PCI Compliance in the University Setting

Copyright Sandie Rosko, John Chapman, Jay Maylor 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Post on 15-Dec-2015

What does PCI DSS entail?

• Build and maintain a secure network

• Protect cardholder data

• Maintain a vulnerability management program

• Implement strong access control measures

• Regularly monitor and test networks

• Maintain an information security policy

Fully understand/learn the PCI DSS requirements

• Can’t learn everything in a one hour session

• Where can you get information?

– Treasury Institute for Higher Education

– Merchant provider

– Card issuers

– PCI Security Standards Council Webinars

– PCI Security Standards Website: https://www.pcisecuritystandards.org/

WSU Card Configuration Prior to PCI

• Early adopters

• Freely available to departments

– Applications developed by dept staff, Univ Pub.

– E-commerce applications took off: Alumni, Foundation, Registrar, Conferences, KWSU, Vet School, Student Visitation, CANR Publications

• Added additional services

– Dept queries and downloads by merchant

– Miscellaneous charges – call center

WSU Card Environment (pre-PCI DSS)

[Diagram of the pre-PCI DSS card environment; components shown:]

• CPM Database and CPM Server, with Cybersource software running on a WSU server, connected to the credit card processor (TSys)

• Firewall

• E-commerce applications developed by departmental staff: WSU Foundation, Housing and Dining, Conferences, Vet School, ... (35 different e-commerce applications)

• E-commerce applications developed by central IT staff: Tuition Payments, Admission Ap Fees, Transcript Fees, Save-a-seat payments

• Point of sale workstations at all urban campuses (Spokane, Vancouver, Tri-Cities)

The Shock of PCI DSS

• Discussed with consultant

• Flat network – no segmentation

• Entire campus subject to PCI DSS

• Quarterly network scans of up to 15,000 computers

Three-Pronged Approach to Compliance

• PCI DSS Compliant Zone for Central Applications

• Central Payment Site for Departmental Applications

• Policy to Require Compliance

PCI DSS Compliant Zone

[Diagram of the Secure E-Commerce Zone containing the CPM Database, CPM Server and Central Payment Site, reached by Customers for Tuition Payments, Admission Ap Fee, Save-a-seat deposit, etc.]

• Policies and Documentation

– Router, switch and firewall standards

– Software Development Life-Cycle

– OWASP

– Change control

• Security Services

– Intrusion Detection

– Vulnerability Assessment

– Event Log Monitoring

– File Integrity Monitoring

– Two-factor Authentication

WSU Central Payment Card Site

• The problem – Popular centrally administered credit card payment API would be difficult to make PCI compliant

• The Solution – Provide a web based solution for departments that removes departmental servers and processing from the PCI environment

Central Payment Site Processing

[Diagram, spread over four slides, showing Customers, Departmental Applications, the Central Payment Site and the Secure E-Commerce Zone containing the E-commerce Database and CPM Server. Steps shown:]

• Customer initiates an e-commerce transaction

• Dept. application initiates transaction via web service call

• Web service stores transaction in e-commerce database

• Token returned to e-commerce application

• Client browser redirected to central payment site

• Customer enters credit card data

• Transaction request retrieved from database

• Credit card charge validated by CPM server

• Central payment site redirects customer browser back to dept. application

• Dept. application retrieves status of transaction via web service

• Retrieve status of transaction from e-commerce database

• Dept. application informs customer of status of credit card charge
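The flow above as an added example, not code from the slides or from WSU's system: a minimal Python model in which the department application only ever holds a token, card data is entered and validated inside the central site, and the department fetches the final status through the web service instead of trusting anything in the redirect. All class and function names, the Luhn check standing in for the CPM server's validation, and the test card number are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check, a simplified stand-in for the CPM server's charge validation."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 12 and total % 10 == 0


@dataclass
class CentralPaymentSite:
    """The secure e-commerce zone: web service plus e-commerce database (in memory)."""
    db: dict = field(default_factory=dict)  # token -> transaction record, never card data

    def register_transaction(self, dept: str, amount_cents: int, return_url: str) -> str:
        # Web service call from the dept application: store the request, return a token.
        token = secrets.token_urlsafe(24)
        self.db[token] = {"dept": dept, "amount": amount_cents,
                          "return_url": return_url, "status": "pending"}
        return token

    def customer_pays(self, token: str, pan: str) -> str:
        # The customer's browser was redirected here; card data is entered on this
        # site only, validated, and dropped. It is never persisted or sent to the dept.
        rec = self.db[token]
        rec["status"] = "approved" if luhn_ok(pan) else "declined"
        return f"{rec['return_url']}?token={token}"  # redirect back to the dept app

    def transaction_status(self, dept: str, token: str) -> str:
        # Web service lookup; a department can only read its own transactions.
        rec = self.db.get(token)
        return rec["status"] if rec and rec["dept"] == dept else "unknown"


def dept_checkout(site: CentralPaymentSite, dept: str, pan: str) -> str:
    """Dept application side: it only ever handles the token, never the PAN."""
    token = site.register_transaction(dept, 2500, "https://dept.example/return")
    redirect_back = site.customer_pays(token, pan)  # happens in the customer's browser
    returned_token = redirect_back.split("token=", 1)[1]
    # Nothing in the redirect is trusted; the status is fetched server-side.
    return site.transaction_status(dept, returned_token)
```

The constructed test number 4111111111111111 passes the Luhn check and yields "approved"; any other value yields "declined", and a token from another department or an unknown token yields "unknown".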

WSU Central Payment Card Site: Advantages & Issues

• Advantages

– Simplifies PCI compliance by making PCI footprint smaller

– SOA based solution encourages department use

– Encapsulation hides implementation details, making changes in the back end processing simpler

• Issues

– One size does not fit all

– Centralized system = centralized problems

– Can’t support centrally the multitude of technical environments and levels of expertise in the departments

PCI Policy at Washington State University

• Centralized processing simplifies our policy

– Centralized web payments processing

– University wide POS system

• Two options currently available

– Use WSU centrally provided solutions

– Outsource to PCI Compliant third-party provider

• Other options being considered

– Host PCI compliant vendor package in centrally controlled PCI environment

– Allow departments to set up their own PCI compliant environment

Central processing at University of Washington

• ...or lack thereof.

– No central solutions at the University of Washington

– None planned

– Too great a variety of departmental needs to try and fit under one system and/or vendor

PCI Policy at University of Washington

• Required compliance to PCI DSS of all University affiliated merchants

– Requires yearly submission of PCI surveys

– Requires all merchant contract agreements to be obtained through central office

– Requires all internet-facing systems to meet OWASP (Open Web Application Security Project) standards

– Includes enforcement provisions

– Includes clear roles and responsibilities

Outsourcing/vendor supplied packages

• Harbor Payments

– SFS

• PayPal

– PayFlow Pro

– PayFlow Link

– PayPal Payments Standard

• VeriSign

• Blackboard

– HFS

• Convio

– Development

• Paciolan

– UW Ticketing

• ViaKlix

• ViaWarp

• Virtual Merchant

• Global Retail Advantage

– KUOW

PCI Myths and Urban Legends

• Implementing PCI will compromise our academic mission

• We don’t store credit card numbers therefore we are PCI compliant

• Our vendor application is PCI compliant therefore we are PCI compliant

• We outsource our credit card payments therefore we’re PCI compliant

Summary of PCI DSS at WSU

• Single PCI DSS Compliant Zone

• Central Payment Site

• Policy Requires PCI DSS Compliance

• PCI DSS Compliance is a Journey Not a Destination

Questions? Contact Info

• Washington State University

– John Chapman, [email protected]

– Jay Maylor, [email protected]

• University of Washington

– Sandie Rosko, [email protected]

– Andrew Monusko, [email protected]