Credit Card Data Security Compliance Achieving PCI Compliance


Credit Card Data
Security Compliance
Achieving PCI Compliance
July 2009
Kim Ray
Billing and Payment Services
Campus Credit Card Coordinator
Karen Eft
IT Policy Manager
Office of the CIO
Kate Riley
IT Security Analyst
Information System Technology
Who Accepts Credit Cards?

Departments with a business need for:
– Ticket Sales
– Enrollment/Registration/Conference Hosting
– Donations/Gifts
– Gift Shops/Admission Desks/Memberships
– Publication Sales
– Public Services (e.g., Library, Optometry, Parking, Cal Overstock)
Who Accepts Credit Cards?
Over 130 merchant accounts with annual sales exceeding $103 million/year.
[Chart: Gross Annual Credit Card Sales by year, 2002–2008; y-axis $0 to $120,000,000; annotated data point: $43 million in 2003]
How we Accept Credit Cards
[Flow diagram] Obtain Credit Card Number → System Application Database (on-campus or hosted by vendor) → Internet Gateways → UC’s Acquiring Bank
UC’s Acquiring Bank:
• Issues Merchant Account Numbers
• Processes authorizations, sales, credits
How to Accept Credit Cards
Card Present
Customers making purchases in-person
– Gifts at the Berkeley Art Museum store
– Services at the Optometry Clinic
– Admission to the Botanical Gardens
– Parking pass at Parking and Transportation
How to Accept Credit Cards
Card Not Present
Customers making purchases by phone
or mail requests
– Conference registration by mail
– Publication purchases over the phone
Accepting Credit Card Data by Fax
Prohibited in University Cash-Handling Policy
(BUS 49)
– Violation of the intent of section 4(a) in the
Uniform Commercial Code
The Campus Controller may grant a variance
– Such a request must provide detail of the
compensating controls in place to secure the
data
How we Accept Credit Cards
Card Not Present
Customers making purchases online
through a department’s web application
that interfaces with an Internet Gateway
– Enroll in a course with University
Extension
– Purchase a ticket for an Athletics game
– Pay a student intent to register fee
– Pay a Visiting Scholar’s fee
Department Web Application
• The department has a business need to collect and store personally identifiable information
 – Hosted: On-campus or by Vendor
• Must comply with Campus Minimum Security Standards:
 – https://security.berkeley.edu/MinStds/
 – Networked Devices
 – Electronic Information
Campus Minimum Security
Standards
Karen Eft
IT Policy Manager
Office of the Chief Information Officer
Campus IT Security Policy
Each member of the campus community is
responsible for the security and protection of
electronic information resources over which he
or she has control.
Resources to be protected include networks,
computers, software, and data. The physical and
logical integrity of these resources must be
protected against threats such as unauthorized
intrusions, malicious misuse, or inadvertent
compromise.
UC-wide Business & Finance
Bulletins, “IS” series
Oversight of Electronic Information:
IS-2, Inventory, Classification, and Release of
University Electronic Information
IS-3, Electronic Information Security
IS-11, Identity and Access Management
IS-12, Continuity Planning and Disaster Recovery
(http://www.ucop.edu/irc/itsec/uc/mgt_guide/guide.html)
Minimum Security Standards
Minimum ≠ minimal
Why do we put you through this?
Prevent Identity Theft
Horrible consequences for victims of identity theft.
When un-encrypted data of specific types is
“breached” we have to notify the subjects.
Incredible waste of time and effort responding to
security incidents.
Notifications can cost Millions of dollars.
Damage to reputation / good will.
Reduced level of donations or research funding.
Minimum Security Standards
• MSS for Networked Devices
• MSS for Electronic Information
Minimum Security Standards
for Networked Devices
1. Keep software patches current
2. Run approved anti-virus software
3. Run approved host-based firewall software
4. Use secure passwords
5. No unencrypted authentication
6. No unauthenticated email relays
7. No unauthenticated proxy services
8. Ensure physical security
9. Don’t run unnecessary services
Minimum Security Standards for Electronic Information (MSSEI)
1. Notice-triggering information: High Confidentiality – apply all protective measures listed in Attachment A
2. Payment Card Industry Data: May not be stored without explicit approval from UC Berkeley Billing and Payment Services
1) MSSEI notice-triggering information:
First name OR first initial AND last name, in combination with one or more of the following:
– Social Security Number,
– driver's license number,
– California Identification Number,
– financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account,
– medical information,
– health insurance information.
Protective Measures for high confidentiality
information:
more …
2) Payment Card Industry Data
Security Standard (PCI DSS):
Primary Account Number (PAN) (credit card
number) AND any of the following if stored,
processed, or transmitted with the PAN:
– Cardholder Name,
– Service Code,
– Expiration Date.
Compliance:
• Departmental Security Contact Policy
• Guidelines and Procedures for Blocking Network Access
• Security Incident Response Procedures
Departmental Security Contact Policy
To implement this policy, each department
needs to appoint a security contact and one or
more backup contacts. Departments may agree
to share contacts for efficiency. …
Contacts need to have some familiarity with the
computers in their department and be able to
determine who a responsible technical person is;
it is not necessary for the contact to have
extensive security expertise.
Guidelines and Procedures for
Blocking Network Access
When computers pose a serious risk to campus
information system resources or the Internet,
their network connection may be blocked.
If the threat is immediate, the offending
computer(s) will be blocked immediately and
notification will be sent to the departmental
security contact(s) via email that the block has
occurred.
Security Incident Response Procedures
Berkeley Campus Plan Implementing UC Requirements for Protection of Computerized Personal Information
1. Definitions
2. Responsibilities
3. Incident Response Process
4. Notification Procedures
5. Reporting Requirements
Attachment A: Information Practices Act: Sections 1798.29, 1798.82, 1798.84
Attachment B: Revision to IS-3 to Cover SB 1386 Requirements
Attachment C: Draft notification text for a 1386 breach
Security Incident Response Procedures
Remove the threat.
Preserve evidence.
“Maybe” re-build the environment to resume
operations.
Determine whether a breach, then whether
notification is required.
Security Incident Repercussions
• Very costly
• Very intrusive upon regular operations
• Damaging to the department or project, to the Berkeley Campus, to the University of California, to faculty, to staff
Assistance:
• [email protected]
• Technical services and tools
• Implementing Guidelines
• Requests for Exception
Campus Minimum Security Standards
Implementing Guidelines:
1. Software patch updates: See the Software patch
updates FAQ page, which includes examples of "noncompliant" operating systems. Also see instructions for:
* Microsoft Windows Operating System
* Linux/UNIX Operating System
* Macintosh Operating System
2. Anti-virus software
* Updating Firewall/Antivirus
3. Host-based firewall software
etc., etc.
Campus Minimum Security Standards
Requests for Exception:
Departments, units, or individuals who
believe their environments require
configurations that do not comply with the
Minimum Standards may request
exceptions to the Policies.
Data Security on Campus
Kate Riley
IT Security Analyst
IST-Application Services
Attacks
This campus receives millions of attacks per day:
– Attempts to exploit unpatched systems
– Attacks specific to application software
– Phishing attacks
Motivation for Attacks
• Defacement
• Denial of Service
• Data Theft
Campus Offerings
• Restricted Data Management (RDM)
• Scanning Tools
 – AppScan
 – Nessus
• Aggressive IP Distribution (AID)
• You
Credit Card Data Security
• 2005: Visa and MasterCard released Payment Card Industry: Data Security Standards (PCI:DSS 1.0)
• 2008: New Standards (PCI:DSS 1.1) made compliance with standards even more challenging
• 2009: PCI:DSS 1.2 just released
• University Cash-Handling Policy (BUS 49) requires that all campus merchants comply with PCI:DSS
Credit Card Data Security
General rules:
– Will not capture or transmit the credit card number on the campus network
 • Includes emails, spreadsheets, printers, etc.
– Will not store credit card numbers electronically on campus in any device
Payment Card Industry Data
Security Standards
PCI:DSS defines requirements for:
– Building and maintaining a secure network
– Protecting cardholder data
– Maintaining a vulnerability management
program
– Implementing strong access control measures
– Regularly monitoring and testing networks
– Maintaining an information security policy
Payment Card Industry Data Security Standards
• PCI:DSS requires campus merchants to complete an annual self-assessment questionnaire to certify your compliance with security standards for your merchant type
PCI Merchant Types
There are four PCI:DSS Self Assessment
Questionnaires depending on acceptance
method
SAQ-B: Sample Compliance
Total: 26 questions similar to:
– Is the card number masked when displayed?
– Are policies, procedures and practices in place to preclude sending unencrypted card numbers by end-user messaging technologies (e.g., email, instant message, chat)?
– Is access to system components and cardholder data
limited to individuals with business need?
– Are all paper and electronic media with cardholder data
physically secure?
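The "general rules" earlier in this section (no card numbers captured, transmitted or stored on campus devices, including e-mails and spreadsheets) and the SAQ-B question about masking displayed card numbers both come down to checks a department can actually run against its own files. The script below is an added example written for this page; it is not part of the original presentation and not a campus tool. It sweeps text for candidate 13–19 digit strings (with spaces or hyphens allowed between digits), discards candidates that fail the Luhn check or do not begin with one of the major brand prefixes (that prefix table is a simplification assumed here), and reports each hit with the PAN already masked to first six and last four digits, so the scanner's own report does not become another place the full number is stored. The file contents are constructed sample data built from the card brands' published test numbers, not real accounts.

```python
"""Discover stored card numbers (PANs) in text and report them masked.

Added example for this page; not from the original presentation.
Assumptions: only Visa, MasterCard, American Express and Discover
prefixes are recognised, and masking follows the first-six/last-four
pattern described in PCI DSS requirement 3.3.
"""
import re

# Constructed sample data standing in for a spreadsheet export and a mailbox
# export found on a departmental share.  Card numbers are published test numbers.
SAMPLE_FILES = {
    "registrations_2009.csv": (
        "name,amount,card\n"
        "A. Scholar,250.00,4111 1111 1111 1111\n"   # Visa test number, Luhn-valid
        "B. Student,75.00,5500-0000-0000-0004\n"    # MasterCard test number
        "C. Donor,40.00,1234567812345678\n"         # 16 digits but fails Luhn
    ),
    "inbox_export.txt": (
        "Hi, please charge my card 378282246310005 for the conference fee.\n"
        "Reference no. 20090715001234 attached.\n"  # 14 digits, fails Luhn
    ),
}

# A run of 13-19 digits, each optionally followed by one space or hyphen,
# not bordered by further digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed simplification: leading digits of the four major brands only.
BRAND_PREFIXES = {
    "Visa": ("4",),
    "MasterCard": ("51", "52", "53", "54", "55"),
    "American Express": ("34", "37"),
    "Discover": ("6011", "65"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Return the brand name for a recognised prefix, else None."""
    for brand, prefixes in BRAND_PREFIXES.items():
        if digits.startswith(prefixes):
            return brand
    return None


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits (PCI DSS 3.3 display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return [(brand, masked_pan), ...] for every likely PAN in text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if not 13 <= len(digits) <= 19:
            continue
        if not luhn_valid(digits):
            continue
        brand = brand_of(digits)
        if brand is None:
            continue
        hits.append((brand, mask_pan(digits)))   # never keep the full PAN
    return hits


def scan_files(files):
    """Return {filename: hits} for every file whose contents contain a PAN."""
    report = {}
    for name, content in files.items():
        hits = find_pans(content)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLE_FILES).items():
        for brand, masked in hits:
            print(f"{fname}: {brand} card number found ({masked})")
```

Point it at exported mailboxes, shared-drive spreadsheets and print-server spool directories; anything it reports is a candidate violation of the "will not store" rule. Luhn plus a prefix check still leaves some false positives (order and reference numbers occasionally pass both), so treat hits as leads to confirm by hand, and never write the unmasked match to a log or ticket.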
SAQ-D: Sample Compliance
Total: 226+ questions cover the topics of:
– Install and maintain a firewall configuration to protect data
– Do not use vendor supplied passwords for system defaults and other
security parameters
– Protect stored cardholder data
– Encrypt transmission of cardholder data across open, public networks
– Use and regularly update anti-virus software or programs
– Develop and maintain secure systems and applications
– Restrict access to cardholder data by business need-to-know
– Perform penetration testing at least once a year and after any
significant infrastructure or application upgrade or modification
3rd Party Service Agreements
– Service providers are contractually
required to adhere to the PCI:DSS
requirements
– All campus credit card operations must
have a written agreement that has been
reviewed and approved by the campus
business contract office
– No click-on agreements!
PCI Data Security Standards
• PCI:DSS requirements at:
 – https://www.pcisecuritystandards.org/
• Merchants complying with SAQ-C or SAQ-D may need quarterly network scans
 – The campus is working to limit the number of SAQ-C and SAQ-D merchants
• Reduces our exposure to risk
• Less costly for the merchant
Campus Certification Vendor
• The University contracted with Trustwave to host the questionnaires online and to conduct the scans
 – Via their online portal trustkeeper.net
• Each merchant department has a designated administrator who oversees PCI compliance for their merchant accounts
Merchant Timeline - 2009
July-August:
1. PCI:DSS Training
 • PCI Administrators conduct PCI training with all staff handling credit card data
2. Certify PCI:DSS Compliance
 • PCI Administrators certify compliance via the trustkeeper.net portal
PCI:DSS Training
PCI:DSS Requirement 12.6
“Is a formal security awareness program in
place to make all employees aware of the
importance of cardholder data security?”
– 12.6.1 “Educate employees upon hire and at
least annually”
– 12.6.2 “Require employees to acknowledge in
writing that they have read and understood
the company’s security policy and procedures”
Certify PCI:DSS Compliance
• PCI administrator logs into existing merchant profile in trustkeeper.net
 – Contact Billing and Payment Services Office for PCI administrator changes
• Pays for the contract extension fee via departmental BluCard
• Completes and passes the appropriate PCI:DSS Self-Assessment Questionnaire
Consequences if not compliant
– Visa merchants are subject to fines, up to
$500,000 per incident, for any merchant or
service provider that is compromised and not
compliant at the time of the incident
– FDMS may also impose fines or penalties
– The campus will no longer be able to self-certify; we will need to pay for qualified auditors to come on-site to document our compliance
– Managed response to any breach of sensitive
data
Campus PCI:DSS Compliance
• Compliance must be documented annually with FDMS and UCOP
• Based on our campus wide activity, the Controller’s Office must file a formal ‘Attestation of Compliance’ with First Data Merchant Services annually
• If one merchant answers ‘No’ to one question, then the entire campus fails compliance
Campus Compliance Timeline 2009
September:
– Controllers Office files an ‘Attestation of
Compliance’ with University’s bank
Other Credit Card Requirements
• Payment Application Data Security Standards (PA:DSS) applies to payment applications that are sold, distributed or licensed to third-parties
 – Designed to help software vendors and others develop secure payment applications that:
  • Do not store prohibited data (e.g., full magnetic stripe, CVV2 or PIN data)
  • Ensure the payment application supports compliance with the PCI DSS
  • Ensure software development processes for web-based applications follow secure coding practices
Other Credit Card Requirements

University Cash-Handling Policy (BUS 49)
requires that relationships with a third
party vendor to manage credit card
acceptance be approved by UCOP Banking
Services
– The third party’s background, capabilities,
financial condition and references are reviewed
– Contract agreements are required to meet
minimum levels of protection, regulatory
compliance, insurance, bonding, and
accurate/timely handling of credit card data as
outlined in University policy BUS-49
Obtaining PCI Compliance
[Diagram: the payment path from the department to the UCB Pre-Approved Gateways, with a compliance question at each component and connection]
– Are paper records PCI compliant?
– Is the server PCI compliant?
– Is the application PCI compliant?
– If we control this connection, is it PCI compliant?
– Is this connection PCI compliant? (asked of each network connection along the path)
– UCB Pre-Approved Gateways: labelled PCI compliant
PCI Compliance Timeline - 2009
July-August:
– Campus departments conduct PCI training
with all staff handling credit card data
– PCI Administrators obtain and document
compliance via the trustkeeper.net portal
September:
– Controllers Office files an ‘Attestation of
Compliance’ with University’s bank
Resources/References
• VISA’s List of PCI:DSS Compliant Applications
 http://usa.visa.com/download/merchants/cisplist-of-pcidss-compliant-service-providers.pdf
• PA:DSS Qualified Applications
 https://www.pcisecuritystandards.org/security_standards/vpa/
• PCI:DSS
 https://www.pcisecuritystandards.org
• UC Cash-Handling Policy: BUS 49
 http://www.ucop.edu/ucophome/policies/bfb/bus49.pdf
• UCB Minimum Security Standards
 https://security.berkeley.edu/MinStds/
Contacts
Kim Ray
[email protected]
Karen Eft
[email protected]
Technical Questions
[email protected]