor or Internal Audit if signed by Officer of the company; Approved Scanning Vendor
Merchant Level 2
• Processing Volumes per year: 1,000,000 to 6,000,000 Visa transactions
• Validation Actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
• Validation By: Merchant; Approved Scanning Vendor
Merchant Level 3
• Processing Volumes per year: 20,000 to 1,000,000 Visa e-commerce transactions
• Validation Actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
• Validation By: Merchant; Approved Scanning Vendor
Merchant Level 4
• Processing Volumes per year: < 20,000 Visa e-commerce transactions, and all other merchants up to 1,000,000 transactions
• Validation Actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
• Validation By: Merchant; Approved Scanning Vendor
Merchant Types
• PCI Security Council separated out Merchant Types and introduced a SAQ for each type in 2008
Why is PCI Compliance Important?
FINANCIAL RISK
– fines from payment processor and/or credit card companies
– costs to notify cardholders
– repayment of fraudulent charges incurred by end consumer
– audit costs by PCI assessor
LOSE THE ABILITY TO PROCESS CREDIT CARDS – CAMPUS WIDE
REPUTATIONAL RISK!
OPPORTUNITY TO ENHANCE SECURITY/IT BEST PRACTICES
Our PCI ‘Approaches’
Western
• Central approach to Self Assessment Questionnaires (SAQs)
McMaster
• Centralized management with individual merchant responsibilities
Lessons Learned
1: Collaboration of stakeholders is key
2: Identify your PCI Scope and environment
3: Minimize Local Payment Processing
4: Centralized Merchant Approval Process
5: Audit Considerations
6: Don’t underestimate your time
7: Breach Escalation process
8: Centralized approach to PCI DSS Self Assessment Questionnaires
9: Include PCI compliance in the RFP and Purchasing Process
10: Funding: Who Pays for this?
11: It’s a learning Journey
12: Risk Management Strategies
Lesson 1 : Collaboration of Stakeholders is Key
Western: Central Bank Card Committee
• Financial Services, Internal Audit, IT, Campus Department Representatives
• Chaired by AVP, Financial Services
McMaster: PCI Steering Committee
• Financial Services, IT, Key Departments, Internal Audit
• Chaired jointly by AVP Administration and CIO
Lesson 2 : Identify your PCI Scope and Environment
Western
• Pre-RFP Review – Evaluate Environment
• IT Code Review
• Interviewed all campus departments
McMaster
• Had a PCI GAP analysis completed in 2008
• Helped us to focus on high risk areas within the 12 requirements – action plan via PCI Steering Committee
Lesson 3 : Minimize Local Payment Processing
Western
• Campus merchants are required to use Western’s internal Payment Page
• Currently migrating to an external Pay Page solution
McMaster
• Steer merchants to Hosted Pay Page solutions
• Place compliance on the software vendors
• Moving from Type D to Type A merchants – less risk
Lesson 4 : Centralized Merchant Approval Process
Western
• New e-commerce merchants must be approved by Bank Card Committee
• PCI Compliance is a requirement
McMaster
• Upfront Approval Process – new merchants must meet PCI DSS requirements before a merchant number is issued
• Merchants can be suspended if not in compliance
Lesson 5 : Audit Considerations
Western
• Limited Scope – Lower Costs
• Important for Auditor to apply PCI to a University setting
• Consistency of Auditor key
• Demonstration of Compliance
McMaster
• Pre-audit in 2008 – helped to limit scope
• Focus on individual (Type D) merchants
Lesson 6 : Don’t Underestimate Your Time
Western
• Six months became 2+ years
• IT Resources – Significant Impact – Documentation
• Have people to help keep on track
McMaster
• Committee commenced work in 2006, still on-going
• Education and clarification of requirements took a long time
Lesson 7 : Breach Escalation Process
Western
• Requirement of PCI-DSS
• Took time to get it ‘right’
McMaster
• Developing protocols for front-line workers and internal response
• Escalating communication plan dependent on nature of the breach
Western Breach Protocol (flowchart; starts from a Perceived Breach)
Types of Breaches
1. Receipts compromised
2. POS compromised
3. Electronic Client data compromised
4. Missing items
5. Technical breach
6. Unauthorized wireless device
Flowchart branches
• Device theft or device tampering – Types 1, 2, 3, 5
• Missing files, machine, data – Type 4
Contacts
• UWO Police – x911
• UWO Finance – x85432, finance@uwo.ca
• UWO Legal – x84217, jarrett@uwo.ca
• UWO NSO IT Security – 519 661 3800, nso@uwo.ca
• UWO IPO – x84541, privacy.office@uwo.ca
• UWO Communications
• Moneris (transactional items on stop or alert) – 1-866-319-7450
Flowchart steps
• IDENTIFY: inform and contain; the USER ascertains the risk and notifies accordingly
• POLICE engage criminal investigation and inform NSO
• FINANCE assesses financial risk and notifies NSO on data, and vendors for transactional items
• NSO/CISO assesses data risk and contains, notifies IPO and FINANCE
• IPO interfaces with NSO, LEGAL and COMMUNICATIONS if privacy is at risk
• After risk assessments and vendor notification, LEGAL is informed by IPO if necessary
• ITS as initiator
Legend
IPO – Information Privacy Office
UWO IT – Western Information Technology
NSO – Network Security Officer (CISO)
CISO – Campus Information Security Officer
Moneris – corporate payment processor
ACT FAST!
CONTAIN THE DAMAGE
PRESERVE EVIDENCE
DO NOT ACCESS COMPROMISED SYSTEM
Lesson 8 : Centralized Approach to Self Assessment Questionnaires
Western
• Created own internal SAQ to be filled out by departments
• Fill out SAQ for the university as a whole centrally
McMaster
• Each merchant is responsible for filling out PCI SAQ
• SAQ questionnaires now automated through on-line submission
• 3rd party company for both SAQ submission and Quarterly scanning
Lesson 9 : Include PCI Compliance in the RFP & Purchasing Process
Western
• Push your knowledge to external partners / vendors
McMaster
• Smaller companies weren’t always aware of PCI compliance
• Integrated into Policy and Purchasing documents
Lesson 10 : Funding – Who Pays for This?
Western
• Funded centrally
McMaster
• Yearly internal Merchant ‘PCI Levy’
• Base charge plus volume based charge with caps
• Essentially covers the cost of 1 FTE in IT and 0.5 in Financial Services
• Now covers cost of 3rd party assessor
Lesson 11 : It is a Learning Journey
Western
• PCI Changes – Helps to have ‘experts’
McMaster
• On-going changes: the risks change, therefore the compliance also changes
• Adapt to new business processes
• Learning journey for software vendors as well
Lesson 12 : Risk Management Strategies
Both Universities:
• Governance and oversight
• Third-party assessors and PCI advisors
• Pro-active compliance by doing more than required
• Migration to Hosted Payment Page
• Required annual merchant training
What Lies Ahead?
Western:
• Keep ahead of PCI – change approaches as you go
McMaster:
• Monthly, quarterly and annual activities, based on merchant type
PCI Security Council
• Three year cycle for standard revisions
• Now possible for internal auditors to be certified to conduct PCI audits
References
PCI Security Council: https://www.pcisecuritystandards.org/index.shtml
University of Western Ontario: http://commerce.uwo.ca/index.html
McMaster University: http://www.mcmaster.ca/bms/BMS_FS_Payment_Card.htm
Thank you! / Merci!
Contact Information:
Sharon Farnell – sfarnell@uwo.ca
Stacey Farkas – farkas@mcmaster.ca
Tim Russell – trussel@mcmaster.ca