Remediation, a Key Approach to Reducing Scope

Transcription

1 Remediation, a Key Approach to Reducing Scope Keeping it as simple as possible to minimize cost and complexity. Dennis Self, CISSP Director, IT Security & Compliance Samford University Truth is not democratic. Dennis Self, 2013.

2 Session Summary: Based on the success of a comparable institution, Samford University adopted a model for PCI compliance based on remediation of its credit card transactions/merchants to reduce scope. Only Self Assessment Questionnaire A and B were required to attain PCI compliance. The benefits were remarkable in cost and complexity avoidance, though some compromise was required that affected transaction processing efficiency in some areas.

3 Suggested Audience: Small to medium institutions that have low to moderate credit card transaction volume. The presentation will review technical and business considerations.

4 About Samford University: Samford University is a private, Christian university Founded in 1841 Fall 2013 enrollment is 4,833 Carnegie Classification: Master s M

5 Schools: Ten schools: Arts Arts and Sciences Business Divinity Education Law Nursing Pharmacy Health Professions Public Health

6 About Samford s PCI Scope 27 merchants Payment Gateway Vendors: TouchNet Paypal Several third party vendors

7 Disclaimer: I am not a Qualified Security Assessor. Any information presented and any questions answered are for general information and to relate our experience and are provided without guarantee of any kind. You should find answers to your questions through certified resources.

8 Definition Remediate (OED): to provide a remedy for, redress, counteract; to take remedial action against.

9 Self Assessment Qualification: Level 3 and Level 4 merchants qualify for self-assessment. Enforcement by your acquiring bank Levels established by the card brands Definitions can be found on card brand web sites

10 Assessment Qualification: In general, from Visa: Level 1 - over 6 million Visa transactions/yr. Level 2-1 to 6 million transactions/year. Level 3-20,000 to 1 million transactions/year. Level 4 - less than 20,000 Visa transactions/year. Levels 1 & 2 require 3 rd party validation.

11 PCI DSS Getting Started: Based on PCI Data Security Standard Requirements: Step 1: Assess Step 2: Remediate Step 3: Report

12 Initial Surprises: PCI security requirements are stunningly detailed Stunned that credit card companies would demand or expect such effort from enterprises like ours. It takes a lot of work to be compliant at any level.

13 It s About Security It is about security, not compliance. Address the security. Compliance measures your security program.

14 Key Factors at Samford: Objective: Qualify for SAQ A and SAQ B. Complexity driver: Internet involvement. SAQ A, B, and P2PE-HW keep Internet out of scope.

15 About Samford s Compliance Student Accounts e-bill moved to 3 rd party in Compliance efforts on remaining merchants in % compliant - March 30, % compliant - Fall, 2012

16 The PCI Compliance Working Group Key participants: Merchants Departments that support merchants. Meeting participants: 9 to 16.

17 The Compliance Effort Joint effort Accounting Information Technology Merchants Focus: merchant account ownership Removed non-samford merchants Remediated some to reduce reputational risk. Identified all campus merchants. Gap analysis by merchant to comply with SAQ A or B.

18 The Compliance Effort Consulted with other institutions Collected the best policies and models Identified factors that needed normalizing.

19 Particularly Helpful Sources: Auburn University practical experience, organization, processes, and the foundation for our Credit Card Processing and Security Policy. Indiana University Security Incident Kit. Bentley University - remediation: why, how, rationale. Toby Nelson, QSA, Trustwave. All things PCI-DSS. Saint Louis Community College Online PCI training. Many other sources

20 The Compliance Effort The single factor that most affects security and compliance difficulty: Internet involvement. We got the data off our network. If you can, KEEP YOUR NETWORK OUT OF IT.

21 A Painful, Repeated Lesson Vendors are not very interested in your compliance. Vendor compliance does not make you compliant!

22 The Compliance Effort Determined remediation to SAQ A and B the least complex, least costly. Surveyed activities and costs for SAQ C and D. Estimated minimum upfront technology costs at $100,000. Some institutions spent well over $1,000,000. Identified key issues for broad categorization of merchants into SAQ A, B, C or D.

23 The Two Thorniest Issues: 1. Bookstore registers with integrated swipes. 2. Taking credit card information over the phone and keying it into payment applications. Alternatives: 1. Install dial out card swipes. 2. Write the transaction and take it to the Bursar.

24 Two Time-Consuming Issues: 1. Getting the policy done, approved and in effect. 2. Bookstore reaching acceptance of remediation and no longer using the integrated swipes in the registers.

25 And now PCI DSS 3.0?

26 Rationalizing The Chart The following chart was created based on counts of SAQ responses and testing activities. Technical difficulty and business impact were not directly assessed. It is clear that initial and ongoing costs increase sharply as the difficulty of the SAQ increases. All SAQs are more detailed and involved than before.

27 Difficulty Based on Counts 3.0

28 PCI DSS Requirement Samples SAQ A 9.5 SAQ D

29 - Based on Counts 2.0 and 3.0

30 Difficulty Based on Counts

31 PCI DSS 3.0: SAQ D is the default if your merchant cannot precisely fit another SAQ. A-EP invokes major infrastructure requirements. Initial guidance from PCI SSC is not out yet.

32 Outlook for Samford University Several of our SAQ A merchants may face alternatives: 1. Outsource the shopping cart. 2. Host the application with a PCI-DSS 3.0 compliant hosting company. 3. Create a dedicated PCI compliant datacenter. 4. Overhaul to conform to SAQ A-EP or SAQ D.

33 Outlook for Samford University The overall cost for compliance is going up. Review, perform gap analysis between 2.0 and 3.0. Reactivate our PCI Compliance Working Group.

34 Outlook for Samford University Assume there will be no easing of requirements for any SAQ. Prepare for the new requirements. Hold off on major new investments until clarification is available.

35 Questions? Dennis Self, CISSP Director IT Security & Compliance Samford University (205)