
LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE



  1. LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE The University of Western Ontario & McMaster University’s Experiences June 7th, 2011

  2. Agenda • Introductions • What is PCI and Why is it Important? • Lessons Learned • What Lies Ahead?

  3. Introductions • Sharon Farnell, Director, Internal Audit – The University of Western Ontario • Stacey Farkas – Supervisor, Financial Reporting – McMaster University • Tim Russell – Project Manager, University Technology Services – McMaster University

  4. Introductions • Western • 2010 - $27million in credit card sales • 2011 - $31million in credit card sales • 60 merchants • McMaster • 2010 - $24million in credit card sales • 2011 - $25million in credit card sales - $ 16 million in INTERAC ONLINE transactions • 58 merchants

  5. What is PCI? PCI DSS: Payment Card Industry Data Security Standard. A standard maintained by the PCI Security Standards Council, founded by the card brands (Visa, MasterCard, American Express, Discover and JCB), to protect cardholders. The PCI data security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data. EVERY merchant is required to be in compliance with these standards, regardless of transaction volume.

  6. What is PCI? There are 12 requirements, grouped into six categories, for PCI DSS compliance: Build and Maintain a Secure Network (req. 1 & 2); Protect Cardholder Data (req. 3 & 4); Maintain a Vulnerability Management Program (req. 5 & 6); Implement Strong Access Control Measures (req. 7, 8 & 9); Regularly Monitor and Test Networks (req. 10 & 11); Maintain an Information Security Policy (req. 12)

  7. Merchant Levels

  8. Merchant Levels

  9. Merchant Types • The PCI Security Standards Council separated out merchant types and introduced a Self Assessment Questionnaire (SAQ A, B, C or D) for each type in 2008

  10. Why is PCI Compliance Important? • FINANCIAL RISK • fines from payment processor and/or credit card companies • costs to notify cardholders • repayment of fraudulent charges incurred by end consumer • audit costs by PCI assessor • LOSE THE ABILITY TO PROCESS CREDIT CARDS – CAMPUS WIDE • REPUTATIONAL RISK! • OPPORTUNITY TO ENHANCE SECURITY/IT BEST PRACTICES

  11. Our PCI ‘Approaches’ • Western • Central approach to Self Assessment Questionnaires (SAQs). • McMaster • Centralized management with Individual merchant responsibilities

  12. Lessons Learned 1: Collaboration of stakeholders is key 2: Identify your PCI Scope and environment 3: Minimize Local Payment Processing 4: Centralized Merchant Approval Process 5: Audit Considerations 6: Don’t underestimate your time 7: Breach Escalation process 8: Centralized approach to PCI DSS Self Assessment Questionnaires 9: Include PCI compliance in the RFP and Purchasing Process 10: Funding: Who Pays for this? 11: It’s a learning Journey 12: Risk Management Strategies

  13. Lesson 1: Collaboration of Stakeholders is Key • Western: Central Bank Card Committee • Financial Services, Internal Audit, IT, Campus Department Representatives • Chaired by AVP, Financial Services • McMaster: PCI Steering Committee • Financial Services, IT, Key Departments, Internal Audit • Chaired jointly by AVP Administration and CIO

  14. Lesson 2 :Identify your PCI Scope and Environment • Western • Pre-RFP Review – Evaluate Environment • IT Code Review • Interviewed all campus departments • McMaster • Had a PCI GAP analysis completed in 2008 • Helped us to focus on high risk areas within the 12 requirements – action plan via PCI Steering Committee

  15. Lesson 3: Minimize Local Payment Processing • Western • Campus merchants are required to use Western’s internal Payment Page • Currently migrating to an external (hosted) Pay Page solution • McMaster • Steer merchants to Hosted Pay Page solutions, so cardholder data is entered on the payment provider's page and never reaches campus systems • Place compliance on the software vendors • Moving merchants from SAQ D to SAQ A – less risk and a much smaller scope

  16. Lesson 4: Centralized Merchant Approval Process • Western • New e-commerce merchants must be approved by Bank Card Committee • PCI Compliance is a requirement • McMaster • Upfront Approval Process – new merchants must meet PCI DSS requirements before a merchant number is issued • Merchants can be suspended if not in compliance

