PCI Compliance
Crissy Sampier, Longwood University
Edward Ko, CampusGuard
Agenda
- Introductions
- PCI DSS 101
- Chip Cards (EMV)
- Longwood's PCI DSS Journey
- Breach Statistics
- Shortcuts to PCI DSS Compliance
- Approximately 5000 students
- Rural campus in Farmville, VA
- Systems used:
  - CS Gold / MICROS Simphony 1.x
  - Banner
  - RMS
  - UniversityTickets (Athletics/Theatre)
  - BlackBaud (Foundation)
  - Ruffalo Noel Levitz (Phone-a-thon)
  - Reservation Nexus (Bed and Breakfast)
CampusGuard
- A Merchant Preservation Services Company
- Full-service QSA/ASV firm for PCI compliance
- Focused solely on the campus environment
- We understand the PCI DSS
- We understand the campus environment
PCI = Multiple Standards
- Manufacturers: PCI PTS (PIN Transaction Security)
- Software developers: PCI PA-DSS (payment application vendors), P2PE
- Merchants & processors: PCI DSS (Data Security Standard)
An ecosystem of payment devices, applications, infrastructure and users.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS: 6 Goals, 12 Requirements

Control objective 1: Build and maintain a secure network
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Change vendor-supplied defaults for system passwords and other security parameters

Control objective 2: Protect cardholder data
- Requirement 3: Protect stored data
- Requirement 4: Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks

Control objective 3: Maintain a vulnerability management program
- Requirement 5: Use and regularly update antivirus software
- Requirement 6: Develop and maintain secure systems and applications

Control objective 4: Implement strong access control measures
- Requirement 7: Restrict access to data to a need-to-know basis
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Control objective 5: Regularly monitor and test networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Control objective 6: Maintain an information security policy
- Requirement 12: Maintain a policy that addresses information security
What is the PCI DSS trying to protect?
Covered Data Elements
Merchant Levels and Validation
- Level 1: Annual on-site assessment (QSA); quarterly network scan (ASV)
- Level 2: Annual on-site assessment (QSA/ISA); quarterly network scan (ASV)
- Level 3: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan (ASV)
- Level 4: At the discretion of the acquirer: annual SAQ and quarterly network scan (ASV), or N/A
Payment Methods & Validation Requirements

SAQ type (number of questions): payment method
- A (14): Card-not-present merchants, all cardholder data functions fully outsourced
- A-EP (139): Partially outsourced e-commerce merchants using a third-party website for payment processing
- B (41): Merchants with only imprint machines or only standalone, dial-out terminals; no electronic cardholder data storage
- B-IP (83): Merchants with standalone, IP-connected PTS point-of-interaction (POI) terminals; no electronic cardholder data storage
- C (139): Merchants with payment application systems connected to the Internet; no electronic cardholder data storage
- C-VT (73): Merchants with web-based virtual payment terminals; no electronic cardholder data storage
- D (326): All other SAQ-eligible merchants
- P2PE-HW (35): Hardware payment terminals in a PCI-listed P2PE solution only; no electronic cardholder data storage
New in PCI DSS 3.x
- Clarification regarding scope
- Business-as-usual policies and procedures
- Removal of SSL and early TLS (2.2.3, 2.3, 4.1)
- Protect points of physical interaction from tampering and substitution (9.9)
- Maintain information about which PCI DSS requirements are managed by each service provider (12.8.5)
- Service providers must provide written acknowledgement (12.9)

PCI DSS 3.2 (draft released 04/15/16)
- Enhancements to change control and multi-factor authentication
- Changes for service providers
Defining Your PCI DSS Scope
People, processes and technologies that store, process, or transmit cardholder data, or that could affect the security of those components that do touch the data. Simple, right?
- Servers (web, database, virtual, etc.) and workstations
- Firewalls, IDS/IPS
- Network switches, routers, load balancers, etc.
- Network-attached storage or connected arrays
- Name resolution, time sync, authorization
Other Scoping Considerations
The best first steps are to:
- Complete and maintain an accurate inventory
- Complete and maintain an accurate cardholder dataflow diagram
Once you know exactly where and why cardholder data flows and lives:
- Consider opportunities to streamline, centralize, and eliminate
- Segment all card activity from other campus networks
- P2PE holds promise; understand the difference between P2PE and E2EE
PCI Non-Compliance
In the event of a data breach, the card brands can:
- Assess fines of up to $500,000 per brand per breach
- Require that you notify victims
- Require that you pay card replacement costs
- Require that you reimburse fraudulent transactions
- Require that forensic investigations be performed by a PCI-approved firm
- Require that you validate as a Level 1 merchant (QSA)
EMV: How Does It Fit?
- EMV is a separate standard
- Chip & PIN vs. Chip & Signature
- Supports PCI DSS in a layered security approach
- Protects against card fraud
- Affects only physical points of interaction
- Does not encrypt the primary account number
- Pushes fraud to other payment channels
- Liability shift: October 1, 2015
Longwood's Credit Card Locations
- Lancer Card Center: in person and online
- Dining locations: networked Verifone readers
- Athletics: in person, online and over the phone
- Theatre Box Office: in person and online
- University Foundation: in person, over the phone, online giving and phone-a-thon
- Bed & Breakfast: in person, online and over the phone
Challenges
- Wanted to avoid the dreaded SAQ D!!
- Try to reduce scope
- Anticipate growth and future regulations
In the Beginning
- Gap analysis (December 2013)
- Created policies and procedures
- Required training and documentation
- Daily inspection of equipment
- Locking up devices or limiting access
Lancer Card Center
- Hosted third-party solution for online deposits
- Analog Verifone for in-person transactions
- SAQ B
Dining Services
- Outsourced to Aramark: SAQ A
- Using Longwood's network for the Verifone devices: SAQ D for service providers
- MICROS Simphony/WK5A registers
- Partnered with FreedomPay for P2PE: SAQ A
FreedomPay Setup
Congratulations!?
Complying with the PCI DSS is NOT a project. It is an evolving, continuous process that has no end.
Verizon Data Breach Investigations Report
Each year, the most prevalent attack vectors shift, but certain threat actions persist.
Verizon Data Breach Investigations Report
Attacks by type:
Why Requirement 9.9?
Device skimming is sadly not rare.
Images from www.krebsonsecurity.com
Securing Points of Interaction
Requirement 9.9 took effect July 1, 2015.
- Maintain an inventory list of devices
- Periodically inspect devices to look for tampering or substitution
- Train personnel to be aware of suspicious behavior and to report tampering/substitution
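The three parts of Requirement 9.9 above (inventory, periodic inspection, reporting of tampering or substitution) can be tied together with a small review script; this is an added example, not code from the presentation or from either presenter's institution. It assumes a constructed device inventory, a constructed inspection log, and a 30-day inspection interval (an assumption; the standard leaves the frequency to the merchant), and flags serial mismatches as possible substitution, reported tampering, devices seen that are not in the inventory, and devices whose last inspection is overdue.

```python
"""Requirement 9.9 inventory/inspection review (added example, not from the slides).
All device and inspection data below is constructed for illustration."""
from datetime import date, timedelta

# Constructed inventory: device id -> (make/model, location, expected serial number)
INVENTORY = {
    "POI-01": ("Verifone VX520", "Lancer Card Center", "SN-A1001"),
    "POI-02": ("Verifone MX915", "Dining Hall register 1", "SN-B2002"),
    "POI-03": ("Verifone MX915", "Dining Hall register 2", "SN-B2003"),
}

# Constructed inspection log: (device id, inspection date, serial observed, tampering found?)
INSPECTIONS = [
    ("POI-01", date(2016, 5, 2), "SN-A1001", False),
    ("POI-02", date(2016, 5, 2), "SN-B9999", False),  # serial differs: possible substitution
    ("POI-03", date(2016, 3, 1), "SN-B2003", True),   # tampering reported by staff
    ("POI-77", date(2016, 5, 2), "SN-C7777", False),  # device not in the inventory at all
]

def review_inspections(inventory, inspections, today, max_age_days=30):
    """Return findings by category; each value is a sorted list of device ids."""
    findings = {"substituted": set(), "tampered": set(), "unlisted": set(), "overdue": set()}
    last_seen = {}
    for dev_id, when, serial_seen, tampered in inspections:
        if dev_id not in inventory:
            findings["unlisted"].add(dev_id)   # inventory is incomplete or a rogue device
            continue
        if serial_seen != inventory[dev_id][2]:
            findings["substituted"].add(dev_id)  # expected serial not on the device
        if tampered:
            findings["tampered"].add(dev_id)
        last_seen[dev_id] = max(when, last_seen.get(dev_id, when))
    # Any inventoried device not inspected within max_age_days is overdue (assumed 30 days).
    cutoff = today - timedelta(days=max_age_days)
    for dev_id in inventory:
        if dev_id not in last_seen or last_seen[dev_id] < cutoff:
            findings["overdue"].add(dev_id)
    return {k: sorted(v) for k, v in findings.items()}

def demo_findings():
    """Run the review over the constructed data as of a fixed date."""
    return review_inspections(INVENTORY, INSPECTIONS, date(2016, 5, 15))

if __name__ == "__main__":
    for category, devices in demo_findings().items():
        print(f"{category:12s} {', '.join(devices) or '-'}")
```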
Shortcuts to Compliance
- Reduce scope
  - Segmentation
  - P2PE
- Outsource
  - Use PCI-listed solutions
  - Use validated service providers
Some Mobile Solutions
- Cellular-based PTS POI terminal
- Integrated POS + P2PE
- PIN pad + Jetpack
- Mobile P2PE POI (iOS/Android)
Crissy Sampier, sampiercm@longwood.edu
Edward Ko, edko@campusguard.com