
Page 1: PCIDSS compliance made easier through a collaboration between NC State and UNC-Chapel Hill

PCIDSS compliance made easier through collaboration between NC State and UNC-Chapel Hill

UNC Cause 2013 Wilmington, NC

John Baines AD Policy & Compliance, OIT,NCSU

Eva Lorenz ITS Security, UNC Chapel Hill


Outline

• PCI DSS 2.0 (3.0 soon…) – .edu concerns
• Background – Why? Who? What?
• Higher Ed and credit card compliance
• Similarities
• Differences
• Hot topics
• What next? / Future plans
• Conclusion

2 11/20/2013 PCI DSS Collaboration - UNC Cause 2013 Wilmington, NC


PCI DSS 2.0 (->3.0) .edu concerns

• PCI DSS 3.0 to be released 11-7-13, effective 1-1-14
  ◦ Required merchant compliance by 1 January, 2015
  ◦ Core 12 Security Requirements unchanged, but several new sub-requirements
• Service provider status
  ◦ This can happen to any institution
• Scope creep
  ◦ In a federated environment, this is a constant struggle
• CDE planning and maintenance
  ◦ Universities like changes and reorganizations
• Written documentation
  ◦ How much oversight can be centrally provided?
  ◦ Vast amount needed (not just Requirement 12)


Background – Why? Who? What?

• Two universities with federated set up and flat network
• Oversight committee from Finance/Controller and ITS/OIT
• PCI Steering Committee and CERTIFI
• Gap analysis at NC State in 2011, and UNC in 2012
• Expand on existing ISO meetings to focus on PCI DSS and compliance
• Subject to State Controller requirements and UNC-GA oversight


Organizational Entities - NCSU
• Controller’s office
• OIT Security & Compliance
• Other OIT units
• Merchants

Organizational Entities – UNC-CH
• Finance / Controller’s Office
• ITS Security + ITS Enterprise Applications
• Other ITS units (networking, hosting)
• Merchants


Controller’s office / Finance

• Controller’s office - Manager, Cash Management / Merchant Card Accountant
  ◦ Single point of entry
      Even with a tightly controlled CDE, change management is a struggle, so control the point of entry
  ◦ Business justification
      Consider establishing baseline requirements and balance versus risk to the university
  ◦ Obtaining a PCI Merchant Account
      Yes, there is a State Controller
  ◦ PCI associated business processes
      Consider developing questionnaires, standard workflows and other documentation or requirements, such as training, before the account goes live.


OIT Security & Compliance - NCSU
• Internal Security Assessor (ISA)
• Initial technical compliance
• Technical assistance (D merchants & OIT)
• Annual review by merchant
• Guidelines for SAQ A & B merchants

ITS Security (UNC-CH)
• PCI Coordinator – scheduled for ISA exam
• Initial technical compliance
• Technical assistance (vuln. and web scanning)
• POS stations physical security / annual review
• Maintain enterprise firewalls, access to CDE


Other IT Units - NCSU & UNC-CH

• Cover many different areas
  ◦ ComTech: network, VOIP phones
  ◦ Shared hosting: CDE and D merchants
  ◦ Infrastructure: logging, patching, VMs, etc.
  ◦ Client Services: end-point protection and compliance – Dedicated Payment Workstation
  ◦ Enterprise Application Systems: development / implementation of PCI compliant applications, TouchNet/Nelnet


Merchants – NCSU – 124

• SAQ A – Totally outsourced – 72
• SAQ B – Simple POS – 23
• SAQ C – Virtual Terminal – 3
• SAQ D – Complex merchants – 26
  ◦ Dining (2)
  ◦ Bookstore
  ◦ Transportation (9)
  ◦ Athletics
  ◦ Alumni/Advancement (~5)
  ◦ Mail Order – Telephone Order (MOTOs) (<30…)
• Shrinking and growing…


Merchants – UNC-CH – 108

• New merchants all the time
• Existing merchants change implementation frequently
• Then there is an annual review required for each merchant
• Similar ratio as NCSU, but totally outsourcing done via TouchNet
• Also no SAQ C – Virtual Terminal
• Similar set of complex merchants
• UNC-CH merchant grouping for SAQ attestation
  ◦ TouchNet outsourced (SAQ-A)
  ◦ POS terminals (SAQ-B) all on analog
  ◦ Complex SAQ-D merchants
      Some TouchNet with outsourcing of credit card storage, but accepting credit cards in person
      Some merchants have servers with credit card storage on campus


Service Providers

Business                  UNC                         NCSU
Main Gateway              TouchNet (AOC, ROC)         Nelnet
                          Cybersource (e-Tix K)       Cybersource
                          PayFlowPro                  PayFlowPro
Dining                    Micros (SP)                 Micros - CVENT
Bookstore                 Sequoia (version, kiosk)    Sequoia
Advancement               Blackbaud                   Convio
Athletics                 Paciolan                    Paciolan
Phonathon                 Ruffalo Cody (version 1)    Ruffalo Cody (version 2)
Foundation / Fundraising  Convio                      Convio
Conference center         TouchNet (Kiosk)            (Complex)
Parking                   FederalAPD (ScanNet)        Data Tran


Governance - NCSU

• PCI Steering Committee
  ◦ University controller chairs
  ◦ Representatives of four of the largest merchants
  ◦ Members of update team participate
  ◦ Meets quarterly and by email
• PCI Update team
  ◦ External Project Manager
  ◦ Controller’s office
  ◦ OIT Security & Compliance
  ◦ OIT EAS (Enterprise systems development group)
  ◦ Not a dedicated team…
  ◦ Meets bi-weekly


Organizational Entities – UNC-CH

• CERTIFI
  ◦ Finance – Chair Controller’s Office
  ◦ ITS Security
  ◦ ITS EA
  ◦ Merchant representatives
  ◦ IT units
  ◦ Sponsored by CISO and University Controller
  ◦ Meets every two weeks
  ◦ Some voting / decisions by email


Similarities

• POS SAQ B analog phones
• Student groups with mobile gadgets
  ◦ NCSU now cellular POS device from SunTrust/Firstdata. Plans to make this a loaner service for conferences and events
• Conference Center - multi-functional SAQ D merchants, such as book store, athletics, alumni giving, dining and a conference center.
• Identical third party software being deployed and similar issues assessing third party compliance.
• Oversight of service providers for campus merchants - significant problems and risks – PCI DSS Req 12.8


Differences

• Choice of third parties
  ◦ Issues to deal with are complex, including compliance, documentation, oversight
• Choice of payment gateway
  ◦ Select primary one, but make sure it can meet the business needs.
• Network
  ◦ UNC
      Will have some duplicate infrastructure for CDE (e.g. DNS, SCCM, AV)
      Border firewall and implications for service provider role
  ◦ NCSU
      Shares infrastructure services for PCI compliance. No border firewall
      Relies on logical or administrative control of separation regarding the firewalls, building switches and core routers (VLANs, MPLS).
      Dedicated resources include a wireless network at the football stadium
• Medical center
  ◦ Shared network, but two separate entities
  ◦ Remote locations accepting credit card
  ◦ Change in payment processing by these entities (UNC-H)


Hot Topics

• PCI scope
• CDE planning
• Enormous need for education
• Key business processes to maintain PCI compliance
• Service provider reduction


PCI scope (NCSU)

• Primary scope – anything that transmits, processes or stores the PAN, e.g.:
  ◦ Cardholder Data Environment – store PAN
  ◦ Any network transmitting PAN
  ◦ Otherwise non-primary scope, but located in CDE without network control
  ◦ Mail Order Telephone Order workstations
  ◦ Intelligent POS devices (e.g. Cash Registers)
  ◦ Wireless at football stadium only
• Secondary scope – ANYTHING that supports or connects to primary scope, e.g.:
  ◦ Maintenance workstations that connect to CDE (2 factor auth!)
  ◦ Active Directory, DNS, VMware, etc.
• For secondary scope:
  ◦ Logging and patching are required
  ◦ But other PCI DSS controls that are needed vary by case


PCI scope (UNC-CH)

• Primary scope – anything that transmits, processes or stores the PAN, e.g.:
  ◦ Cardholder Data Environment – with some PAN storage
  ◦ Any network transmitting PAN (but not vendor vlan!)
  ◦ Any workstation processing cards by phone, fax or mail
  ◦ No wireless transmission of credit cards
• Secondary scope – ANYTHING that supports or connects to primary scope, e.g.:
  ◦ Sysadmin Workstations that connect to CDE (2 factor auth!)
  ◦ Splunk, Firewalls
  ◦ Supporting infrastructure (AD, DNS, etc.) – duplicated for CDE
• For secondary scope:
  ◦ Logging and patching are required
  ◦ But other PCI DSS controls that are needed will vary by case
• NO email! (Basic requirement – NCSU also)
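The scoping rule on this slide and the NCSU one before it (primary scope is whatever handles the PAN; secondary scope is anything that supports or connects to it; logging and patching are the floor for secondary scope, admin workstations reaching the CDE need 2-factor auth, and email is never allowed in scope) can be applied mechanically to an asset inventory. The Python below is an added example, not a tool from either university: it propagates scope over a constructed inventory, lists the gaps against the controls the slides name, and then shows how duplicating shared services such as AD and DNS inside the CDE (the approach the UNC-CH slides describe) pulls the rest of the campus network back out of scope. Every asset name, attribute, link and the `campus-`/`cde-` naming convention is a constructed assumption.

```python
"""Scope propagation over a constructed asset inventory (added example).

Rule of thumb from the scoping slides:
  primary scope   = anything that stores, processes or transmits the PAN
  secondary scope = anything that supports or connects to primary scope
  floor controls  = logging and patching; 2-factor auth for admin
                    workstations that reach the CDE; no email in scope
All names, attributes and links below are constructed for illustration.
"""
from collections import deque


def asset(pan=False, logging=True, patched=True, admin_ws=False, mfa=False, kind="server"):
    return {"pan": pan, "logging": logging, "patched": patched,
            "admin_ws": admin_ws, "mfa": mfa, "kind": kind}


# Constructed inventory: name -> attributes.
ASSETS = {
    "pos-register-1":   asset(pan=True, kind="pos"),
    "cde-db":           asset(pan=True),
    "moto-workstation": asset(pan=True, logging=False, kind="workstation"),
    "sysadmin-laptop":  asset(admin_ws=True, kind="workstation"),   # no 2FA yet
    "campus-ad":        asset(kind="directory"),
    "campus-dns":       asset(patched=False, kind="dns"),
    "library-kiosk":    asset(logging=False, patched=False, kind="workstation"),
    "mail-server":      asset(kind="email"),
}

# Constructed connectivity / support relationships on a flat campus network.
FLAT_LINKS = [
    ("pos-register-1", "cde-db"),
    ("cde-db", "campus-ad"),
    ("cde-db", "campus-dns"),
    ("moto-workstation", "campus-dns"),
    ("sysadmin-laptop", "cde-db"),
    ("campus-ad", "library-kiosk"),    # the kiosk shares campus AD with the CDE
    ("campus-dns", "mail-server"),
]


def neighbours(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def compute_scope(assets, links, max_hops=None):
    """Return (primary, secondary).

    primary   = assets that handle the PAN
    secondary = assets reachable from primary within max_hops links
                (None = unbounded: the flat-network worst case)
    """
    primary = {name for name, a in assets.items() if a["pan"]}
    adj = neighbours(links)
    seen, secondary = set(primary), set()
    queue = deque((p, 0) for p in primary)
    while queue:
        node, hops = queue.popleft()
        if max_hops is not None and hops >= max_hops:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                secondary.add(nxt)
                queue.append((nxt, hops + 1))
    return primary, secondary


def find_gaps(assets, primary, secondary):
    """Check only the floor controls the slides call out (not a full assessment)."""
    gaps = []
    for name in sorted(primary | secondary):
        a, tier = assets[name], ("primary" if name in primary else "secondary")
        if a["kind"] == "email":
            gaps.append((name, tier, "email must not be in scope"))
        if not a["logging"]:
            gaps.append((name, tier, "no centralized logging"))
        if not a["patched"]:
            gaps.append((name, tier, "not on patch schedule"))
        if a["admin_ws"] and not a["mfa"]:
            gaps.append((name, tier, "admin workstation without 2-factor auth"))
    return gaps


def segment_cde(assets, links, shared_services):
    """Model 'duplicate infrastructure for the CDE': every link from a
    PAN-handling asset to a shared campus service is re-pointed at a
    dedicated, compliant copy inside the CDE (assumed naming: campus-x -> cde-x),
    so the campus instance and everything behind it drops out of scope."""
    new_assets, new_links = dict(assets), []
    for a, b in links:
        pan_side, other = (a, b) if assets[a]["pan"] else (b, a)
        if assets[pan_side]["pan"] and other in shared_services:
            dup = other.replace("campus", "cde", 1)
            new_assets[dup] = dict(assets[other], logging=True, patched=True)
            new_links.append((pan_side, dup))
        else:
            new_links.append((a, b))
    return new_assets, new_links


if __name__ == "__main__":
    for label, (inv, links) in {"flat": (ASSETS, FLAT_LINKS),
                                "segmented": segment_cde(ASSETS, FLAT_LINKS, {"campus-ad", "campus-dns"})}.items():
        prim, sec = compute_scope(inv, links)
        print(f"{label}: primary={sorted(prim)} secondary={sorted(sec)}")
        for gap in find_gaps(inv, prim, sec):
            print("   gap:", *gap)
```

`max_hops=1` matches the slide's wording (systems that connect to primary scope); leaving it unbounded shows how far an unsegmented flat network can drag scope, which is the scope-creep problem the deck keeps returning to. On the constructed inventory the flat network pulls five assets into secondary scope, including the library kiosk and the mail server; after `segment_cde` only the dedicated CDE copies of AD and DNS and the sysadmin laptop remain, and the gap list shrinks to the two findings that are about the CDE itself.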


CDE planning (NCSU)

• Started 2005
• Dedicated:
  ◦ Sub-network(s)
  ◦ CDE for SAQ D’s created early
  ◦ Physical (now VM) servers
• Contains all approved PANs - encrypted
• Supported by OIT Hosting Services unit
• All simple Web authorization supported through Nelnet redirection (no NCSU located CDE)


CDE planning (UNC-CH)

• Started 2012
• Dedicated:
  ◦ Segmented vlans with hardware firewalls
  ◦ Contains servers, desktops, cash registers, payment stations and supporting infrastructure
  ◦ Possible exceptions: e.g. logging server (Splunk)
• Contains all approved PANs - encrypted
• Supported by Windows Systems group and ITS Security
• Does not include servers hosting websites that process customer entered payment data with redirection of credit card data to external service provider


Enormous Need For Education

• 12. Maintain an Information Security Policy
  ◦ Found over 100 sub-requirements for documentation
• Multiple audiences for training:
  ◦ Merchants
      Overall concepts and approach
      Process and SAQ forms
      Deep dive
  ◦ Training IT Security staff as ‘professors of PCI’
      Make use of existing mailing lists and blogs
      Seminars and forums – Treasury Institute & PCI SSC
  ◦ Getting buy-in and understanding from other OIT units about their responsibilities and how to implement them


Enormous Need For Education

• Teach merchants when PCI becomes an issue
• Teach IT support staff to work with business staff in departments
• Teach purchasing staff to spot PCI in agreements
• Teach legal department PCI-relevant requirements (sequential contract review)
• Teach merchants what is a PCI-relevant change
• Teach merchants about associated technologies (VOIP, fax, wireless, email etc.)
• Reach a consensus on what the 3.0 changes to the standard mean. How to communicate this change and to whom?
• Teach to write and update workflows
• Teach incident response
• Other merchant responsibilities


Key Business Processes

• Maintaining PCI compliance is not a one time project:
  ◦ PCI compliance is an ongoing process from on-boarding new merchants to closing down accounts and every day changes in between
• Annual assessment of existing merchants – best done in person with IT and business staff
• Try to “centralize and standardize” infrastructure and business processes
• Reinforce standardized processes through repetition in training events and in-person visits
• Bare bones web-frontends for the payment process to minimize the risk of security holes
• Assessing service providers
• Monitor physical security (data centers & elsewhere)


Service Provider Reduction

• Can proliferate if not strictly controlled
• Focus on Service Provider Level 1 (>100K) – listed at VISA web site
• SP Level 2 – university is responsible for their compliance
• Look for commonalities in applications
  ◦ Conference/event management (NCSU 57%)
  ◦ Storefronts (NCSU 10%)
  ◦ Giving (NCSU 19%)
  ◦ Mobile devices
• Outsource as much as possible – e.g. Touchnet


What next? / Future plans

• Include more local Higher Ed institutions
• Meet to discuss PCI DSS v3.0
• CDE is top priority
• Something new pops up all the time
• Shift to more focused meetings, such as scoping and CDE planning.


Conclusions

• Unique challenges for .edu’s because of the federated environment
  ◦ Like all merchants in a small town combined
• PCI DSS was not written with higher education institutions in mind
  ◦ Most resources, such as best practices or whitepapers, are often geared towards corporations usually with just a few merchant profiles
  ◦ Simplify, standardize and outsource merchant implementations as much as possible
• Collaboration of .edu’s is a good way to create a knowledgebase within the UNC system universities to tackle PCI DSS


References

• OSC – State Electronic Commerce Program – http://www.ncosc.net/SECP/index.html
• UNC-CH CERTIFI – http://finance.unc.edu/files/2013/02/charter_certifi.pdf
• UNC-CH Finance policies – http://financepolicy.unc.edu/policy-procedure/308-credit-card-merchant-services/
• NCSU REG 07.30.23 – Payment Card Merchant Services | Policies
• NCSU Cash Receipts and Credit Card Procedures
• PCI Security Standards Council – https://www.pcisecuritystandards.org/
• Treasury Institute for Higher Education – http://www.treasuryinstitute.org/
• Treasury Institute blog – http://treasuryinstitutepcidss.blogspot.com/
• PCI Guru – http://pciguru.wordpress.com/


Questions?


UNC Cause Proposal: PCIDSS compliance made easier through collaboration between NC State and UNC-Chapel Hill

Abstract: Both NC State and UNC Chapel Hill host a significant number of merchants involved in eCommerce on campus and are therefore bound by the Payment Card Industry Data Security Standard (PCIDSS). To facilitate achieving PCIDSS compliance, the universities have started regular meetings to discuss the eCommerce environment on both campuses and to determine how to most efficiently work towards remediating any compliance gaps. The meetings have revealed significant overlap in the eCommerce landscape as well as similarities in what each university sees as major issues towards achieving compliance.

The university environment and background: NC State and UNC-Chapel Hill are both large research universities that have more than 100 merchants involved in eCommerce. Merchants cover the range of self-assessment questionnaires (SAQ) from SAQ-A through SAQ-D and employ a number of third party software packages to process payments. Even though the primary payment gateway selected by each university differs, the third party software selected by larger merchants often overlaps, as do services administered by the Office of the State Controller.

Merchant environment: The eCommerce landscape at many universities will have a number of similar merchants, such as book store, athletics, alumni giving, dining and a conference center. These similarities often lead to identical third party software being deployed and similar questions when assessing third party compliance. In this context, oversight of service providers for campus merchants may pose significant problems as well as risks to universities under PCIDSS requirement 12.8. A summary of major software by merchants will be presented as well as the compliance issues involving service providers that have arisen at both universities.

Technical challenges: One of the main technical challenges faced by both universities involves creating a highly structured cardholder data environment (CDE) that contradicts in many ways the open environment traditionally associated with universities. Additional challenges involve software selection for handling log management, file integrity monitoring and remote authentication to in-scope devices. The presentation will involve proposals by either university on how to generate a CDE and which challenges are faced by the IT staff.

Future plans: So far the meetings have been limited to NC State and UNC Chapel Hill, but we have already gotten a request from another university in the triangle to join. Having established the status quo of eCommerce at both universities, we will shift towards more focused meetings as we proceed on closing remaining PCIDSS gaps at either university.

Conclusion: The unique challenges involved in ensuring compliance in a federated environment such as a large research university can seem overwhelming at times since PCIDSS was not written with higher education institutions in mind and best practices or whitepapers are also often geared towards highly standardized merchants, such as national chain stores. This effort started by NC State and UNC Chapel Hill has provided important insights already and could be a model for
