LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE

Presentation transcript:

LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE
The University of Western Ontario & McMaster University's Experiences
June 7th, 2011
(Sharon)

Agenda
Introductions
What is PCI and Why is it Important?
Lessons Learned
What Lies Ahead?
(Sharon)

Introductions
Sharon Farnell – Director, Internal Audit – The University of Western Ontario
Stacey Farkas – Supervisor, Financial Reporting – McMaster University
Tim Russell – Project Manager, University Technology Services – McMaster University

Introductions
Western: 2010 – $27 million in credit card sales; 60 merchants
McMaster: 2010 – $24 million in credit card sales; 2011 – $25 million in credit card sales and $16 million in INTERAC Online transactions; 58 merchants
Notes (Sharon): To mention? Western University – located in London, Ontario – pop. etc. McMaster University – located in Hamilton, Ontario – pop. 500,000; 20,400 full-time undergraduate students; 3,025 full-time graduate students; more than 1,200 full-time faculty members and 6,500 staff; $785 million consolidated budget.

What is PCI?
PCI-DSS: Payment Card Industry Data Security Standard
Standards developed by the credit card companies (Visa, MasterCard, etc.) to protect cardholders
PCI data security requirements apply to all members, merchants and service providers that store, process or transmit cardholder data
EVERY merchant is required to be in compliance with these standards
Notes (Sharon): To give some context for those who may not be as familiar with PCI or have not had many dealings with it, I'll give a quick, very high-level summary and then explain why it is important. PCI-DSS stands for Payment Card Industry Data Security Standard; we'll tend to shorten it and just call it PCI, but we are referring to the standard. The Payment Card Industry is the major credit card companies (Visa, MasterCard, Amex). The standards were developed by them to protect cardholders. It's important to note that these standards don't just cover the technical workings behind the scenes of accepting credit cards; they are all-encompassing, covering policies, business processes, systems and security. The requirements apply to all members (the credit card companies themselves), merchants (that would be us: anyone accepting cards) and service providers (e.g. Moneris, Global Payments, the banks): anyone who processes, stores or transmits cardholder data. Being all-encompassing, they could also involve third-party applications that come in contact with credit card information. When we talk about being compliant throughout the presentation, the expectation is that every merchant (if you have a merchant number and are accepting credit cards) IS compliant.

What is PCI?
There are 12 requirements, grouped into six categories, for PCI compliance:
Build and Maintain a Secure Network (req. 1 & 2)
Protect Cardholder Data (req. 3 & 4)
Maintain a Vulnerability Management Program (req. 5 & 6)
Implement Strong Access Control Measures (req. 7, 8 & 9)
Regularly Monitor and Test Networks (req. 10 & 11)
Maintain an Information Security Policy (req. 12)
Notes (Tim): The PCI DSS standard itself has 6 broad categories, which include 12 specific requirements, and within those requirements there are approximately 250 items that you have to meet. Every merchant has to work through some or all of these items depending on the type and level of merchant you are (we'll talk about that in a minute). These requirements are very broad in spectrum, covering items from the physical security of a piece of paper with a credit card number on it to very technical requirements such as intrusion prevention and anti-virus programs.

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data – from the e-commerce transmission of data to receiving a number via fax and where it is stored
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program (relates more to e-commerce, e.g. intrusion prevention and detection)
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors – not just writing it and having it, but making sure people are actually following it; one of our biggest challenges

Merchant Levels (as defined by Visa)

Merchant Level | Processing Volumes per Year                | Validation Actions                                                          | Validation By
Level 1        | > 6,000,000 Visa transactions              | Annual on-site PCI-DSS assessment; quarterly network scan                   | Qualified Security Assessor, or Internal Audit if signed by an officer of the company; Approved Scanning Vendor
Level 2        | 1,000,000 to 6,000,000 Visa transactions   | Annual PCI-DSS Self-Assessment Questionnaire (SAQ); quarterly network scan | Merchant; Approved Scanning Vendor

Notes (Tim): The validation requirements vary depending on merchant level. The next two charts show the different merchant levels that all merchants are categorized under, as defined by Visa, and why the level you fall under is important: it determines the validation requirements that you must perform to prove your PCI DSS compliance. Universities are typically Level 4 merchants. McMaster has approximately 65 merchant accounts, but all merchants are pooled together and McMaster is looked at as one big merchant for the purposes of these level definitions. We are a Level 4 currently but quickly approaching Level 3 based on our volumes. Regardless of the level that you are defined as, you are required to be compliant at all times; the level simply determines the audit requirements that are set out by Visa and MasterCard, which are outlined on the next slide. This is something that we emphasize in all our presentations and training: it's not a one-time activity. We are required to be compliant at all times; it's an ongoing process!

Merchant Levels (continued)

Merchant Level | Processing Volumes per Year                                                                  | Validation Actions                                                          | Validation By
Level 3        | 20,000 to 1,000,000 Visa e-commerce transactions                                             | Annual PCI-DSS Self-Assessment Questionnaire (SAQ); quarterly network scan | Merchant; Approved Scanning Vendor
Level 4        | < 20,000 Visa e-commerce transactions, and all other merchants up to 1,000,000 transactions | Annual PCI-DSS Self-Assessment Questionnaire (SAQ); quarterly network scan | Merchant; Approved Scanning Vendor

Notes (Tim): Continuation of previous slide.

