A PCI Journey with Wichita State University
Blaine Linehan, System Software Analyst III
Financial Operations & Business Technology, Division of Administration & Finance

Question #1: How many of you know what PCI is?

Question #2: How many of you are involved in becoming PCI compliant on your campus?

Glossary
PCI: Payment Card Industry
CDE: Cardholder Data Environment
SAQ: Self-Assessment Questionnaire
QSA: Qualified Security Assessor

What is PCI DSS?
"The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information." [1]
Compliance is mandatory, not optional.
The acquiring bank is ultimately responsible for compliance.
The acquiring bank answers to the card brands (VISA, MasterCard, etc.).
1. https://pcissc.secure.force.com/faq/articles/frequently_asked_question/what-is-the-payment-card-Industry-Data-Security-Standard-PCI-DSS/?q=definition+of+PCI+dss&l=en_US&fs=Search&pn=1

Why You Should Be Proactive
Compliance with the PCI DSS means that your systems are as secure as possible, and customers can trust you with their sensitive payment card information. Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future. Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community.
Lose the ability to take specific card brands.
Lose alumni and foundation donations.

Target
Could be liable for up to $3.6 billion. [1]
$90 fine per compromise x 40 million compromises: 90 x 40,000,000 = 3,600,000,000 [2]
1. http://techcrunch.com/2013/12/23/target-may-be-liable-for-up-to-3-6-billion-from-credit-card-databreach/
2. http://www.focusonpci.com/site/index.php/penalties-calculator.html

First Things First

Merchant Levels

The PCI Committee
Associate Director of Business Technology
Software Analyst
Manager of Technical Services
Manager of Data Operations and Network Services
Manager of Server Teams
Department Managers

Initial Steps
Identified how and where we take credit cards.
Decided NOT to store any credit card numbers anywhere on campus.
Determined the areas of greatest risk and used those to set our approach, rather than following the order of the compliance requirements.
Started working on our scope.

Scope
Scope is comprised of the people, processes and technology that handle cardholder data:
All system components included in or connected to the cardholder data environment.
All systems involved in managing the security of other in-scope systems (e.g., authentication servers, log management servers, IDS management consoles).
http://www.halock.com/blog/defining-scope-pci-compliance/

Validated Payment Application
A Validated Payment Application is an application that has been validated by a Payment Application Qualified Security Assessor. It is validated by them against the current Payment Application Data Security Standard. [1]
1. https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php

What happened?
We discovered that installing our Validated Payment Application put most of our network into scope, because the payment terminals were layer 2 adjacent to every other PC in the subnet.

Problem!

What did we do?
Our solution was to segment the payment terminals away from the regular campus computers.
"Without proper network segmentation to isolate the systems that store, process or transmit cardholder data from those that do not, all system components in that network are considered part of the cardholder data environment, the entire network is in scope for PCI DSS, and all PCI DSS requirements apply." [1]
1. https://pcissc.secure.force.com/faq/articles/frequently_asked_question/what-is-the-scope-of-a-pci-dssassessment-for-a-network-that-is-not-segmented/?q=what+is+in+scope%3f&l=en_us&fs=search&pn=2

Solution? Segmentation!

And then...
"Any company that stores, processes, or transmits cardholder data on behalf of another entity is defined to be a Service Provider by the Payment Card Industry (PCI) guidelines." [1]
1. https://www.pcicomplianceguide.org/pci-faqs-2/#14

We hired a QSA
Went through a gap analysis.
We ARE a service provider: there are affiliated business organizations for which we provide network and hardware support.
Is it a bad thing?
SAQ C: 139 questions
SAQ D-SP: 347 questions

WSU Today
85 dedicated payment machines on campus.
Dedicated Active Directory, DNS, anti-virus and Windows updates.
DHCP is shared with campus.
All system components included in or connected to the cardholder data environment are in scope.

Associated Devices

After Segmentation
Internal & external vulnerability scanning (SAQ D-SP 11.2)
File integrity monitoring (SAQ D-SP 11.5 (A))
Event log monitoring (SAQ D-SP 10.6)
Network connection monitoring

Scanning for data at rest
"The final step in proving the extent of the CDE is for the organization to scan their entire network to confirm that cardholder data is not stored anywhere outside of the CDE." [1]
Asset inventory reviews & annual audits.
1. http://www.infosecisland.com/blogview/18637-pci-compliance-what-is-in-scope.html

On the Horizon
P2PE (Point-to-Point Encryption): encrypt cardholder data at the point of swipe.

What We've Learned
Compliance never ends.
You have to take it seriously and be proactive.
Reduce scope as much as possible.
Centralize services.
Hire a QSA for questions.
We're not perfect.

Contact Information
Blaine Linehan
Box 32, 1845 Fairmount St, Wichita KS 67220
316-978-5699
Blaine.linehan@wichita.edu