pci, a new approach: how to build compliance without rebuilding your network (264646409)


Upload: educause

Post on 01-Jun-2018


TRANSCRIPT

Page 1: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

8/9/2019 PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

http://slidepdf.com/reader/full/pci-a-new-approach-how-to-build-compliance-without-rebuilding-your-network 1/32

PCI – A new approach
How to build compliance without rebuilding your network

Copyright (c) 2015 The Trustees of Columbia University in the City of New York

Joel Rosenblatt – Director, Computer Network Security, Columbia University
Educause SPC 2015 – May 5, 2015

Page 2: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

PCI-DSS – What is it and why do you care?

Payment Card Industry Data Security Standard
◦ A set of standards created by the credit card industry to help ensure the safe handling of sensitive information
PCI DSS is not a law or government standard
◦ It was created by Visa and MasterCard
◦ It is a framework for developing a robust account data security process
◦ It will cost you if you are compromised

Page 3: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Risk of not doing PCI compliance

From the PCI Security Standards Council
◦ If you are not compliant, it could be disastrous
    ◦ Compromised data negatively affects consumers, merchants, and financial institutions
◦ Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
◦ Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
◦ Possible negative consequences also include
    ◦ Lawsuits
    ◦ Insurance claims
    ◦ Cancelled accounts
    ◦ Payment card issuer fines
    ◦ Government fines

https://www.pcisecuritystandards.org/security_standards/why_comply.php

Page 4: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Columbia Environment

Large research university
Decentralized management structure
Over 150,000 network nodes
Over 70,000 MAC addresses active on average
Decentralized computer support
No sniffing traffic or scanning machines allowed
Free Love IP address assignments available
No university-wide corporate-like firewalls
Between 50,000 and 90,000 active email accounts

Page 5: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Columbia Environment

Seventeen schools
◦ Four undergraduate
◦ Thirteen graduate
Four affiliate schools including a large Medical center
ApartmentNet – HS Internet sold through housing
Twenty five libraries with 9.5 million volumes
Twenty thousand employees
Forty thousand students

Columbia University was founded in 1754 as King's College by royal charter of King George II of England. It is the oldest institution of higher learning in the state of New York and the fifth oldest in the United States.

Page 6: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Columbia Environment

Network organized geographically – network segmentation is often done by building or area, not by use
◦ Example – SIPA (School of International and Public Affairs) is in the International Affairs Building, but so is the Economics department and the Political Science department – each of these has a different IT organization

Page 7: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Columbia Environment

Central IT (CUIT) organization only supports central IT functions (network, email, main web servers, payroll, student services, financial services, etc.)
Departments, schools, affiliates get to support themselves (or can buy support from CUIT)
This creates an uneven support model – rich departments (Law, Business) have good support, poor departments (Anthropology, Political Science) – not so good.

Page 8: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Columbia Network

Made up of four campuses in upper Manhattan
◦ Morningside, Medical, Manhattanville, Lamont
Network is laid out geographically
◦ No separate administrative and student network
    ◦ Buildings can be mixed use
Little use of NAT
◦ 5 /16, 2 /20, 1 /21, 1 /22, 4 /24

Page 9: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Columbia's Merchant processing scope

Approximately 400 Merchant Accounts
• 3% Strictly Point of Sale
• 6% Strictly MOTO
• 27% Strictly E-commerce
• 24% Some Combination of the above
Two University Wide Approved Processors
• Two others for specific purposes only
Two University Wide Approved Payment Gateways
• Two others for specific purposes only
Numerous Third Party Service Providers

Page 10: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Selected Treasury Statistics

200 bank accounts
◦ 85 International
300-400 merchant accounts
10 remote deposit capture (RDC) machines
3,000 wire transfers
◦ 2,500 international

$500M-$800M
$150M-$200M
◦ 400K+ transactions
$500M-$600M
◦ 55,000+ transactions
$500M
◦ $100M international

Page 11: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Some current Credit Card stats

Almost 1000 people trained to process CC
Approximately 200 POS terminals
We submit a little over 100 SAQs signed by almost 40 Senior Business Officers
Payment Gateways
◦ Elavon ~300
    ◦ Virtual Merchant ~150
◦ Global Payments ~100
    ◦ CyberSource ~50

300-400 merchant accounts; $150M-$200M; 400K+ transactions

Page 12: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Driving forces

In 2008
◦ Policy created – no CC numbers on any Columbia networks, servers or machines
In 2010
◦ Someone was using a Columbia web site to verify credit card numbers by putting through $.10 charges
◦ Payment vendor indicated that we would be charged $25/month for each non compliant MID
    ◦ 450 MIDs x $25 x 12 = $135,000/year
◦ Treasury policy on CC created
◦ Considered dropping all credit card acceptance
    ◦ Potential loss of $70M-$90M/year
Cost to build a PCI compliant network at Columbia
◦ A lot

Page 13: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Challenge

How do you comply with PCI on a non compliant network?

Page 14: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

PCI Committee – how many people does it take to do PCI?

PCI compliance is a joint project between the Treasury department, Medical center and computer security
From Treasury
◦ Associate Treasurer, Cash Management Operation (10%)
◦ Treasury Manager (100%)
From computer security
◦ Director, Computer Network Security (10%)
◦ Associate Network Security Analyst (50%)
From Medical center
◦ Assistant Director, Information Security (10%)
Almost forty SBOs fill out SAQs for the 400 MIDs
◦ Guesstimate of 20% of one FTE
Training of 1000 people who touch CCs
◦ Guesstimate of 50% of one FTE

Page 15: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

First pass – Outsource everything

Create Policy –
◦ Internet transactions
    ◦ University Departments accepting credit cards via ecommerce must adhere to the criteria in the CU REGISTRATION AND PROTECTION OF SYSTEMS POLICY. The policy provides that University Departments must not capture, store, or transmit cardholder data on Columbia servers or networks.

Page 16: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)


Page 17: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

It turns out that this is not good enough

Connecting to payment processor's website on behalf of a customer puts that machine in scope for PCI (acting as a servicing agent)
Personal transactions (I own the credit card) on the University network are not in scope for PCI

Page 18: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Plan B – Reduce PCI scope

PCI Scope
◦ Any machine that is used for transactions
◦ Any machine that touches the network used for transactions
Since we have a large network set up like an ISP, virtually every system at Columbia would have been in scope for PCI (~150,000 nodes)
◦ Requirements for PCI
    ◦ External scans quarterly (expensive)
    ◦ Log storage for one year (a lot of data)
    ◦ Restricted and monitored access (impossible for student machines)
    ◦ and lots more!

Page 19: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Plan B – create a PCI Citrix Proxy network

Build a Citrix farm in a (firewalled) box
◦ Access through the firewall
◦ RFC 1918 addressing inside
◦ All traffic inside using NAT/PAT rules
Put BlackBoard servers in same PCI box
◦ Cash registers that take CC have home runs to network closet with firewall/vpn to PCI network firewall – we will be replacing these with P2P encrypted machines
External IP (2) scanned by TrustWave
All access to PCI box through external IPs

Page 20: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Network Diagram

Page 21: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

PCI Citrix screen

Page 22: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Network restrictions on machines connecting to PCI Citrix server

Machines must be on the hard wired Columbia network
No remote access
No VPN access
Must be desktop systems or laptops with wireless network cards removed
No remote login to desktop allowed
Two and ½ factor authentication
◦ Alpha domain user (Windows systems group)
◦ Access to Citrix group (Treasury)
◦ Account on Gateway (Treasury)

Page 23: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Payment Gateway tuning

Payment gateways will only accept logins from the external IP address of our PCI firewall
◦ CyberSource dropped as vendor because they could not support this feature
Refunds on credit cards can only be made
◦ To the card that the original charge was made on
◦ In an amount less than or equal to the original charge
Updated PINs from 6 characters to over 60 characters for Web User configurations for ecommerce accounts that use our Payment Gateways as a checkout page
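
The gateway-side checks these rules imply, as an added example that is not part of the original deck or any gateway's API. All names are hypothetical, the allowed address is a documentation-range placeholder, and tracking the running refund total is an assumption that extends the slide's per-refund rule.

```python
# Added example, not from the original deck. Names and values are hypothetical.
import ipaddress
from dataclasses import dataclass
from decimal import Decimal

# Constructed placeholder (RFC 5737 documentation range) standing in for
# the external IP address of the PCI firewall.
ALLOWED_LOGIN_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]


def login_source_allowed(source_ip):
    """Accept a gateway login only from the PCI firewall's external address."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed address: fail closed
    return any(addr in net for net in ALLOWED_LOGIN_SOURCES)


@dataclass
class Charge:
    charge_id: str
    card_token: str                 # gateway token, never the card number
    amount: Decimal
    refunded: Decimal = Decimal("0")


class RefundRejected(Exception):
    pass


def refund(charge, card_token, amount):
    """Apply a refund and return the amount that is still refundable.

    Slide rules: refund only to the card the original charge was made on,
    and only for an amount <= the original charge. Summing earlier partial
    refunds so the total cannot exceed the charge is an added assumption.
    """
    if card_token != charge.card_token:
        raise RefundRejected("refund must go to the original card")
    if amount <= 0:
        raise RefundRejected("refund amount must be positive")
    if charge.refunded + amount > charge.amount:
        raise RefundRejected("refund exceeds the original charge")
    charge.refunded += amount
    return charge.amount - charge.refunded
```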


Page 24: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

PCI Compliance Requirement for MO/TO machines connecting to PCI Citrix server

PCI DSS compliance requires any computer used to submit MO/TO transactions at Columbia University to pass all of the requirements of PCI DSS
◦ https://www.pcisecuritystandards.org/security_standards/index.php
The following hardware and software settings are required to be in compliance with PCI DSS. NO EXCEPTIONS CAN BE ALLOWED. If these conditions cannot be met by the standard desktop used for this function, additional hardware that meets these conditions must be acquired. If these conditions are not followed, the ability to accept credit cards will be disabled.
The following requirements must be met in addition to all applicable requirements in
◦ http://www.columbia.edu/acis/security/articles/data/desktop%20security%20accessing%20sensitive%20data%20checklist%20+%20POS%20requirements.pdf

Page 25: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Continued…

Machine cannot have ANY wireless devices installed and must not be a laptop (unless wireless cards removed) (i.e. no wireless keyboards or mice, no wireless card, can't be plugged into a wireless router, etc.)
◦ Machine must be physically inspected quarterly to verify this
Machine must be hard wired to a network jack (NOT WIRELESS – see 1)
User ID of each person performing MO/TO transactions cannot have privileges higher than USER

Page 26: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Continued…

Users cannot share IDs – each user performing MO/TO transactions must use their own IDs
◦ Passwords must be changed every 90 days
◦ Minimum password length is 8
◦ Passwords must be mixed case, numbers and letters
◦ Passwords cannot be reused on a 5 password cycle
◦ User ID will be locked out after 6 bad passwords for at least 30 minutes
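
The account rules on this slide, enforced in code. This is an added example, not part of the original deck: the `Account` class and its method names are hypothetical, and the "5 password cycle" is read here as the five most recently stored passwords.

```python
# Added example, not from the original deck. Names are hypothetical; the
# thresholds are the ones listed on the slide.
import hashlib
import hmac
import os
import re
from datetime import timedelta

MIN_LENGTH = 8                     # minimum password length
MAX_AGE = timedelta(days=90)       # change every 90 days
HISTORY_DEPTH = 5                  # assumption: last 5 stored passwords
MAX_BAD_ATTEMPTS = 6               # lock after 6 bad passwords
LOCKOUT = timedelta(minutes=30)    # for at least 30 minutes


def complexity_errors(password):
    """Return the list of slide rules the candidate password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        errors.append("needs mixed case")
    if not re.search(r"\d", password):
        errors.append("needs a number")
    return errors


def _digest(password, salt):
    # Salted PBKDF2 so the history never holds recoverable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(_digest(password, salt), digest)


class Account:
    def __init__(self):
        self.history = []          # (salt, digest) pairs, newest last
        self.changed_at = None
        self.bad_attempts = 0
        self.locked_until = None

    def set_password(self, password, now):
        """Store the password if it passes; return the rule violations."""
        errors = complexity_errors(password)
        if any(_matches(password, e) for e in self.history):
            errors.append("reused within 5 password cycle")
        if not errors:
            salt = os.urandom(16)
            self.history.append((salt, _digest(password, salt)))
            self.history = self.history[-HISTORY_DEPTH:]
            self.changed_at = now
        return errors

    def login(self, password, now):
        """Return 'ok', 'expired', 'locked' or 'denied'."""
        if self.locked_until and now < self.locked_until:
            return "locked"
        if not self.history or not _matches(password, self.history[-1]):
            self.bad_attempts += 1
            if self.bad_attempts >= MAX_BAD_ATTEMPTS:
                self.locked_until = now + LOCKOUT
                self.bad_attempts = 0
            return "denied"
        self.bad_attempts = 0
        if now - self.changed_at > MAX_AGE:
            return "expired"       # correct password, but a change is forced
        return "ok"
```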


Page 27: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Continued…

Firewall with inbound and outbound blocking must be installed (i.e. Symantec) with default deny set. No port should be open unless absolutely required by a business application running on the system.
No non business applications are allowed to run on the system
No remote access (remote desktop, gotomypc, etc.) allowed to any system used to access the PCI gateway
We will be installing whitelisting software (Savant) on these machines as mitigating control for not using FIM

Page 28: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Logging and Scanning

When a machine connects to the PCI Citrix box
◦ A Nexpose scan is triggered (quarterly) and results are stored for one year
◦ All Netflow (network log) data (in and out) of the machine is collected and stored for one year
◦ All Symantec output is collected and stored for one year
◦ All GULP (authentication) data involving the machine are stored and kept for one year
Scans are read by PCI security person and any imperfect scores are resolved

Page 29: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Training and SAQs

Training
◦ In order to get an ID to access the payment gateway, the user must be registered to take the online PCI training, which needs to be repeated annually
One SAQ must be filled out for each MID
◦ We fill out a SAQ D for each MID that uses the PCI Citrix farm and has a web site.
◦ MO/TO only fill out an SAQ A
◦ Dialup users fill out a SAQ B
We are using Courseworks to manage documentation, SAQs and communications to SBOs (Senior Business Officers)

Page 30: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

And the beat goes on …

Onsite Compliance Visits
◦ Trust but verify! Confirm
    ◦ No evidence of track data, CAV2, CVC2, CID, CVV2 or PIN data is stored after authorization
    ◦ Access is truly restricted
    ◦ Processors are educated on PCI
    ◦ All information within submitted SAQs and attestations fairly represents their processing environment
Using CourseWorks has made this process more manageable
Importance of Documentation
◦ 156 mentions in the PCI DSS!
    ◦ Document, documented, documentation

Page 31: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Summary

It took almost six years and a lot of work to fully implement our current PCI solution
Some challenges we are still working on
◦ Events in open spaces (athletics and registration)
    ◦ We are using cellular POS systems using P2P encryption
◦ Off campus medical offices
    ◦ We will be using P2P encrypted devices
◦ Things that we don't know
PCI v 3.1 has clarified some of the use of encryption
No matter how you do PCI, it is a large consumer of resources

Page 32: PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)

Questions

Joel Rosenblatt joel@columbia.edu