Credit Card Support Program
Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution
EDUCAUSE Midwest Regional Conference, March 17, 2008
Property of the University of Notre Dame

Agenda
• PCI DSS Background
• Notre Dame’s Environment
• Payment Card Environment Design
• Networking Infrastructure
• Deployment: Departments and Decentralized IT

PCI DSS History
The card brands’ individual programs converged into one standard:
• Visa Cardholder Information Security Program (CISP)
• Mastercard Site Data Protection Program (SDP)
• Discover Information Security Compliance Program (DISC)
• American Express Data Security Standard (DSS)
→ Payment Card Industry Data Security Standard (PCI DSS)

Introducing the Digital Dozen
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Who Must Comply?
• “Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.”
• “Additionally, these security requirements apply to all system components, which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.”
That probably means you.

Merchant Levels
Level | Description
1     | Any merchant who processes over 6,000 transactions annually, or any merchant designated Level 1 by Visa
2     | Any merchant who processes between 1,000 and 6,000 transactions annually
3     | Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually
4     | Anyone else

Merchant Levels
• All merchants, regardless of level, must comply with all elements of the PCI DSS standard!
• Merchants at different levels have different validation requirements

Consequences
• Reputational Risk
  – What will the impact be on your institution’s brand?
  – Mandatory involvement of federal law enforcement in the investigation
• Financial Risk
  – Merchant banks may pass on substantial fines
  – Up to $500,000 per incident from Visa alone
  – Civil liability and the cost of providing ID theft protection

Consequences
• Compliance Risk
  – Exposure to Level 1 validation requirements
• Operational Risk
  – Visa-imposed operational restrictions
  – Potential loss of card processing privileges


Notre Dame’s Environment, Circa 2006
• Over 70 merchant accounts, 15 applications
• No central oversight
• One day all of that changed…


Notre Dame’s Approach
• Conducted a risk assessment in conjunction with a PCI consulting firm
• From that, launched a credit card security program
  – First Goal: Minimize on-campus card processing
  – Second Goal: Migrate existing systems to a dedicated, isolated network
• First, reduce our footprint, and then secure that footprint to the greatest degree possible


Design: ND’s PCI Architecture
(architecture diagram)

System and Security Components
• Firewall and VPN
• Two-factor authentication to infrastructure
• Tripwire server integrity assurance
• Juniper IDS
• POS clients and servers
• Infrastructure – NTP, DC, ePO, monitoring, KVM, central logging, etc.
• Device configuration standards

Firewall and IDS Design
• Firewall isolates all PCI traffic
• Single external physical interface
• Single internal interface with multiple VLANs
• Zones organized by function
• Some special zones for campus systems
• Remote sites connected through VPN concentrator
• Passive IDS (tried IPS) monitors all internal traffic

Sidewinder Firewall
• Application proxy firewall
• Default deny inbound and outbound
• Group-based VPN, access restricted by job function
• Least privilege rule base
• All access explicitly controlled

Key Internal Zones
(zone diagrams)


Isolating Systems
(isolation diagrams)



Network Design
From the PCI Standards Document:
1. Encryption of data over open, public networks
2. Follow change control procedures
3. Review logs for all system components daily

Challenges
Encryption of data over open, public networks.
• Required over ‘secure’ VLANs?

Challenges
Follow change control procedures.
  – Initial design thoughts incorporated ‘secure’ VLANs presented at each endpoint on campus.
  – This would have involved implementing change control on more than 150 network devices, including access layer switches.
Review logs for all system components daily.
  – On more than 150 devices?
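Daily review of every in-scope component only works if central logging actually receives something from each of them, so the first check of the day is coverage: which inventoried devices sent nothing in the last 24 hours, and which unknown hosts are sending into the PCI log server. The script below is an added example, not from the presentation or from Notre Dame; the inventory, hostnames, log format and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory of in-scope PCI devices (hypothetical hostnames).
PCI_INVENTORY = {"fw-pci-01", "ids-pci-01", "vpn-conc-01",
                 "pos-srv-01", "dc-pci-01", "ntp-pci-01"}

# Constructed central-syslog sample: "<ISO timestamp> <host> <message>".
SAMPLE_LOG = """\
2008-03-16T09:12:01 fw-pci-01 policy: accept tcp zone=pos dst=pos-srv-01:443
2008-03-16T22:40:19 ids-pci-01 ids: signature match, passive sensor
2008-03-17T02:03:44 vpn-conc-01 ike: tunnel up peer=remote-site-07
2008-03-17T07:55:10 pos-srv-01 app: batch settlement complete
2008-03-17T08:00:00 unknown-host-99 sshd: session opened for admin
2008-03-15T23:59:59 dc-pci-01 ntds: replication ok
"""

# Time at which the daily review is run (constructed for the sample).
REVIEW_TIME = datetime(2008, 3, 17, 9, 0, 0)

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_syslog(text):
    """Return {host: newest timestamp seen} for the sample log format."""
    latest = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the review
        ts, host = datetime.fromisoformat(m.group(1)), m.group(2)
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest


def log_coverage(text, inventory, now, window=timedelta(hours=24)):
    """Flag inventoried devices with no log line inside the window (logging gap)
    and hosts that log but are not in the inventory (scope or asset drift)."""
    latest = parse_syslog(text)
    silent = sorted(h for h in inventory
                    if h not in latest or now - latest[h] > window)
    unlisted = sorted(h for h in latest if h not in inventory)
    return {"silent": silent, "unlisted": unlisted}


if __name__ == "__main__":
    print(log_coverage(SAMPLE_LOG, PCI_INVENTORY, REVIEW_TIME))
```

A non-empty "silent" list means the daily review cannot be complete for those components; a non-empty "unlisted" list means the asset inventory and the logging scope have drifted apart.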

Devices Requiring Change Control with ‘Secure’ VLAN
(network diagram)

Our Solution: Remote Site VPNs
• Utilizes a Cisco 3015 VPN concentrator with Cisco 851 VPN routers for endpoints.
• Extends the PCI network where we need it.
• We provide user subnet space based on customer need:
  – Stand-alone credit card terminals
  – POS devices
  – Single-use computers

Additional Benefits of VPN
• The VPN tunnel provides a secure method of managing network devices.
• Provides a means of remote access for system administrators.
• Fewer devices to manage.
• Provides for easier additions to the PCI network.


Deployment: Departments and Decentralized IT

Two Types of Support
• Central IT
  – Fewer technical users.
  – Existing payment solutions are often inherited.
  – Responsibility for the payment system is often not clearly defined.
• Departmental IT
  – Internal processes and procedures.
  – Often very small staff, broad responsibilities.
  – Payment solutions are often provided by external vendors.
  – Responsibility for the payment system is often inherited.

Existing Systems
• Food Services
  – Many terminals
  – Other services blended in: vending machines, food service displays, and campus “Domer Dollars”
  – Many locations
  – Blend of commercial and custom software
  – Departmental IT
• Theater Ticketing and Events
  – Single location
  – Mobile and static workstations
  – Web driven
  – Single commercial software package
  – Only standard transactions
  – Central IT

Deployment Steps
• Review existing architecture
• Design solution
• Build required resources
• Test
• Migrate into production
  – Often in phases
  – Often unexpected hurdles due to legacy systems and applications

Challenges
• Process: creating a controlled system for adding new systems and handling changes.
• Lack of vendor documentation of protocols – many large high-port groupings, reliance on local broadcast for discovery, etc.
• Split system administration.
• DR for systems designed without DR capabilities.

Lessons Learned
• Review vendor documentation and the current implementation.
  – Historic designs are often still in use.
• Dataflow diagrams are crucial.
• Provide a fast troubleshooting process and a defined support team.
• Provide a single point of responsibility, with backup, for migrations.

Questions