PCI 3.0 Making Payment Security Business As Usual

Transcription

1 PCI 3.0 Making Payment Security Business As Usual Katie Todd, Office of the Treasurer, Columbia University Ruth Harpool, Managing Director, Treasury Operations, Indiana University Joseph Goodman, Outreach Information Services, Virginia Tech

2 AGENDA Survey Results: What does Business As Usual mean to you? Columbia University & Virginia Tech Current Environments What does Business As Usual Really Mean? How does PCI DSS 3.0 help organizations focus on Security, not Compliance? Challenges Suggestions Best Practices Risks

3 Survey Results: What does PCI DSS Business as Usual mean to your school? Incorporating and maintaining PCI guidelines into credit card acceptance policies & procedures. The day to day management of PCI Compliance with internal constituents. Third party vendor management. Monthly/quarterly scans, penetration testing, and annual SAQ completion. Being proactive, not reactive. Ongoing security awareness training. Steady as she goes. Scheduled and routine actions. No surprises.

4 Survey Results: Business As Usual: Are You There Now? No, we hope we will be there by the end of the year. We are just this year working to get our act together. No. Getting close. Close but not perfect. For the most part, yes.

5 Survey Results: What One Area Needs Work? Merchant day to day operations (includes departmental procedures) (aka merchant compliance). University Policies and Procedures (if this is done right it will push the others). We are looking into centrally provided IT services. Third Party Vendor Management. Policies and Procedures that enforce PCI. Merchant set ups. Centrally provided IT services. Can t afford resources necessary for full compliance. Centrally provided IT Security services this is the area that most departments would like more direction and support.

6 Columbia University In the City of New York Columbia University was founded in 1754 as King's College by royal charter of King George II of England. It is the oldest institution of higher learning in the state of New York and the fifth oldest in the United States. 17 Schools, including large Medical Center 25 Libraries with 9.5 million volumes 20 thousand employees 40 thousand students Over $9.0 billion endowment Approx. $800 million research grants and contracts Global operations including 8 global centers

7 Columbia s Scope of Merchant Accounts Approximately 400 Merchant Accounts 43% Strictly Point of Sale 6% Strictly MOTO 27% Strictly E-commerce 24% Some Combination of the above Two University Wide Approved Processors Two others for specific purposes only Two University Wide Approved Payment Gateways Two others for specific purposes only Numerous Third Party Service Providers

8 Columbia s Information Technology Environment Over 150,000 network nodes Over 65,000 MAC addresses active on average Between 50,000 and 90,000 active accounts Local support is organized geographically, not by use Example SIPA (School of International and Public Affairs) is in the International Affairs Building, but so is the Economics department and the Political Science department each of these has a different IT organization Central IT (CUIT) organization provides central IT functions (security and identity & access management; technology infrastructure; enterprise solutions; instructional support systems; IT business services; client support services) Departments, schools, affiliates support themselves locally (or can buy support from CUIT)

9 Columbia s Key Players in PCI Governance PCI-DSS Governance Committee Office of the Treasurer CU & CUMC Information Security Offices CUMC Office of the Controller Identify Theft Prevention Committee (Red Flags) Senior Business Officers Procurement Assessor

10 Virginia Tech Virginia Polytechnic Institute and State University Founded in 1872 Motto Ut Prosim (That I may Serve) Fall 2014 enrollment of 29,173 Corps of Cadets 1, operating budget $1.35 billion 7,448 employees

11 Virginia Tech Information Technology Services Facts 100, th 100% Connected network devices Ranking in the world for IPv6 deployment Percentage of main network that is publicly routable Year College of Engineering started computer requirement Number of border firewalls restricting traffic (does not include IDS or IPS)

12 Virginia Tech PCI Governance

13 So what does Business as Usual Really Mean? One of the most notable aspects of PCI 3.0 is it s emphasis on making PCI Compliance Business as Usual Proper PCI compliance means making security a proactive instead of reactive process For many, fostering a new, much more security-aware approach, means an end to business as usual.

14 How does PCI DSS 3.0 help organizations focus on Security, not Compliance? By making Payment Security Business As Usual Increased and Ongoing Education & Awareness Best Practices for implementing security into BAU activities to maintain ongoing PCI DSS compliance Req. 8.4 Password education Req. 9.9 POS security training & education Greater Flexibility There is more than one way to do security Req Allows to choose appropriate password strength Req More flexibility to prioritize log reviews Security as a Shared Responsibility Guidance on outsourcing PCI Responsibilities Req Responsibilities for service Providers

15 How Columbia is making Payment Security Business as Usual Increased & Ongoing education & awareness. Updated password policies. Increased policy review and enforcement. Increased coordination with Procurement and Information Technology. Limited Payment Gateways and Processors, with limited access to each. Implemented encrypted tunnels by way of our Citrix server to isolate traffic on shared network to protect machines connecting to payment gateways. Implemented rigorous review and approval for new MIDs. Creating centralized document/reference repository, enhancing accountability. Incorporating PCI into Columbia s overall security strategy.

