
Page 1: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

The University of Western Ontario & McMaster University’s Experiences

June 7th, 2011

Page 2: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Agenda

• Introductions
• What is PCI and Why is it Important?
• Lessons Learned
• What Lies Ahead?

Page 3: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Introductions

• Sharon Farnell, Director, Internal Audit – The University of Western Ontario

• Stacey Farkas – Supervisor, Financial Reporting – McMaster University

• Tim Russell – Project Manager, University Technology Services – McMaster University

Page 4: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Introductions

Western
• 2010 - $27 million in credit card sales
• 2011 - $31 million in credit card sales
• 60 merchants

McMaster
• 2010 - $24 million in credit card sales
• 2011 - $25 million in credit card sales
  - $16 million in INTERAC ONLINE transactions
• 58 merchants

Page 5: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

What is PCI?

• PCI-DSS: Payment Card Industry Data Security Standard
• Standards developed by the credit card companies (Visa, M/C) to protect cardholders
• PCI data security requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data
• EVERY merchant is required to be in compliance with these standards

Page 6: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

What is PCI?

There are 12 requirements, grouped into six categories for PCI Compliance:

• Build and Maintain a Secure Network (req. 1 & 2)

• Protect Cardholder Data (req. 3 & 4)

• Maintain a Vulnerability Program (req. 5 & 6)

• Implement Strong Access Control Measures (req. 7,8 & 9)

• Regularly Monitor and Test Networks (req. 10 & 11)

• Maintain a Policy that addresses Information Security (req. 12)

Page 7: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Merchant Levels

Level 1
• Processing volume per year: more than 6,000,000 Visa transactions
• Validation actions: Annual on-site PCI-DSS Assessment; Quarterly Network Scan
• Validation by: Qualified Security Assessor, or Internal Audit if signed by an Officer of the company (assessment); Approved Scanning Vendor (scan)

Level 2
• Processing volume per year: 1,000,000 to 6,000,000 Visa transactions
• Validation actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
• Validation by: Merchant (SAQ); Approved Scanning Vendor (scan)

Page 8: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Merchant Levels (continued)

Level 3
• Processing volume per year: 20,000 to 1,000,000 Visa e-commerce transactions
• Validation actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
• Validation by: Merchant (SAQ); Approved Scanning Vendor (scan)

Level 4
• Processing volume per year: fewer than 20,000 Visa e-commerce transactions, and all other merchants up to 1,000,000 transactions
• Validation actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
• Validation by: Merchant (SAQ); Approved Scanning Vendor (scan)

Page 9: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Merchant Types

• The PCI Security Council separated out merchant types and introduced a SAQ for each type in 2008

Page 10: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Why is PCI Compliance Important?

• FINANCIAL RISK
  – fines from payment processor and/or credit card companies
  – costs to notify cardholders
  – repayment of fraudulent charges incurred by end consumer
  – audit costs by PCI assessor
• LOSE THE ABILITY TO PROCESS CREDIT CARDS – CAMPUS WIDE
• REPUTATIONAL RISK!
• OPPORTUNITY TO ENHANCE SECURITY/IT BEST PRACTICES

Page 11: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Our PCI ‘Approaches’

Western
• Central approach to Self Assessment Questionnaires (SAQs)

McMaster
• Centralized management with individual merchant responsibilities

Page 12: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lessons Learned

1. Collaboration of stakeholders is key
2. Identify your PCI scope and environment
3. Minimize local payment processing
4. Centralized merchant approval process
5. Audit considerations
6. Don’t underestimate your time
7. Breach escalation process
8. Centralized approach to PCI DSS Self Assessment Questionnaires
9. Include PCI compliance in the RFP and purchasing process
10. Funding: who pays for this?
11. It’s a learning journey
12. Risk management strategies

Page 13: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 1: Collaboration of Stakeholders is Key

Western: Central Bank Card Committee
• Financial Services, Internal Audit, IT, Campus Department Representatives
• Chaired by AVP, Financial Services

McMaster: PCI Steering Committee
• Financial Services, IT, Key Departments, Internal Audit
• Chaired jointly by AVP Administration and CIO

Page 14: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 2: Identify your PCI Scope and Environment

Western
• Pre-RFP Review – evaluate environment
• IT code review
• Interviewed all campus departments

McMaster
• Had a PCI gap analysis completed in 2008
• Helped us to focus on high risk areas within the 12 requirements – action plan via PCI Steering Committee

Page 15: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 3: Minimize Local Payment Processing

Western
• Campus merchants are required to use Western’s internal Payment Page
• Currently migrating to an external Pay Page solution

