Payment Card Industry Data Security Compliance




  Working Group Project Kickoff

            March 2006
             Agenda

• Objective
    –   Background
    –   Project goals
    –   Scope
    –   Visa Standards
    –   Payment Gateways (Verisign)
    –   Network Configuration
    –   Remediation Strategies
    –   Approach
    –   Milestones




 2/21/2010                        PCI Project   2
              PCI Background

• December 2004 - VISA and MasterCard joined forces to
  expand their security standards, calling them the Payment Card
  Industry Data Security Standards (PCIDSS) and releasing
  version 1.0 of the combined standard
• 12 technical requirements
   – Impact policies and procedures, application software, hardware, firewalls,
     network infrastructure and authentication methods
   – Annual audits and quarterly network scans by certified PCI assessors are required,
     depending on transaction volume
• Fines up to $500,000 per incident if credit cards are disclosed
  and you are not compliant
• Original compliance date was June 2005 which was
  unreasonable for most institutions to meet. Our new self-
  imposed compliance date is December 2006.

                Project Scope


•   Planning Assumptions
     –   Leverage existing investment in current 3rd party credit card processor (Verisign)
     –   Minimize cost of compliance
     –   Cost of compliance will be borne by the school/center owning the merchant account
     –   This project will be fast tracked to minimize risk and cost
•   Project Organization (see appendix A for org chart)
     – The project will be jointly sponsored by the Treasurer’s Office in the Division of Finance,
       Information Systems and Computing (ISC) and the Office of General Counsel under the
       leadership of Scott Douglass, Robin Beck and Wendy White.
     – The project will be managed jointly by Michael Harris of the Office of the Executive Vice
       President and Bill Kasenchar from ISC.
     – A core team from Treasurer’s, EVP, OGC and ISC will work to identify and recommend
       options to meet compliance and establish policy.
     – A working team represented by schools and centers will vet remediation strategies and aid
       in the creation and implementation of the recommended solution
     – Every school or center who owns a merchant account must have a representative on the
       working team
•   UPHS is performing a parallel effort under the direction of Andrew DeVoe
    (UPHS Treasurer and CFO)

                   Visa’s Categorization of Merchants

Merchant levels defined

Acquirers are responsible for determining the compliance validation levels of their merchants. All merchants will fall into one of the four merchant levels based on annual Visa transaction volume. The transaction volume is based on the aggregate number of Visa transactions from a Doing Business As (DBA) or a chain of stores (not of a corporation that has several chains). Merchant levels are defined as:

• Level 1
   – Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
   – Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
   – Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
   – Any merchant identified by any other payment card brand as Level 1.
• Level 2
   – Any merchant processing 150,000 to 6,000,000 Visa e-commerce transactions per year.
• Level 3
   – Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.
• Level 4
   – Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6,000,000 Visa transactions per year.

Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.

Level   | Validation Action                             | Validated By                                                                    | Due Date
1       | Annual On-site PCI Data Security Assessment   | Qualified Data Security Company, or Internal Audit if signed by an Officer of the company | 9/30/2004
1       | Quarterly Network Scan                        | Qualified Independent Scan Vendor                                               | 9/30/2004
2 and 3 | Annual PCI Self-Assessment Questionnaire      | Merchant                                                                        | 6/30/2005
2 and 3 | Quarterly Network Scan                        | Qualified Independent Scan Vendor                                               | 6/30/2005

                                  We are currently out of compliance
              Project Goals

• Achieve PCI compliance across all schools and centers for all
  of Penn’s active merchant accounts
   – Consolidate or retire low volume merchant accounts
         • Coordinate with Business Services to determine feasibility and project
           direction for a centralized events/conference service
   – Establish central compliance strategy to reduce cost of compliance and
     exposure to the University.
• Create/Edit policies required to support data security standards
  and PCI compliance
• Coordinate with Schools or Centers to identify third party
  business affiliates using Penn merchant accounts (Verisign,
  Apply Yourself, JSA, etc.) to validate their PCI compliance
• Validate that any third party payment processor, used in
  conjunction with online transactions, are PCI compliant


              Scope of Standards

• These Payment Card Industry (PCI) Data Security
  Requirements apply to all Members, merchants, and service
  providers that store, process or transmit cardholder data.
• These security requirements apply to all “system components”
  which is defined as any
   – Network component
         • include, but are not limited to, firewalls, switches, routers, wireless access
           points, network appliances, and other security appliances
   – Server
         • include, but are not limited to, web, database, authentication, DNS, mail,
           proxy, and NTP
   – Application included in, or connected to, the cardholder data
     environment.
         • include all purchased and custom applications, including internal and
           external (web) applications.

                Data Security Standards

•   Build and Maintain a Secure Network
     – Requirement 1: Install and maintain a firewall configuration to protect data
      – Requirement 2: Do not use vendor-supplied defaults for system passwords and other
        security parameters
•   Protect Cardholder Data
     – Requirement 3: Protect stored data
      – Requirement 4: Encrypt transmission of cardholder data and sensitive information across
        public networks
•   Maintain a Vulnerability Management Program
     – Requirement 5: Use and regularly update anti-virus software
     – Requirement 6: Develop and maintain secure systems and applications
•   Implement Strong Access Control Measures
     – Requirement 7: Restrict access to data by business need-to-know
     – Requirement 8: Assign a unique ID to each person with computer access
     – Requirement 9: Restrict physical access to cardholder data
•   Regularly Monitor and Test Networks
     – Requirement 10: Track and monitor all access to network resources and cardholder data
     – Requirement 11: Regularly test security systems and processes.
•   Maintain an Information Security Policy
     – Requirement 12: Maintain a policy that addresses information security


                  Payment Gateway

•       The payment gateway stores, processes and/or transmits cardholder data
•       Verisign is Penn’s gateway vendor
•       Two basic architectures
        –   External from the application: Verisign Payflow Link
              • The shopper is sent to the gateway’s hosted payment page, so card data is
                collected outside of Penn and the burden of a secure environment is placed
                on the gateway vendor
              • Our PCI initiative must ensure that the vendor maintains compliance
        –   Integral to the application: Verisign Payflow Pro
              • The application itself collects the card data and submits it to the gateway,
                so the burden of a secure environment is placed on the hosting provider
              • Our PCI initiative must ensure that the hosting facility maintains
                compliance




    •       Reference - Protect Cardholder Data
             – Requirement 3: Protect stored data
             – Requirement 4: Encrypt transmission of cardholder data and sensitive information across
                public networks
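The scoping difference between the two architectures is easiest to see in code. The following Python is an added illustration, not code from this deck and not the Verisign Payflow API: the gateway URL, the redirect field names, the FakeGateway class and the logger name are assumptions made for the example. In the hosted-page shape the application only builds a redirect and never touches a card number; in the integrated shape the application’s own form handler receives the full PAN, so that host, its logs and its database are all in scope, and the code has to keep only what Requirement 3 permits (a masked PAN and the gateway’s reference) and keep the PAN out of its own logs (Requirement 10 wants the access logged, not the card number).

```python
"""Two gateway integration shapes and what each one puts in PCI scope.

Added illustration, not Penn's code and not the Verisign Payflow API: the
gateway URL, the redirect field names, FakeGateway and the logger name are
assumptions made for this example.
"""
import logging
import re
from dataclasses import dataclass
from urllib.parse import urlencode

# Anything that looks like a 13-19 digit number; good enough to keep a PAN out
# of a log file, which is itself stored data under Requirement 3.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def mask_pan(pan):
    """Keep only the first six and last four digits, the most that may be
    displayed or stored in the clear."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class PanScrubber(logging.Filter):
    """Log filter: render the message, then mask any PAN before a handler
    writes it."""

    def filter(self, record):
        record.msg = PAN_RE.sub(lambda m: mask_pan(m.group()), record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the example can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_scrubbed_logger(name="payments"):
    """Logger whose single handler masks PANs; returns (logger, captured lines)."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.addFilter(PanScrubber())
    logger.handlers = [handler]
    return logger, handler.lines


# Shape 1: external from the application (hosted payment page, Payflow Link style).
def hosted_checkout_redirect(gateway_url, merchant_id, order_id, amount_cents, return_url):
    """Build the redirect that sends the shopper to the gateway's own page.
    The card form is served and submitted there, so this server only handles
    the order id, the amount and whatever result the gateway posts back:
    no cardholder data crosses it. Field names are hypothetical."""
    params = {
        "merchant": merchant_id,
        "order": order_id,
        "amount": f"{amount_cents / 100:.2f}",
        "return": return_url,
    }
    return f"{gateway_url}?{urlencode(params)}"


# Shape 2: integral to the application (server-side API, Payflow Pro style).
@dataclass
class PaymentRecord:
    order_id: str
    masked_pan: str    # never the full PAN
    gateway_ref: str   # the gateway's reference is what later refunds use


class FakeGateway:
    """Stand-in for the processor's API; returns a reference id. Hypothetical."""

    def __init__(self):
        self.calls = []

    def authorize(self, pan, exp, cvv, amount_cents):
        self.calls.append(amount_cents)
        return f"REF{len(self.calls):06d}"


def direct_payment(form, gateway, store, log):
    """The application's own form handler receives the full card number, so
    this host, its logs and its database are all in scope. Keep only what may
    be stored: the masked PAN and the gateway reference. The CVV is passed
    through to the gateway and never written anywhere."""
    pan = form["card_number"]
    log.info("authorizing order %s with card %s", form["order_id"], pan)
    ref = gateway.authorize(pan, form["exp"], form["cvv"], form["amount_cents"])
    record = PaymentRecord(form["order_id"], mask_pan(pan), ref)
    store.append(record)
    return record
```

Two caveats apply to either shape. The hosted-page redirect must never carry card data itself, and the result the gateway posts back still has to be verified before an order is marked paid. The integrated shape additionally has to reach the gateway over TLS (Requirement 4) and keep the masked record, not the PAN, in the database.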
            Secure Network Diagram

[Diagram: “Secure Network Per PCI Standards”. Components shown: Internet, PennNet, Web Servers (reachable on port 80/443), App Server, FTP server and Database servers; the links between PennNet and the servers, and between the servers themselves, are labelled VPN.]

•   Reference - Build and Maintain a Secure Network
     – Requirement 1: Install and maintain a firewall configuration to protect data
              Proposed Remediation Strategies for Web Based
              Applications

• Option 1 – Modify Penn-built or custom-built applications to use PayFlow Link
   – Annual audit still required to maintain compliance
   – Payflow Link provides a means for payment data to be collected outside of Penn
   – Making the switch requires a code change, and you have to validate that all
     historical cardholder data is purged
• Option 2 – Third party applications
   – Secure hosting by the vendor
         • Ensure that the vendor is PCI compliant
         • Amend contracts to reflect continued compliance
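“Validate that all historical data is purged” is a concrete check, and it is the same check schools and centers need for the self-assessment step of finding systems that still hold card data. The scanner below is an added example, not Penn’s tooling: it pulls every 13 to 19 digit run out of text, drops anything without a known issuer prefix and length, and then applies the Luhn check so that timestamps, session ids and order numbers do not show up as findings. The sample log and CSV are constructed and use industry test card numbers; each finding carries a masked PAN so the report itself does not become stored cardholder data.

```python
"""Find stored primary account numbers (PANs) in files and logs.

Added example, not Penn's tooling. The sample log and CSV below are
constructed, using industry test card numbers. Findings carry a masked PAN
so the report itself does not become stored cardholder data.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source line brand masked_pan")

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes and lengths; these cut most timestamp/session-id false positives.
BRANDS = (
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("MasterCard", re.compile(r"^5[1-5]\d{14}$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^6011\d{12}$")),
)


def luhn_ok(digits):
    """Luhn check digit test; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """First six and last four only, the most that may be displayed in the clear."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(digits):
    """Return the issuer name for a digit string, or None if no brand pattern fits."""
    for name, pattern in BRANDS:
        if pattern.match(digits):
            return name
    return None


def scan_text(source, text):
    """Return a Finding for every candidate that has a known issuer prefix and
    passes Luhn. Already-masked values ("************1111") never qualify."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = classify(digits)
            if brand and luhn_ok(digits):
                findings.append(Finding(source, lineno, brand, mask(digits)))
    return findings


def scan_file(path):
    """Scan one file on disk; tolerant of stray bytes in logs, CSV exports and dumps."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(path, fh.read())


# Constructed sample data: a web-server log that once recorded full card numbers,
# and a CSV export of an old orders table.
SAMPLE_LOG = """\
2006-03-01 10:22:14 order=88213 card=4111 1111 1111 1111 amount=25.00
2006-03-01 10:23:01 order=88214 card=************1111 amount=40.00
2006-03-01 10:25:40 session=1234567812345678 ok
2006-03-01 10:30:09 order=88215 card=4111111111111112 declined
"""

SAMPLE_CSV = """\
order_id,name,card_number,exp
88216,Jane Doe,5500000000000004,12/09
88217,J. Roe,378282246310005,11/08
"""

if __name__ == "__main__":
    for source, text in (("auth.log", SAMPLE_LOG), ("orders.csv", SAMPLE_CSV)):
        for f in scan_text(source, text):
            print(f"{f.source}:{f.line}: {f.brand} {f.masked_pan}")
```

Run against the constructed samples it reports one Visa number in the log (the already-masked value, the session id and the number that fails Luhn are all ignored) and the two card numbers in the CSV. In practice the same scan is run over database exports, application logs, backups and spreadsheets on file shares, and anything it finds is either purged or moved into the compliant environment.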




               Remediation Strategies for Web Based Applications

• Option 3 – Custom Compliant Hosting at Penn
    – Expensive, and forces the strictest adherence to the following requirements
          • Build and Maintain a Secure Network
               – Requirement 1: Install and maintain a firewall configuration to protect data
          • Protect Cardholder Data
               – Requirement 3: Protect stored data
               – Requirement 4: Encrypt transmission of cardholder data and sensitive information across
                 public networks
          • Implement Strong Access Control Measures
               – Requirement 9: Restrict physical access to cardholder data
          • Regularly Monitor and Test Networks
               – Requirement 10: Track and monitor all access to network resources and cardholder data
               – Requirement 11: Regularly test security systems and processes
    – Explore alternative means/vendors to process transactions
          • Determine need to have cardholder data pass through or be stored on a Penn Server
          • Establish business need to host the application in-house
    – Create logistical configuration of compliant hosting environment and estimate
      cost
    – Relocate the hosted web application and database servers to the secure and
      compliant network configuration.


              Three-Phased Approach

 – Discovery
       • Identify and retain consulting expertise to provide guidance in the interpretation of the standards
         and validate our process
       • Establish a working group of stakeholders from schools and centers with active merchant accounts
              – Identify merchant accounts and perform gap/risk analysis to determine risk and priority of remediation efforts.
       • Determine difference in compliance requirements between credit card information collected on-line
         (online card services) and at point-of-sale (POS) terminals.
       • Develop remediation strategies
 – Assessment
       • Evaluate gaps against remediation strategies and determine course of action for each merchant
         account
       • Establish infrastructure to execute remediation strategy
       • Identify policies that have to be created or modified to support ongoing data security and PCI
         standards, including communication and training of personnel.
       • Identify and review third party business affiliates contracts to ensure that they provide
         documentation of PCI compliance
       • Finalize remediation schedule and milestones
 – Remediation
       •    Evaluate and select an authorized PCI compliance auditor for the annual audits
       •    Monitor and facilitate remediation efforts across schools and centers per the established schedule
       •    Develop and implement data security and PCI standards policies.
       •    Create Report on Compliance (ROC)


               Proposed Milestones

PCI Compliance Project Milestones | Original Start | Original End | Revised Start | Revised End | Status | Resource

Discovery
Establish working group | 11/7/2005 | 11/18/2005 | | | complete |
Develop a common interpretation of the standard | 11/1/2005 | 12/10/2005 | | 3/1/2006 | complete |
Validate our understanding of the standard with a consulting expert | 11/21/2005 | 12/23/2005 | | 3/1/2006 | complete |
Perform high level assessment across all merchant accounts | 11/21/2005 | 1/16/2006 | 12/23/2005 | 3/1/2006 | complete |
Develop a remediation strategy | 11/21/2005 | 1/16/2006 | 2/15/2006 | 3/28/2006 | In Progress |
Discovery Phasegate | | 1/20/2006 | | 3/28/2006 | |

Assessment
Perform compliance gap analysis through self assessment across all schools/centers merchant accounts | 3/22/2006 | 6/1/2006 | | | | Schools & Centers
Perform policy review and gap analysis | 3/22/2006 | 4/15/2006 | | | | Treasurer, ISC
Perform gap analysis on 3rd party contracts | 4/1/2006 | 5/15/2006 | | | | Treasurer, OGC
Determine ownership and responsibilities of ongoing annual PCI process | 3/15/2006 | 6/1/2006 | | | In Progress | Treasurer, ISC, Audit and Compliance
Scope and cost estimate a secure operational environment based on business need of schools/centers | 3/22/2006 | 5/1/2006 | | | | TBD
Revise/Create policies to support compliance initiative | 4/15/2006 | 6/30/2006 | | | | Treasurer, ISC
Finalize remediation schedule and milestones | 6/1/2006 | 6/20/2006 | | | | bmk
Select a PCI compliant scan vendor | 5/1/2006 | 5/30/2006 | | | | core team
Assessment Phasegate | | 7/1/2006 | | | |

Remediation
Complete execution of remediation effort to make systems/applications compliant (code changes, central solution, outsourced solution) | 7/1/2006 | 10/15/2006 | | | | Schools & Centers
Finalize policies (approval) | 7/1/2006 | 9/15/2006 | | | | Treasurer, ISC
Finalize 3rd party contracts | 7/1/2006 | 9/15/2006 | | | | Treasurer, OGC
Complete self assessment across all schools/centers | 9/1/2006 | 11/30/2006 | | | | Schools & Centers
Generate compliance report identifying any outstanding items/issues | 11/15/2006 | 12/22/2006 | | | | core team
Transfer ownership and infrastructure for ongoing compliance | 11/1/2006 | 12/22/2006 | | | | core team, Audit and Compliance
               Next Steps

• Schedule monthly meetings
    – Proposed – last Tuesday of the month 2:30 -4:00
• Schools/centers
    – Perform self assessment/gap analysis
    – Identify systems, hardware, infrastructure that is not in compliance across all
      merchant accounts
    – Modify systems accordingly to ensure that each merchant account is compliant
      by 10/15
• ISC, Treasurer, OGC
    – Review and identify policies that need to be changed/created to support PCI
      compliance
    – Work with schools/centers in creation of a specification and cost estimate for a
      custom compliant hosting environment
    – Facilitate gap analysis across schools and centers
    – Vendor
          • Review third party contracts and amend with compliance language
          • Letter to vendors requesting documentation of compliance


            Appendix A – Project Org Chart

• Executive Sponsor/Owners
   – Robin Beck
   – Scott Douglass

• Project Management
   – Michael Harris (EVP)
   – Bill Kasenchar (ISC)

• Core Team
   – Helen Kreider (Treasurer)
   – Christine Senopoulos (Treasurer)
   – Sue Arcari (Treasurer)
   – Dave Millar (ISC)
   – Jim Choate (ISC)
   – Robert Terrell (OGC)

• Working Team
   – Laura Sider (Annenberg Policy)
   – Donna Burdumy (Annenberg School)
   – Chris Bradie (Business Services)
   – Joseph Wolk (Dental)
   – Cathy DiBonaventura (Design)
   – Richard Martorelli (Development)
   – Donna Rollins (DRIA)
   – Joe Shannon (Finance)
   – Jerel Wohl (GSE)
   – Cassandra Green (ICA)
   – Sandy Selznick (ISC)
   – Ernie Gonsalves (Law)
   – Robert Puri (Library)
   – Janet Lind (Medicine)
   – Alan Waldt (Museum)
   – Jackie Lowry (Nursing)
   – James Duffin (Pres - Archive)
   – Jay Goldman (Pres - WXPN)
   – Sharon Liu (Provost - OIP)
   – Margaret Porigow (Provost - admi)
   – Neal Hebert (SAS)
   – Christopher Bristow (SEAS)
   – Lizza Robb (Social Policy)
   – Kelly Reynolds (Vet)
   – Frank Maleno (VPUL - College)
   – Bill Turner (VPUL)
   – Deirdre Woods (Wharton)