16 Repeatability Annual Formal Reviews Daily Compliance Duties IU Credit Card Processing: Business as Usual Designated Fiscal Officer and PCI Coordinator Routine System Reviews and Security Analysis

17 IT SERVICES: Some Challenges Who is responsible for what? Central IT services Auxiliary IT services Department IT services Some units lacking IT services Vendor Management: What area is responsible for keeping all documents? Purchasing Legal Departments Treasury Security Office

18 Some Suggestions to Improve Consistency Ensure Effective, Ongoing and Timely Communication & Coordination Online training, in person visits, presentations, provide a resource abundant website Clearly Defined Roles and Responsibilities for All Players Departments, Procurement, IT, Treasury, Third Party Service Providers Develop and use checklists Merchant set up PCI reviews Vendor reviews

19 Best Practices for Implementing PCI DSS into Business as Usual Processes Implementing PCI DSS into BAU activities let s us monitor the effectiveness of our security controls on an ongoing basis and maintain our PCI DSS compliant environment in between PCI DSS assessments.

20 Best Practices for Implementing PCI DSS into Business as Usual Processes Monitoring of security controls Such as: Firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), File-integrity monitoring (FIM), anti-virus, access controls, etc. to ensure they are operating effectively and as intended Ensuring that all failures in security controls are detected and responded to in a timely manner. Restoring the security control Identifying the cause of failure Identifying and addressing any security issues that arose during the failure of the security control Implementing mitigation (such as process or technical controls) to prevent the cause of the failure recurring Resuming monitoring of the security control, perhaps with enhanced monitoring for a period of time, to verify the control is operating effectively

21 Best Practices for Implementing PCI DSS into Business as Usual Processes Review changes to the environment (for example, addition of new systems, changes in system or network configurations) prior to completion of the change, and perform the following: Determine the potential impact to PCI DSS scope (for example, a new firewall rule that permits connectivity between a system in the CDE and another system could bring additional systems or networks into scope for PCI DSS). Identify PCI DSS requirements applicable to systems and networks affected by the changes (for example, if a new system is in scope for PCI DSS, it would need to be configured per system configuration standards, including FIM, AV, patches, audit logging, etc., and would need to be added to the quarterly vulnerability scan schedule). Update PCI DSS scope and implement security controls as appropriate.

22 Best Practices for Implementing PCI DSS into Business as Usual Processes Changes to organizational structure (for example, a company merger or acquisition) should result in formal review of the impact to PCI DSS scope and requirements. Periodic reviews and communications should be performed to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes. These periodic reviews should cover all facilities and locations, including retail outlets, data centers, etc., and include reviewing system components (or samples of system components), to verify that PCI DSS requirements continue to be in place for example, configuration standards have been applied, patches and AV are up to date, audit logs are being reviewed, and so on. The frequency of periodic reviews should be determined by the entity as appropriate for the size and complexity of their environment.

23 Best Practices for Implementing PCI DSS into Business as Usual Processes Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity s security requirements, including PCI DSS. If it is discovered that technologies are no longer supported by the vendor or cannot meet the entity s security needs, the entity should prepare a remediation plan, up to and including replacement of the technology, as necessary.

24 Best Practice Vendor Management Department consults with Treasury about options Department and Purchasing issue RFP (RFP not always issued) RFP (or business) is awarded. Vendor should complete Data Security questionnaire Before contract is signed, IT Security and Treasury review data security posture, contract language, compliance posture Vendor required to submit evidence of PCI compliance annually Documentation of Vendors on file and up to date Utilize the Visa Global Registry of Service Providers

25 Virginia Tech PCI Quarterly Checklist Department head, fiscal and IT contacts Service providers, AOC and AOSC dates Changes to CDE New employees in the CDE Name, job title, PCI training and PCI agreement Quarterly ASV, wireless and Identity Finder scans Last date, performed by and method/custodian of data

26 What s the Risk of Not Making PCI Business As Usual? Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future Reputational risk Current estimates of the cost of a breach run between $200 and $300 per compromised card Litigation Expenses Suspension of credit card acceptance by providers Remediation Costs Lost Revenue

27