McMaster
• Steer merchants to Hosted Pay Page solutions
• Place compliance on the software vendors
• Moving from Type D to Type A merchants – less risk

Page 16: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 4: Centralized Merchant Approval Process

Western
• New e-commerce merchants must be approved by the Bank Card Committee
• PCI compliance is a requirement

McMaster
• Upfront approval process – new merchants must meet PCI DSS requirements before a merchant number is issued
• Merchants can be suspended if not in compliance

Page 17: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 5: Audit Considerations

Western
• Limited scope – lower costs
• Important for the auditor to apply PCI to a university setting
• Consistency of auditor is key
• Demonstration of compliance

McMaster
• Pre-audit in 2008 – helped to limit scope
• Focus on individual (Type D) merchants

Page 18: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 6: Don’t Underestimate Your Time

Western
• Six months became 2+ years
• IT resources – significant impact – documentation
• Have people to help keep on track

McMaster
• Committee commenced work in 2006, still on-going
• Education and clarification of requirements took a long time

Page 19: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 7: Breach Escalation Process

Western
• Requirement of PCI-DSS
• Took time to get it ‘right’

McMaster
• Developing protocols for front-line workers and internal response
• Escalating communication plan dependent on the nature of the breach

Page 20: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Western Breach Protocol

Types of Breaches
1. Receipts compromised
2. POS compromised
3. Electronic client data compromised
4. Missing items
5. Technical breach
6. Unauthorized wireless device

Escalation flow (flowchart on the original slide)
• USER – perceived breach. IDENTIFY: inform and contain; the user ascertains risk and notifies accordingly. ITS as initiator.
• Device theft or device tampering (Types 1, 2, 3, 5) → UWO Police (x911): police engage criminal investigation and inform NSO.
• Missing files, machine, data (Type 4) → UWO NSO / IT Security (519 661 …): NSO/CISO assesses data risk and contains, notifies IPO and Finance.
• UWO Finance (x85432): Finance assesses financial risk and notifies NSO on data and vendors for transactional items. Transactional items on stop or alert – Moneris: 1-866-319-7450.
• UWO IPO (x84541): IPO interfaces with NSO, Legal and Communications if privacy is at risk.
• UWO Legal (x84217): after risk assessments and vendor notification, Legal is informed by IPO if necessary.
• UWO Communications.

Legend
• IPO – Information Privacy Office
• UWO IT – Western Information Technology
• NSO – Network Security Officer (CISO)
• CISO – Campus Information Security Officer
• Moneris – corporate payment processor

ACT FAST!
CONTAIN THE DAMAGE
PRESERVE EVIDENCE
DO NOT ACCESS COMPROMISED SYSTEM

Page 21: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 8: Centralized Approach to Self Assessment Questionnaires

Western
• Created own internal SAQ to be filled out by departments
• Fill out the SAQ for the university as a whole centrally

McMaster
• Each merchant is responsible for filling out the PCI SAQ
• SAQ questionnaires now automated through on-line submission
• 3rd party company for both SAQ submission and quarterly scanning

Page 22: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 9: Include PCI Compliance in the RFP & Purchasing Process

Western
• Push your knowledge to external partners / vendors

McMaster
• Smaller companies weren’t always aware of PCI compliance
• Integrated into policy and purchasing documents

Page 23: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 10: Funding – Who Pays for This?

Western
• Funded centrally

McMaster
• Yearly internal merchant ‘PCI Levy’
• Base charge plus volume based charge with caps
• Essentially covers the cost of 1 FTE in IT and 0.5 in Financial Services
• Now covers cost of 3rd party assessor

Page 24: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 11: It is a Learning Journey

Western
• PCI changes – helps to have ‘experts’

McMaster
• On-going changes: the risks change, therefore the compliance also changes
• Adapt to new business processes
• Learning journey for software vendors as well

Page 25: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Lesson 12: Risk Management Strategies

Both Universities:
• Governance and oversight
• Third-party assessors and PCI advisors
• Pro-active compliance by doing more than required
• Migration to Hosted Payment Page
• Required annual merchant training

Page 26: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

What Lies Ahead?

Western:
• Keep ahead of PCI – change approaches as you go

McMaster:
• Monthly, quarterly and annual activities, based on merchant type

PCI Security Council:
• Three year cycle for standard revisions
• Now possible for internal auditors to be certified to conduct PCI audits

Page 27: LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

References

PCI Security Council: https://www.pcisecuritystandards.org/index.shtml

University of Western Ontario: http://commerce.uwo.ca/index.html

McMaster University: http://www.mcmaster.ca/bms/BMS_FS_Payment_Card.htm