PCI Compliance in the University Setting
Copyright Sandie Rosko, John Chapman, Jay Maylor 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
What does PCI DSS entail?
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
Fully understand/learn the PCI/DSS requirements
• Can't learn everything in a one-hour session
• Where can you get information?
  – Treasury Institute for Higher Education
  – Merchant provider
  – Card issuers
  – PCI Security Standards Council webinars
  – PCI Security Standards Council website: https://www.pcisecuritystandards.org/
WSU Card Configuration Prior to PCI
• Early adopters
• Freely available to departments
  – Applications developed by department staff, University Publications
  – E-commerce applications took off: Alumni, Foundation, Registrar, Conferences, KWSU, Vet School, Student Visitation, CANR Publications
• Added additional services
  – Department queries and downloads by merchant
  – Miscellaneous charges – call center
WSU Card Environment (pre-PCI DSS)
[Diagram. Components shown: CPM database and CPM server, with a connection to the credit card processor (TSys); a firewall; Cybersource software running on a WSU server; point-of-sale workstations at all urban campuses (Spokane, Vancouver, Tri-Cities); e-commerce applications developed by central IT staff (tuition payments, admission application fees, transcript fees, save-a-seat payments); and 35 different e-commerce applications developed by departmental staff (WSU Foundation, Housing and Dining, Conferences, Vet School, ...).]
The Shock of PCI DSS
• Discussed with consultant
• Flat network – no segmentation
• Entire campus subject to PCI DSS
• Quarterly network scans of up to 15,000 computers
Three Pronged Approach to Compliance
• PCI DSS Compliant Zone for Central Applications
• Central Payment Site for Departmental Applications
• Policy to Require Compliance
PCI DSS Compliant Zone
[Diagram. A Secure E-Commerce Zone containing the CPM database, the CPM server and the Central Payment Site; customers connect from outside the zone. Central applications shown: tuition payments, admission application fee, save-a-seat deposit, etc.]
Policies and Documentation
• Router, switch and firewall standards
• Software Development Life-Cycle
• OWASP
• Change control
Security Services
• Intrusion detection
• Vulnerability assessment
• Event log monitoring
• File integrity monitoring
• Two-factor authentication
WSU Central Payment Card Site
• The problem – Popular centrally administered credit card payment API would be difficult to make PCI compliant
• The Solution – Provide a web based solution for departments that removes departmental servers and processing from the PCI environment
Central Payment Site Processing
[Diagram, built up over four slides. Components: Customers, Departmental Applications, Central Payment Site, e-commerce database and CPM server; the Central Payment Site, e-commerce database and CPM server sit inside the Secure E-Commerce Zone. The callouts, in the order of the flow:]
• Customer initiates an e-commerce transaction
• Dept. application initiates transaction via web service call
• Web service stores transaction in e-commerce database
• Token returned to e-commerce application
• Client browser redirected to central payment site
• Customer enters credit card data
• Transaction request retrieved from database
• Credit card charge validated by CPM server
• Central payment site redirects customer browser back to dept. application
• Dept. application retrieves status of transaction via web service
• Status of transaction retrieved from e-commerce database
• Dept. application informs customer of status of credit card charge
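The redirect-and-token flow above is the mechanism that keeps departmental servers out of the PCI environment: the department never sees a card number, only a token and a status it fetches back over the web service. The following simulation is an added example and is not WSU's code; the class names, the example.edu URLs and the Luhn-only "processor" are constructed stand-ins, and it assumes the token is carried in the redirect URL in both directions.

```python
# Added example (not from the slides): a minimal simulation of the redirect-and-token
# flow of the "Central Payment Site Processing" diagram. Class names, the URLs and the
# Luhn-only "processor" are constructed stand-ins for the real components.
import secrets
from dataclasses import dataclass


@dataclass
class PaymentRecord:
    """One row of the e-commerce database: the request and its outcome, never card data."""
    token: str
    amount_cents: int
    description: str
    return_url: str
    status: str = "pending"  # pending -> approved | declined


class CentralPaymentSite:
    """Stands in for the central payment site, its web service and the e-commerce
    database inside the Secure E-Commerce Zone. It is the only party that handles
    a card number, and it does not persist it."""

    def __init__(self) -> None:
        self._db: dict[str, PaymentRecord] = {}

    # -- web service used by departmental applications (no card data crosses here) --
    def create_transaction(self, amount_cents: int, description: str, return_url: str) -> str:
        """Store the transaction request and return an unguessable token for it."""
        token = secrets.token_urlsafe(24)
        self._db[token] = PaymentRecord(token, amount_cents, description, return_url)
        return token

    def get_status(self, token: str) -> str:
        """Authoritative status lookup; the department calls this after the redirect back."""
        return self._db[token].status

    # -- hosted payment page, reached by the customer's browser after the redirect --
    def payment_page_url(self, token: str) -> str:
        return f"https://pay.example.edu/pay?token={token}"

    def submit_card(self, token: str, pan: str, expiry: str) -> str:
        """Customer posts card data here. Authorize via the processor stand-in, record only
        the outcome, and return the URL that sends the browser back to the department."""
        rec = self._db[token]
        if rec.status != "pending":
            raise ValueError("transaction already processed")  # a token is single-use
        rec.status = "approved" if self._authorize(pan, expiry, rec.amount_cents) else "declined"
        return f"{rec.return_url}?token={token}"

    @staticmethod
    def _authorize(pan: str, expiry: str, amount_cents: int) -> bool:
        """Constructed stand-in for the CPM server / TSys call: Luhn check plus a positive amount."""
        digits = [int(c) for c in pan if c.isdigit()]
        total = 0
        for i, d in enumerate(reversed(digits)):
            if i % 2 == 1:  # every second digit from the right is doubled
                d = d * 2 - 9 if d * 2 > 9 else d * 2
            total += d
        return bool(digits) and total % 10 == 0 and amount_cents > 0


class DepartmentalApp:
    """Runs outside the PCI zone. It stores tokens and statuses, never card numbers."""

    def __init__(self, central: CentralPaymentSite) -> None:
        self.central = central
        self.orders: dict[str, str] = {}  # order_id -> token

    def checkout(self, order_id: str, amount_cents: int, description: str) -> str:
        """Register the transaction over the web service, keep the token for the order,
        and hand back the URL the customer's browser is redirected to."""
        token = self.central.create_transaction(
            amount_cents, description, "https://dept.example.edu/return")
        self.orders[order_id] = token
        return self.central.payment_page_url(token)

    def handle_return(self, order_id: str, token: str) -> str:
        """On the redirect back, trust nothing in the URL except the token, and only if it
        is the one issued for this order; then ask the web service for the status."""
        if self.orders.get(order_id) != token:
            return "error"  # token does not belong to this order
        return self.central.get_status(token)


def run_flow(pan: str, expiry: str = "12/29") -> str:
    """Drive one transaction end to end; return what the department tells the customer."""
    central = CentralPaymentSite()
    dept = DepartmentalApp(central)
    redirect_url = dept.checkout("order-42", 2500, "Transcript fee")
    token = redirect_url.rsplit("token=", 1)[1]
    return_url = central.submit_card(token, pan, expiry)  # customer enters card data
    return dept.handle_return("order-42", return_url.rsplit("token=", 1)[1])


if __name__ == "__main__":
    print(run_flow("4111 1111 1111 1111"))  # Luhn-valid constructed test number
    print(run_flow("4111 1111 1111 1112"))
```

The two design points worth noticing are that the department application's code path contains no field that could hold a PAN, and that it never reads the payment result from the returning URL: it re-queries the web service by token, so a customer tampering with the redirect cannot mark an order as paid.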
WSU Central Payment Card Site: Advantages & Issues
• Advantages
  – Simplifies PCI compliance by making the PCI footprint smaller
  – SOA-based solution encourages department use
  – Encapsulation hides implementation details, making changes in the back-end processing simpler
• Issues
  – One size does not fit all
  – Centralized system = centralized problems
  – Can't centrally support the multitude of technical environments and levels of expertise in the departments
PCI Policy at Washington State University
• Centralized processing simplifies our policy
  – Centralized web payments processing
  – University-wide POS system
• Two options currently available
  – Use WSU centrally provided solutions
  – Outsource to a PCI compliant third-party provider
• Other options being considered
  – Host a PCI compliant vendor package in a centrally controlled PCI environment
  – Allow departments to set up their own PCI compliant environment
Central processing at University of Washington
• ...or lack thereof
  – No central solutions at the University of Washington
  – None planned
  – Too great a variety of departmental needs to try to fit under one system and/or vendor
PCI Policy at University of Washington
• Required compliance with PCI DSS for all University-affiliated merchants
  – Requires yearly submission of PCI surveys
  – Requires all merchant contract agreements to be obtained through the central office
  – Requires all internet-facing systems to meet OWASP (Open Web Application Security Project) standards
  – Includes enforcement provisions
  – Includes clear roles and responsibilities
Outsourcing/vendor-supplied packages
• Harbor Payments
  – SFS
• PayPal
  – PayFlow Pro
  – PayFlow Link
  – PayPal Payments Standard
• VeriSign
• Blackboard
  – HFS
• Convio
  – Development
• Paciolan
  – UW Ticketing
• ViaKlix
• ViaWarp
• Virtual Merchant
• Global Retail Advantage
  – KUOW
PCI Myths and Urban Legends
• Implementing PCI will compromise our academic mission
• We don’t store credit card numbers therefore we are PCI compliant
• Our vendor application is PCI compliant therefore we are PCI compliant
• We outsource our credit card payments therefore we’re PCI compliant
Summary of PCI DSS at WSU
• Single PCI DSS Compliant Zone
• Central Payment Site
• Policy Requires PCI DSS Compliance
• PCI DSS Compliance is a Journey Not a Destination
Questions? Contact Info
• Washington State University: John Chapman, Jay Maylor
• University of Washington: Sandie Rosko, Andrew Monusko