OKLAHOMA STATE UNIVERSITY STUDENT UNION: HOW IT SERVES OTHERS THROUGH PCI COMPLIANCE. Tracie Brown, Associate Director of Administrative Services; Mike Peaster, Information Technology Manager
THE QUESTIONS WE HOPE TO ANSWER: How can IT serve others through PCI compliance? What exactly is PCI, and what does it mean to be compliant? How long does this process take, and is it achievable? What happens behind the scenes to ensure that our customers' cardholder data is protected? Why should your front-line staff understand the importance of PCI compliance? Why should you care whether your organization is PCI compliant?
WHO WE ARE: Located in Stillwater, OK. Building physically located in the heart of campus. Largest in the nation. Comprehensive. Completed a $65 million renovation in September 2012. Ranked No. 1 Most Amazing and Comprehensive Union (BestCollegeReviews.org).
AREAS OF RESPONSIBILITY
Administrative Services: IT, Marketing, Human Resources, Accounts Receivable, Accounts Payable, Financial Reporting
Building Operations: Maintenance, Custodial, Parking
Retail Operations: Bookstore (Clothing, Supplies, Technology Store, E-Commerce site)
Campus Life: Center for Ethical Leadership, International Students & Scholars, Fraternity & Sorority Affairs, Non-Traditional Students, Off-Campus Student Association, Camp Cowboy, Student Government Association, Service Learning Volunteer Center, Allied Arts/Special Events, Student Union Activities Board, Parent & Family Relations, Student organizations
Meeting & Conference Services
University Dining Services: 32 dining options across campus, full service catering operation
CREDIT CARD PAYMENT CHANNELS
Retail Operations (RATEX POS / VeriFone VeriShield): total revenue $18.6 million; total credit card sales $5.4 million, of which e-commerce accounts for $1.1 million
University Dining Services (MICROS POS / Shift4): total revenue $21 million; total credit card sales $1.87 million
Other: wireless credit card machines
BASICS OF PCI Background / History Acronyms PCI DSS Requirements Merchant Level Reporting Requirements Validation Requirements
BACKGROUND / HISTORY: Prior to 2006 the five major card brands each had their own security program. The goals were similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. In 2006 these five leading payment brands, American Express, Discover, JCB, Visa, and MasterCard, formed the Payment Card Industry Security Standards Council after several large, well-known institutions and brands had credit card payment data exposed to fraudulent purchases due to inadequate protection. The Payment Card Industry Data Security Standard (PCI DSS) was created as a result of these unprecedented assaults on personal and financial data.
ACRONYMS
PCI: Payment Card Industry
PCI DSS: Payment Card Industry Data Security Standard
QSA: Qualified Security Assessor
SAQ: Self-Assessment Questionnaire
ROC: Report on Compliance
ASV: Approved Scanning Vendor
P2PE: Point-to-Point Encryption
POI: Point of Interaction (the device that reads the card)
AOC: Attestation of Compliance
PCI DSS REQUIREMENTS
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
MERCHANT LEVELS (Visa criteria)
Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
Level 4: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
VALIDATION REQUIREMENTS
Level 1: Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) if signed by an officer of the company; quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form
Level 2: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form
Level 3: Annual SAQ; quarterly network scan by ASV; Attestation of Compliance form
Level 4: Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by the merchant bank
SAQ REPORTING REQUIREMENTS (number of questions, DSS 2.0 / DSS 3.0)
A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions fully outsourced to a PCI-compliant service provider. 13 / 14
A-EP (new in 3.0): E-commerce merchants redirecting to a third-party website for payment processing; no electronic cardholder data storage. 0 (did not exist) / 139
B: Merchants with only imprint machines or only standalone dial-out payment terminals; no e-commerce or electronic cardholder data storage. 29 / 41
B-IP (new in 3.0): Merchants with only standalone IP-connected payment terminals; no e-commerce or electronic cardholder data storage. 0 (did not exist) / 83
P2PE-HW: Hardware payment terminals in a PCI-listed P2PE solution only; no electronic cardholder data storage. 18 / 35
C-VT: Merchants using only web-based virtual terminals; no electronic cardholder data storage. 51 / 73
C: Merchants with payment application systems connected to the Internet; no electronic cardholder data storage. 80 / 139
D: All other merchants (not included in the descriptions for SAQs A through C above) and all service providers defined by a payment brand as eligible to complete an SAQ. 288 / 326
WHAT YOU REALLY NEED TO KNOW: PCI compliance is going to look different for everyone in this room, depending on your environment and the QSAs you hire. It is important for you to be as knowledgeable as possible about your systems and your scope-reducing solutions.
Timeline 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015. PCI WHAT? It was 2006, life was good. Then we became aware of something called PCI.
KEY MILESTONES: We worked hard to have the best systems available at the time. We relentlessly pushed on our vendors and on the OSU Network and IT Security departments to help us be compliant.
2007: Replaced our homegrown e-commerce site with a PCI compliant storefront
2008: Outsourced e-commerce credit card processing
2009: Upgraded RATEX POS to gain database credit card encryption
2010: Upgraded MICROS and RATEX POS systems to PCI compliant versions (still storing card numbers)
2010: Surprise visit from Internal Audits and Protiviti; they noted the lack of firewalls and network segmentation
2010: BOA requests that OSU start filing the appropriate SAQs
2011: OSU finally allows us to install firewalls and VPNs to isolate the PCI environment
GETTING READY: The Student Union engages Coalfire to provide advisory services, with the goal of designing an SAQ-C environment and filing a completed SAQ-C (2.0) with all 80 elements confirmed compliant. To achieve this, we: created configuration and build documents for all components (firewalls, VPNs, POS terminals, servers, etc.); wrote policy and procedure to address all SAQ-C elements; created an employee training program; installed firewalls and VPNs to isolate the PCI environment; implemented point-to-point encryption to remove POS terminals, servers, and applications from PCI scope. Once we implemented the Coalfire design, we had them audit it.
COALFIRE SAQ-C (2.0) ASSESSMENT RESULTS (chart)
TRUE DIGITAL SAQ-C (2.0) ASSESSMENT RESULTS (chart)
WE MADE IT! QSA assessment reports from both companies were submitted to OSU administration. SAQ-C filed with all items compliant! Good times are here again!
HERE'S THE GOTCHA.
PROTIVITI ASSESSMENT RESULTS (chart)
MORE WORK: Added additional policy and procedure: change testing and implementation; configuration documentation for connected-to systems; process and procedure for user account tracking and approval. Installed an RSA SecurID server to centralize authentication, authorization, and enforcement of ID and password rules. Installed a centralized logging server and directed all in-scope systems capable of generating logs to it. Configured the logging server to email log exceptions to administrators for review; automated exception alerting plus review of the emailed digest satisfies the daily log review requirement (Requirement 10.6) without someone reading every raw log. We reported our compliance with the additional 66 elements to OSU Internal Audits and Protiviti. We engaged Coalfire to perform a gap analysis of our environment against the full DSS, all 288 elements (2.0).
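As an added illustration (not code from the OSU Student Union or from its logging product), here is the kind of exception filter a central log server runs before emailing a digest: it parses syslog-style lines forwarded by in-scope hosts, collapses repeated login failures into one alert once they reach a threshold, and flags privilege escalation, new accounts, and the audit daemon stopping, the event types PCI DSS Requirement 10.2 expects you to log. The host names, rule set, and log lines are constructed for this example.

```python
"""Added example, not part of the OSU presentation: a log-exception filter
of the kind a central log server runs before emailing administrators.
Host names, rule set, and log lines are constructed for illustration."""
import re
from collections import Counter, defaultdict

# Constructed sample: syslog-style lines forwarded by in-scope hosts.
SAMPLE_LOGS = """\
Mar 03 08:01:12 pos-fw01 sshd[2201]: Accepted publickey for svc-backup from 10.20.1.5 port 51022 ssh2
Mar 03 08:02:40 pos-db01 sshd[8810]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 03 08:02:43 pos-db01 sshd[8810]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar 03 08:02:47 pos-db01 sshd[8810]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar 03 08:05:10 pos-app01 sudo:  jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash
Mar 03 08:06:55 pos-fw01 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.20.1.10 PROTO=TCP DPT=3389
Mar 03 08:10:00 pos-app01 useradd[5120]: new user: name=tmpadmin, UID=1005, GID=1005, home=/home/tmpadmin
Mar 03 08:12:31 pos-db01 sshd[8830]: Accepted password for dba from 10.20.1.21 port 50011 ssh2
Mar 03 08:15:02 pos-app01 auditd[410]: Audit daemon is exiting.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Each rule is (name, regex). They correspond to event types PCI DSS 10.2
# asks to be logged: failed access, use of root privilege, account
# changes, and stopping of the audit log itself.
RULES = [
    ("auth_failure",    re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("priv_escalation", re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*USER=root")),
    ("account_created", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
    ("audit_stopped",   re.compile(r"auditd\[\d+\]: Audit daemon is exiting")),
]


def parse_line(line):
    """Split one syslog-style line into timestamp, host, and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_exceptions(log_text, failure_threshold=3):
    """Return the events an administrator should review, in arrival order.

    Repeated login failures for the same (host, source, user) are collapsed
    into one exception, raised when the count reaches the threshold, so a
    brute-force attempt produces a single alert instead of hundreds.
    """
    exceptions = []
    failures = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a real collector would count these too
        for name, pattern in RULES:
            m = pattern.search(rec["msg"])
            if not m:
                continue
            if name == "auth_failure":
                key = (rec["host"], m.group("src"), m.group("user"))
                failures[key] += 1
                if failures[key] == failure_threshold:
                    exceptions.append({
                        "host": rec["host"], "rule": name,
                        "detail": f"{failure_threshold} failed logins for "
                                  f"{key[2]} from {key[1]}",
                    })
            else:
                exceptions.append({"host": rec["host"], "rule": name,
                                   "detail": rec["msg"]})
    return exceptions


def format_digest(exceptions):
    """Body of the email sent to administrators, grouped by host."""
    by_host = defaultdict(list)
    for e in exceptions:
        by_host[e["host"]].append(e)
    lines = []
    for host in sorted(by_host):
        lines.append(f"== {host} ==")
        lines.extend(f"  [{e['rule']}] {e['detail']}" for e in by_host[host])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_digest(find_exceptions(SAMPLE_LOGS)))
```

The firewall DROP line is deliberately left un-alerted: a single dropped packet is noise, and alert rules that fire on noise are the fastest way to get administrators to stop reading the digest. Whatever the rule set, the emailed digest is evidence of review only if someone actually opens it and records what they did with each exception.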
COALFIRE PCI DSS ASSESSMENT RESULTS (chart)
RINSE AND REPEAT. AGAIN. We reported compliance with 237 of 288 controls and started work on the remaining 51: contracted with an Approved Scanning Vendor to perform internal and external penetration testing; added a yearly risk assessment requirement to policy; instituted yearly PCI awareness training for all staff; updated PCI policy to address all 170 in-scope elements; developed a more robust incident response plan; created daily, weekly, monthly, and yearly checklists and a procedure document for PCI duties; added an internal scan appliance to handle quarterly internal PCI scans. We engaged Coalfire to assess the remaining 51 controls.
WHERE WE WERE AS OF APRIL 2014 (chart)
PCI DSS 3.0: the full DSS grows from 288 elements (2.0) to 326 (3.0).
PCI DSS 3.0: MAJOR CHANGES AND THEMES
Strong third-party provider enforcement: maintain a written agreement that acknowledges the service provider's responsibility.
Protecting POS devices from tampering and skimming: maintain an up-to-date, detailed list of all devices; periodically inspect devices to detect tampering.
Segmentation and scoping get tougher: system components include any component or device located within, connected to, or that may impact the security of the CDE (cardholder data environment).
Penetration testing requirements are greatly enhanced.
New SAQ types may change the SAQ that applies to your organization.
GENERAL NOTES ABOUT PCI DSS 3.0 3.0 seems to be an attempt to stop checkbox compliance and the assessors that enable it. If you are following the intent of the 2.0 standard, the changes in 3.0 may or may not be as significant to your organization. If you are cutting corners, 3.0 requirements could be painful. Service providers need to get serious about PCI.
EMV: WHAT IS IT? AKA "chip and PIN". A global standard for chip card technology, replacing the magnetic stripe. Typically a chip inset in a plastic card. Chips can include a contactless (RFID/NFC) interface to enable tap transactions. The chip stores cardholder and application data more securely than a magnetic stripe. EMV provides protection against lost or stolen card fraud as well as card reproduction (counterfeit) fraud.
EMV: WHAT IS IT? Solutions comprise two components: a microprocessor, usually embedded in a payment card, and an EMV-enabled POS, either contact based, contactless, or both.
EMV HOW DOES CONTACT TRANSACTION WORK?
EMV: HOW DOES A CONTACTLESS TRANSACTION WORK? An EMV chip can be on a contactless card, where the card is tapped or held near the terminal, or the chip can be inside your smartphone and the phone is waved near the terminal.
EMV: WHAT IT IS, WHAT IT ISN'T, AND WHY IT'S IMPORTANT. EMV only addresses card-present fraud. It does not protect data in transit or at rest. It would not have prevented a Target-style breach. It IS an important piece of the puzzle. October 2015: fraud liability shifts to merchants not using EMV.
WHY 3.0 IS CONCERNING: The new focus on connected systems in 3.0 greatly expands the number of systems potentially in scope for PCI DSS. Under 2.0 our e-commerce web server was considered mostly out of scope because we used a hosted payment page; under 3.0 it's fully in scope! This brings more connected systems into scope. Where does the line get drawn now? No two auditors will agree. Potential house-of-cards scenario for our PCI scope. Expanded PCI scope means more penetration testing and expense. Every new device deemed in scope suddenly requires substantially more management overhead.
THE IDEAL SOLUTIONS FOR EACH PAYMENT CHANNEL
E-commerce: outsource web hosting and payment processing to a PCI DSS 3.0 validated third-party service provider.
Miscellaneous charges: use standalone PTS-approved dial-up or cellular credit card terminals.
Bookstore and Dining POS terminals: use a combination of EMV, PCI Council approved HW-P2PE, and tokenization.
THE TRIFECTA: EMV, HW-P2PE, TOKENIZATION. EMV: chip and PIN prevents counterfeit and lost or stolen card use; chip and signature prevents only counterfeit card use.
THE TRIFECTA: EMV, HW-P2PE, TOKENIZATION. HW-P2PE: the account number and card data are encrypted inside the reader and protected in transit from the moment of swipe to the payment network. Since the merchant has no access to the decryption keys, scope and risk to the merchant are significantly reduced. Council approved HW-P2PE negates the need for network segmentation, firewalls, log management, etc. in the merchant's environment, provided the solution is on the Council's P2PE list and the merchant follows its P2PE Instruction Manual (PIM): 35 of 326 PCI DSS controls remain (SAQ P2PE-HW).
THE TRIFECTA: EMV, HW-P2PE, TOKENIZATION. TOKENIZATION: uses a randomly generated unique ID (token) in place of the primary account number (PAN), so the actual card number is never stored; the token has no mathematical relationship to the PAN, and only the token provider's vault can map it back. Since card data is replaced with unique IDs, the tokens can be stored indefinitely and used for important business processes (refunds, repeat billing, reporting). Reduces PCI scope by removing card numbers from systems and databases.
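As an added example (not the presentation's code or any vendor's product), the following shows the three properties that make tokenization scope-reducing: the token is random and formatted so it can never look like a card number; only a vault the merchant does not control maps it back; and the display value kept alongside it is masked to first six/last four as PCI DSS 3.3 permits. It finishes with a Luhn-based scan over the stored records, the check a practitioner runs over database dumps, logs, and backups to confirm that no raw PAN remains. The TokenVault class, helper names, and test card numbers are constructed for this example.

```python
"""Added example, not the presentation's or any vendor's code: a toy token
vault, PAN masking, and a Luhn-based scan for raw card numbers. The class,
helper names, and card numbers are constructed for illustration."""
import re
import secrets


class TokenVault:
    """Stands in for the token provider's vault, which lives outside the
    merchant's environment. Merchant systems only ever see what
    tokenize() returns; detokenize() never runs on merchant systems."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        """Return the existing token for a PAN, or mint a new random one."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            raw = secrets.token_hex(8)  # 16 random hex chars, unrelated to the PAN
            # Group in fours so a token can never form a 13-19 digit run
            # and be mistaken for a card number by a PAN scanner.
            token = "tok_" + "-".join(raw[i:i + 4] for i in range(0, 16, 4))
            if token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        """Only the vault can map a token back; a stolen token is useless."""
        return self._token_to_pan[token]


def mask_pan(pan):
    """Display form PCI DSS 3.3 permits: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def luhn_ok(digits):
    """Luhn check-digit validation; every real PAN passes this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_raw_pans(text):
    """Return every 13-19 digit run in text that passes Luhn, i.e. likely PANs.

    Running this over database dumps, logs, and backups is how you verify
    that tokenization really removed card numbers from a system."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def demo_records():
    """Build the records a tokenized POS or e-commerce database would keep."""
    vault = TokenVault()
    test_pans = ["4111111111111111", "5555555555554444"]  # constructed test numbers
    stored = [
        {"order": 1001 + i, "card": vault.tokenize(pan), "display": mask_pan(pan)}
        for i, pan in enumerate(test_pans)
    ]
    dump = "\n".join(str(rec) for rec in stored)
    return vault, stored, dump


if __name__ == "__main__":
    vault, stored, dump = demo_records()
    print(dump)
    print("raw PANs found in store:", find_raw_pans(dump))
```

The scan is the part to keep: a tokenization project is only scope-reducing if the old card numbers are actually gone from every table, log, and backup, and a QSA will want to see evidence of that, not a vendor datasheet. The vault here is a dictionary for illustration; in a real deployment it is the token provider's system, which is why it, and not the merchant, carries the PCI DSS obligations for stored PANs.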
THE TRIFECTA: EMV, HW-P2PE, TOKENIZATION. WHAT EACH COVERS
Prevent counterfeit card use: EMV
Prevent lost or stolen card use: EMV (chip and PIN)
Protect card data in transit: HW-P2PE
Protect card data at rest (stored): Tokenization
Protect e-commerce transactions: Tokenization
WHAT WE'VE DONE TO ADDRESS PCI DSS 3.0
MICROS POS (Dining): affordable hardware P2PE that is not PCI Council listed is available now. Hardware P2PE vs. software P2PE changes scope. At $100 apiece it's worth the investment as an interim device; it's the best thing we can do right now and prevents a Target scenario. Non-EMV, so most likely replacing in 1 to 2 years.
E-commerce (Bookstore): outsource web hosting and payment processing to a PCI DSS validated third-party service provider: E-Ratex for the e-commerce application, Cybersource for payment processing, Rackspace for web hosting.
Miscellaneous charges: use standalone PTS-approved cellular credit card terminals.
WHAT WE'VE DONE TO ADDRESS PCI DSS 3.0 (continued): Had Coalfire perform a scope assessment of the planned state of our Spring 2015 environment. This is where it's decided what processes, people, and systems are in scope for inspection and validation. Scope assessment has typically been the most controversial portion of our engagements with auditors. We used whitepapers authored by Coalfire on the vendors' solutions to argue for scope reduction, and we also asked them to suggest ways to further reduce our scope.
SCOPE ASSESSMENT FINDINGS: Significant scope reduction was achieved! Past PCI DSS 2.0 environment: 170 controls in scope. New PCI DSS 3.0 environment: 89 controls in scope. Stipulations for the scope reduction granted: manual card entry on the POS itself is disabled; the VeriFone and Shift4 PTS-approved PIN pads are the only means of accepting card-present transactions for MICROS and RATEX; the PTS-approved PIN pads are customer facing, so the cashier never handles the card; for payment processing and e-commerce hosting we must use PCI DSS compliant service providers and hold copies of their Attestations of Compliance; and we must have an executed agreement with each third-party service provider detailing the controls the provider manages.
WHAT THIS MEANS FOR US: No networks in scope (P2PE). No cardholder data storage in scope (tokenization). No critical hardware other than the PIN pads in scope (P2PE). No software in scope (P2PE). No third-party payment applications in scope (P2PE). No vulnerability scans, no penetration testing, no log management.
2.0 SCOPE (diagram)
3.0 SCOPE (diagram: OSU, service providers, agreements with service providers)
WHAT WE VE LEARNED AND HOW WE VE CHANGED PCI needs to be a part of the conversation on the front end of purchasing systems and delivering services to our customers. Some recent examples include: Food truck/away game solution Ticketing system selection Meeting and Conference Services Shift4 integration with external P2PE pin pads
OUR SOLUTION (diagram)
SHIFT4 CHALLENGES: The PIN pad has no intelligence and is not integrated with the POS in any way. It constantly displays the same message no matter the status of the register or reader, which causes confusion. It was the best and only available option for our systems at the time: a stop-gap solution to get us through a 3.0 audit. Cashiers needed to be trained not to complain about the shortcomings of the PIN pads but to tell the customer that we are protecting their credit card data. Third-party solutions can be a double-edged sword: they can address shortcomings that your POS system can't on its own, but you can end up with a stalemate between the POS manufacturer and the third party when something isn't working as it should.
WHAT YOU SHOULD TAKE AWAY FROM OUR PRESENTATION: PCI compliance is a journey. Available technology and changing PCI DSS specifications make it a moving target. If you're arriving late to the PCI game, you've got many more options than we had; you should be able to leapfrog us and save yourself some pain. You might think about hiring your own QSA before someone else does. It just goes better when the QSA works for you and not the other team; it's all in the interpretation. You can shop around for a QSA. You don't want the low bidder that's just going to say you're compliant, though; you need one that's reasonable and that you can work with. Use a firm with P2PE-certified assessors if you're going to rely on P2PE for scope reduction. Others may be less likely to grant you as much scope reduction as the ones that fully understand P2PE.
WHAT YOU SHOULD TAKE AWAY FROM OUR PRESENTATION: Scope-reducing technologies are worth the investment; our audits get easier each time we reduce our scope. If you're going to buy EMV terminals, try to buy ones that offer a P2PE and tokenization solution too while you're at it. You're going to spend the money, you might as well. There is no PCI silver bullet. Don't rely solely on what vendors tell you about their solution: scope reduction is up to the bank and the QSA, and our scope has consistently been broader than the vendor claimed. This isn't necessarily the fault of the vendor, though; there are a lot of differences of opinion between QSAs.
WHAT YOU SHOULD TAKE AWAY FROM OUR PRESENTATION: PCI needs to be part of the conversation on the front end of purchasing systems and delivering services to our customers. Is the system PCI compliant? Is the third-party service provider listed as compliant by Visa/MasterCard? Can they provide an AOC? Does their contract acknowledge PCI responsibilities? Can they show scan results? Lastly, is this a service we want to offer our customers?
WHAT YOU SHOULD TAKE AWAY FROM OUR PRESENTATION: Why should you care about PCI compliance? Compliance with PCI DSS demonstrates our commitment to protecting our customers' confidential data, which in turn builds trust. Trust means our customers have confidence in doing business with us. Confident customers are more likely to be repeat customers and to recommend us to others. Compromised data negatively affects us all. Just one incident can severely damage your reputation and your ability to conduct business effectively into the future. Other negative consequences could include lawsuits, insurance claims, cancelled accounts, payment card issuer fines, and government fines. More importantly, you could lose the ability to accept credit cards for your entire institution, not just your operations, indefinitely.
Questions?
CONTACT INFORMATION Mike Peaster 405-744-7796 mike.peaster@okstate.edu Tracie Brown 405-744-6990 tracie.brown@okstate.edu