ECommerce and PCI DSS at University of Waterloo

  • Slides: 17
Download presentation
E-Commerce and PCI DSS at University of Waterloo Web Advisory Committee June 17, 2009

E-Commerce and PCI DSS at University of Waterloo Web Advisory Committee June 17, 2009

Agenda � Implementing E-commerce at UW � Current Status and Future Plans � PCI

Agenda � Implementing E-commerce at UW � Current Status and Future Plans � PCI Data Security Standard � Questions

Implementing A UW E-Commerce Site � Prepare an e-commerce business plan. � Obtain approval

Implementing A UW E-Commerce Site � Prepare an e-commerce business plan. � Obtain approval from Financial Systems Mgmt. Committee. � Organize project. � Obtain bank merchant account & Beanstream account. � Design/build application or install packaged application or configure hosted application according to standards (PCI, Bank, UW). � Integrate with Beanstream if not hosted. � Test. � Review/signoff by Finance and Security. � Go – live.

Business Plan Content � � � � Describe the products or services to be

Business Plan Content � � � � Describe the products or services to be offered and the rationale for offering them via e-commerce. Provide estimated annual transaction and dollar volume. Describe the business process to handle the additional workload from the e-commerce function, including the accounting, maintenance, and reconciliation of general ledger accounts and the credit card operation. Indicate whether the operation currently accepts credit cards. Identify the hardware requirements and hardware location. Identify the source of technical support. Identify areas or departments that need to be involved in the development and implementation of your e-commerce initiative; examples may include Finance, Information Systems and Technology, or Procurement and Contract Services. Identify the working group to develop the initiative.

E-Commerce Site Development � Must use Beanstream for credit card processing. � Beanstream provides

E-Commerce Site Development � Must use Beanstream for credit card processing. � Beanstream provides multiple integration methods. � UW uses Beanstream’s hosted payment page to ensure security, privacy, and for easier PCI compliance. No credit card information is stored on a UW server. � IST provides an e-commerce server to host Linux applications. � Use of other, secure servers is acceptable.

Using Hosted Applications for UW E-commerce �May use a hosted shopping cart / event

Using Hosted Applications for UW E-commerce �May use a hosted shopping cart / event management site. Little experience with this at UW. �Must use Beanstream for credit card payment processing in all cases.

UW E-commerce Sites � Retail Services � Housing ◦ Residence deposits ◦ Off campus

UW E-commerce Sites � Retail Services � Housing ◦ Residence deposits ◦ Off campus housing landlord fees � Watcard � Parking � CEMC � Events and conferences come and go

The Future UW E-commerce Sites Coming �Continuing Education �Conference Centre �Food Services

The Future UW E-commerce Sites Coming �Continuing Education �Conference Centre �Food Services

The Future UW approved site hosting services � UW approved, hosted shopping cart system.

The Future UW approved site hosting services � UW approved, hosted shopping cart system. � UW approved, hosted event/conference system. � Hosting will significantly reduce implementation effort for all UW participants. � Will make small volume e-commerce sites more feasible.

What is PCI? � PCI = Payment Card Industry (Amex, Discover, JCB, MC, Visa)

What is PCI? � PCI = Payment Card Industry (Amex, Discover, JCB, MC, Visa) � PCI Data Security Standard (DSS) � PCI DSS v 1. 2 released October 2008 � 72 page document � Consistent security measures around the processing, storage, and transmission of credit card data � A nice baseline of security measures for any application

Compliance: What does it take? � Depends on how credit card data is handled

Compliance: What does it take? � Depends on how credit card data is handled � SAQ = Self Assessment Questionnaire � Assessment from an external QSA � Regular network scans of ecommerce sites SAQ Validation Type Description SAQ: V 1. 2 1 Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. A 2 Imprint-only merchants with no electronic cardholder data storage B 3 Stand-alone terminal merchants, no electronic cardholder data storage B 4 Merchants with POS systems connected to the Internet, no electronic cardholder data storage C 5 All other merchants (not included in Types 1 -4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. D

PCI DSS @ UW � Our acquirer requires us to be compliant with PCI

PCI DSS @ UW � Our acquirer requires us to be compliant with PCI DSS � All validation types apply to UW � Security measures for validation type 5 are expensive � Strategy: Eliminate cases where validation type 5 apply

Compliance Strategy � E-commerce websites must not collect, transmit or store credit card information

Compliance Strategy � E-commerce websites must not collect, transmit or store credit card information � Reduce scope: Isolate IP-based Po. S terminals from the rest of the campus network � Include in more general security policies and procedures

Penalties for non-compliance � Heavy fines from the acquiring bank � Bank could suspend

Penalties for non-compliance � Heavy fines from the acquiring bank � Bank could suspend the University’s ability to process any credit card

Links � http: //finance. uwaterloo. ca/ecommerce/ecommain. ht ml � https: //www. pcisecuritystandards. org/security_standa rds/pci_dss.

Links � http: //finance. uwaterloo. ca/ecommerce/ecommain. ht ml � https: //www. pcisecuritystandards. org/security_standa rds/pci_dss. shtml � https: //strobe. uwaterloo. ca/~twiki/bin/view/ISTITSec/ Ecommerce. System. Security. Standards

Questions ? ? ?

Questions ? ? ?

DSS 20081217 DSS 20081217 DSS 20081217 DSS 20081217DSS 20081217 DSS 20081217 DSS 20081217 DSS 20081217
DSS DSS DSS The DSS Influencing the developmentDSS DSS DSS The DSS Influencing the development
DSS SRL Bolivia DSS SRL www dss comDSS SRL Bolivia DSS SRL www dss com
DSS Training Material DSS Installation Training Module DSSDSS Training Material DSS Installation Training Module DSS
PCI DSS The Payment Card Industry PCI DataPCI DSS The Payment Card Industry PCI Data
PCI Tutorial Agenda PCI Fundamentals w PCI LocalPCI Tutorial Agenda PCI Fundamentals w PCI Local
PCIPeripheral Component Interconnect n PCI AGP PCI PCIPCIPeripheral Component Interconnect n PCI AGP PCI PCI
Facilitated PCI rescue PCI Dolly mathew Primary PCIFacilitated PCI rescue PCI Dolly mathew Primary PCI
Waterloo Aerial Robotics Group WARG Mandate The WaterlooWaterloo Aerial Robotics Group WARG Mandate The Waterloo
Peer Mediation At Waterloo School Nic Lawson WaterlooPeer Mediation At Waterloo School Nic Lawson Waterloo
Ecommerce Law Crime and ecommerce Crime and ecommerceEcommerce Law Crime and ecommerce Crime and ecommerce
SelfInspection and the DSS Security Review Process DSSSelfInspection and the DSS Security Review Process DSS
ECommerce 1 Ecommerce Describe ECommerce Identify benefits andECommerce 1 Ecommerce Describe ECommerce Identify benefits and
DSS A DSS is a methodology that supportsDSS A DSS is a methodology that supports
Defense Security Service DSS Update DSS Changing WithDefense Security Service DSS Update DSS Changing With
1 Data Warehouse DSS EIS DSS Data Warehouse1 Data Warehouse DSS EIS DSS Data Warehouse