
PCI Compliance in the University Setting Copyright Sandie Rosko, John Chapman, Jay Maylor 2007. This work is the intellectual property of the author. Permission.

Presentation transcript:

1 PCI Compliance in the University Setting Copyright Sandie Rosko, John Chapman, Jay Maylor This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 What does PCI DSS entail?
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy

3 Fully understand/learn the PCI DSS requirements
Can’t learn everything in a one-hour session
Where can you get information?
  –Treasury Institute for Higher Education
  –merchant provider
  –card issuers
  –PCI Security Standards Council webinars
  –PCI Security Standards website https://www.pcisecuritystandards.org/

4 WSU Card Configuration Prior to PCI
Early adopters
Freely available to departments
  –Applications developed by dept staff, Univ Pub.
  –E-commerce applications took off: Alumni, Foundation, Registrar, Conferences, KWSU, Vet School, Student Visitation, CANR Publications
Added additional services
  –Dept queries and downloads by merchant
  –Miscellaneous charges – call center

5 WSU Card Environment (pre-PCI DSS)

6 The Shock of PCI DSS
Discussed with consultant
Flat network – no segmentation
Entire campus subject to PCI DSS
Quarterly network scans of up to 15,000 computers

7 Three-Pronged Approach to Compliance
PCI DSS Compliant Zone for Central Applications
Central Payment Site for Departmental Applications
Policy to Require Compliance

8 PCI DSS Compliant Zone

9 WSU Central Payment Card Site
The problem – Popular centrally administered credit card payment API would be difficult to make PCI compliant
The solution – Provide a web-based solution for departments that removes departmental servers and processing from the PCI environment

10 Central Payment Site Processing

11

12

13

14 WSU Central Payment Card Site Advantages & Issues
Advantages
  –Simplifies PCI compliance by making PCI footprint smaller
  –SOA-based solution encourages department use
  –Encapsulation hides implementation details, making changes in the back-end processing simpler
Issues
  –One size does not fit all
  –Centralized system = centralized problems
  –Can’t support centrally the multitude of technical environments and levels of expertise in the departments
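Slides 9 and 14 describe the central payment site pattern: the department's web application hands the shopper to a centrally run site that alone collects card data, so departmental servers drop out of the PCI environment. The following is an added illustration of that hand-off, not code from WSU or from this presentation. It assumes a signed redirect (HMAC-SHA256 over the request fields, with a per-merchant shared secret) and a signed result callback; the URL, merchant identifiers, order values and the authorize stub are all constructed for the example.

```python
"""Model of a central (hosted) payment site hand-off.

The department app (outside the PCI zone) never sees a card number; it only
builds a signed checkout request and later verifies a signed result. The
central site (inside the compliant zone) is the only component that handles
the PAN. The signing scheme and every name below are assumptions for this
example, not WSU's actual design.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

CENTRAL_CHECKOUT_URL = "https://payments.example.edu/checkout"  # assumed placeholder


def _sign(fields: dict, secret: bytes) -> str:
    # Canonical form: sorted key=value pairs joined by '&', so both sides
    # compute the HMAC over exactly the same bytes.
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


# ---------- department side (outside the PCI zone) ----------
def build_checkout_redirect(merchant_id, order_id, amount_cents, return_url, secret):
    """Build the redirect URL the department app sends the shopper to.
    Note what is absent: no card number, expiry or CVV passes through here."""
    fields = {"merchant_id": merchant_id, "order_id": order_id,
              "amount_cents": str(amount_cents), "return_url": return_url}
    fields["sig"] = _sign(fields, secret)
    return CENTRAL_CHECKOUT_URL + "?" + urlencode(fields)


def verify_result(callback_params, secret):
    """Department checks the central site's signature before marking the order paid."""
    params = dict(callback_params)
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, _sign(params, secret)):
        raise ValueError("bad result signature")
    return params


# ---------- central payment site (inside the PCI DSS compliant zone) ----------
def parse_checkout_request(url, secret):
    """Central site validates the department's signed request and rejects tampering
    (for example, a changed amount)."""
    qs = parse_qs(urlsplit(url).query)
    params = {k: v[0] for k, v in qs.items()}
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, _sign(params, secret)):
        raise ValueError("bad checkout signature")
    return params


def central_authorize(request_params, card_number, secret, authorize=lambda pan, cents: True):
    """Card data is collected and used only here. `authorize` stands in for the
    processor call (assumed stub). Returns the signed result sent back to the
    department; only the truncated PAN (last four digits) leaves the zone."""
    approved = authorize(card_number, int(request_params["amount_cents"]))
    result = {"order_id": request_params["order_id"],
              "amount_cents": request_params["amount_cents"],
              "status": "approved" if approved else "declined",
              "last4": card_number[-4:]}
    result["sig"] = _sign(result, secret)
    return result


PAN_RE = re.compile(r"\b\d{13,19}\b")


def contains_pan(text):
    """Scope check: does a department-side artifact (log, record) hold a full PAN?"""
    return bool(PAN_RE.search(text))


def department_checkout_flow(secret=b"shared-secret-assumed"):
    """Walk one constructed purchase through both sides and return what the
    department ends up holding: (verified result, its log line, the redirect URL)."""
    # Constructed sample: a department sells a $42.00 conference ticket.
    url = build_checkout_redirect("CONF01", "ORD-1001", 4200,
                                  "https://conf.example.edu/done", secret)
    request = parse_checkout_request(url, secret)                      # central site
    result = central_authorize(request, "4111111111111111", secret)    # test PAN, central only
    confirmed = verify_result(result, secret)                          # department
    dept_log = f"order {confirmed['order_id']} {confirmed['status']} ****{confirmed['last4']}"
    return confirmed, dept_log, url


if __name__ == "__main__":
    confirmed, dept_log, _ = department_checkout_flow()
    print(dept_log, "| PAN in department log:", contains_pan(dept_log))
```

The point of the split is the one slide 14 makes: the department's footprint shrinks to a redirect and a signed callback, and a scope check over its logs and records should find no full card numbers at all.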

15 PCI Policy at Washington State University
Centralized processing simplifies our policy
  –Centralized web payments processing
  –University-wide POS system
Two options currently available
  –Use WSU centrally provided solutions
  –Outsource to PCI compliant third-party provider
Other options being considered
  –Host PCI compliant vendor package in centrally controlled PCI environment
  –Allow departments to set up their own PCI compliant environment

16 Central processing at University of Washington ….or lack thereof.
  –No central solutions at the University of Washington
  –None planned
  –Too great a variety of departmental needs to try to fit under one system and/or vendor

17 PCI Policy at University of Washington
Required compliance with PCI DSS of all University-affiliated merchants
  –Requires yearly submission of PCI surveys
  –Requires all merchant contract agreements to be obtained through central office
  –Requires all internet-facing systems to meet OWASP (Open Web Application Security Project) standards
  –Includes enforcement provisions
  –Includes clear roles and responsibilities

18 Outsourcing/vendor-supplied packages
Harbor Payments
  –SFS
PayPal
  –PayFlow Pro
  –PayFlow Link
  –PayPal Payments Standard
VeriSign
Blackboard
  –HFS
Convio
  –Development
Paciolan
  –UW Ticketing
ViaKlix
ViaWarp
Virtual Merchant
Global Retail Advantage
  –KUOW

19 PCI Myths and Urban Legends
Implementing PCI will compromise our academic mission
We don’t store credit card numbers, therefore we are PCI compliant
Our vendor application is PCI compliant, therefore we are PCI compliant
We outsource our credit card payments, therefore we’re PCI compliant

20 Summary of PCI DSS at WSU
Single PCI DSS Compliant Zone
Central Payment Site
Policy Requires PCI DSS Compliance
PCI DSS Compliance is a Journey, Not a Destination

21 Questions? Contact Info
Washington State University: John Chapman, Jay Maylor
University of Washington: Sandie Rosko, Andrew Monusko