  17. Lesson 5: Audit Considerations • Western • Limited Scope – Lower Costs • Important for Auditor to apply PCI to a University setting • Consistency of Auditor key • Demonstration of Compliance • McMaster • Pre-audit in 2008 – helped to limit scope • Focus on individual (SAQ D) merchants

  18. Lesson 6: Don’t Underestimate Your Time • Western • Six months became 2+ years • IT Resources – Significant Impact – Documentation • Have people to help keep on track • McMaster • Committee commenced work in 2006, still on-going • Education and clarification of requirements took a long time

  19. Lesson 7: Breach Escalation Process • Western • An incident response plan is a requirement of PCI DSS (req. 12) • Took time to get it ‘right’ • McMaster • Developing protocols for front-line workers and internal response • Escalating communication plan dependent on nature of the breach

  20. Western Breach Protocol (flowchart, recovered as text)
  Types of breaches: 1. Receipts compromised; 2. POS compromised; 3. Electronic client data compromised; 4. Missing items; 5. Technical breach; 6. Unauthorized wireless device
  Legend: IPO – Information Privacy Office; UWO IT – Western Information Technology; NSO – Network Security Officer (CISO); CISO – Campus Information Security Officer; Moneris – corporate payment processor
  • Perceived breach: the USER acts fast – contain the damage, preserve evidence, do NOT access the compromised system.
  • Device theft or device tampering (types 1, 2, 3, 5): user calls UWO Police (x911). Police engage a criminal investigation and inform the NSO. User ascertains risk and notifies accordingly; transactional items are put on stop or alert with Moneris (1-866-319-7450).
  • Missing files, machine or data (type 4): ITS is the initiator and contacts UWO NSO / IT Security (519 661 3800, nso@uwo.ca). NSO/CISO assesses data risk and contains, then notifies IPO and Finance; transactional items are put on stop or alert with Moneris (1-866-319-7450).
  • UWO Finance (x85432, finance@uwo.ca) assesses financial risk, notifies the NSO on data, and notifies vendors for transactional items.
  • UWO IPO (x84541, privacy.office@uwo.ca) interfaces with NSO, Legal and Communications if privacy is at risk. After risk assessments and vendor notification, UWO Legal (x84217, jarrett@uwo.ca) is informed by IPO if necessary, and UWO Communications is engaged.

  21. Lesson 8: Centralized Approach to Self Assessment Questionnaires • Western • Created own internal SAQ to be filled out by departments • Fill out SAQ for the university as a whole centrally • McMaster • Each merchant is responsible for filling out its PCI SAQ • SAQ questionnaires now automated through on-line submission • 3rd party company for both SAQ submission and quarterly vulnerability scanning

  22. Lesson 9: Include PCI Compliance in the RFP & Purchasing Process • Western • Push your knowledge to external partners / vendors • McMaster • Smaller companies weren’t always aware of PCI compliance • Integrated into Policy and Purchasing documents

  23. Lesson 10: Funding – Who Pays for This? • Western • Funded centrally • McMaster • Yearly internal Merchant ‘PCI Levy’ • Base charge plus volume based charge with caps • Essentially covers the cost of 1 FTE in IT and 0.5 in Financial Services • Now also covers cost of 3rd party assessor

  24. Lesson 11: It is a Learning Journey • Western • PCI Changes – Helps to have ‘experts’ • McMaster • On-going changes: the risks change, therefore the compliance also changes • Adapt to new business processes • Learning journey for software vendors as well

  25. Lesson 12: Risk Management Strategies • Both Universities: • Governance and oversight • Third-party assessors and PCI advisors • Pro-active compliance by doing more than required • Migration to Hosted Payment Page • Required annual merchant training

  26. What Lies Ahead? • Western: • Keep ahead of PCI – change approaches as you go • McMaster: • Monthly, quarterly and annual activities, based on merchant type • PCI Security Standards Council • Three year lifecycle for standard revisions • Now possible for internal auditors to be certified to conduct PCI assessments (the Internal Security Assessor program)

  27. References • PCI Security Council: • https://www.pcisecuritystandards.org/index.shtml • University of Western Ontario: • http://commerce.uwo.ca/index.html • McMaster University: • http://www.mcmaster.ca/bms/BMS_FS_Payment_Card.htm

  28. Thank you!/ Merci! Contact Information: Sharon Farnell sfarnell@uwo.ca Stacey Farkas farkas@mcmaster.ca Tim Russell trussel@mcmaster.ca