Merchant Types
The PCI Security Standards Council separated out merchant types and introduced an SAQ for each type in 2008.
Notes (Tim): This is a picture we developed and used in our training to help people understand the different types of merchants and the SAQ questionnaire that applies to them.
A – virtual terminal transactions, e.g. our music department holding a concert and wanting to accept credit card payments, or e-commerce sites where, once the end consumer goes to purchase, they are redirected to the Moneris hosted pay page to complete the transaction. The payment processing itself (the credit card information) stays with Moneris, on their site, in their secure environment. Type A merchants are only required to answer questions and attest for 2 of the possible 12 requirements.
B – typical POS merchants in a retail-type environment, e.g. the Parking office; have to answer 4 of 12 requirements.
C – typical retail-type POS merchant that also has some additional integrated software behind the scenes, e.g. the bookstore.
D – in-house or third-party systems where the credit card information is being processed; the most complicated, having to answer all 12 requirements (240 points), e.g. Athletics and Recreation with an integrated registration system, or Hospitality with the GMC meal card integrated system.
The newest version of the standard (version 2.0) has changed some of the merchant types, introducing a Type C-VT (virtual terminal) merchant, so some realignment may be required for merchants.

Why is PCI Compliance Important?
FINANCIAL RISK
  fines from payment processor and/or credit card companies
  costs to notify cardholders
  repayment of fraudulent charges incurred by end consumers
  audit costs by PCI assessor
LOSE THE ABILITY TO PROCESS CREDIT CARDS – CAMPUS WIDE
REPUTATIONAL RISK!
OPPORTUNITY TO ENHANCE SECURITY / IT BEST PRACTICES
Notes (Stacey): So why is this important to us and to you? Or, why should you pay some attention to our presentation today? Compliance helps to ensure our systems are secure and reduces the risk of a breach. If it is discovered that a security breach occurred because you were not compliant, liability includes, first and foremost, the financial risk: fines from the payment processor (Moneris) and/or the credit card companies; costs to notify cardholders; repayment of fraudulent charges incurred by end consumers; audit costs by a PCI assessor (you'll be under much more scrutiny and be required to have yearly external security audits, which can be costly). You could lose the ability to process credit cards campus-wide: not just the one merchant who caused the problem, it affects ALL merchants. Reputational risk: it won't be your bookstore or the small department running a conference that had a breach and gets mentioned in the media, it will be the University as a whole. (Note: as we were told when we had a security audit done, which we'll talk about later, it's not IF you have a breach, it's WHEN you have a breach; how you deal with it is what will minimize the financial liability.)

Our PCI 'Approaches'
Western: Central approach to Self-Assessment Questionnaires (SAQs)
McMaster: Centralized management with individual merchant responsibilities
(Stacey)

Lessons Learned
1: Collaboration of stakeholders is key
2: Identify your PCI scope and environment
3: Minimize local payment processing
4: Centralized merchant approval process
5: Audit considerations
6: Don't underestimate your time
7: Breach escalation process
8: Centralized approach to PCI DSS Self-Assessment Questionnaires
9: Include PCI compliance in the RFP and purchasing process
10: Funding: who pays for this?
11: It's a learning journey
12: Risk management strategies
Notes (Stacey): Both universities have similar lessons learned, but different approaches. There is no one right way to manage for PCI compliance. Sharon will explain Western's lessons on each slide, and Tim and I will alternate: 1 (SF), 2 (SF), 3 (TR), 4 (TR), 5 (TR), 6 (SF), 7 (SF), 8 (TR), 9 (TR), 10 (SF), 11 (SF), 12 (SF).

Lesson 1: Collaboration of Stakeholders is Key
Western: Central Bank Card Committee – Financial Services, Internal Audit, IT, campus department representatives; chaired by the AVP, Financial Services
McMaster: PCI Steering Committee – Financial Services, IT, key departments, Internal Audit; chaired jointly by the AVP Administration and the CIO
Notes (Sharon) (Stacey): Senior management support for the process.

Lesson 2: Identify your PCI Scope and Environment
Western: Pre-RFP review to evaluate the environment; IT code review; interviewed all campus departments
McMaster: Had a PCI gap analysis completed in 2008; helped us to focus on high-risk areas within the 12 requirements, with an action plan via the PCI Steering Committee
Notes (Sharon): WESTERN – Prior to issuing the RFP we had an assessment done of our environment that identified areas where we needed to implement firewalls, etc., that would limit the audit scope. The review of the code of our payment process resulted in the company sharing information that would move our payment processing away from Western. By implementing this process we reduce our PCI scope such that our IT environment becomes 'out of scope'. (Stacey)

Lesson 3: Minimize Local Payment Processing
Western: Campus merchants are required to use Western's internal payment page; currently migrating to an external pay page solution
McMaster: Steer merchants to hosted pay page solutions; place compliance on the software vendors; moving from Type D to Type A merchants – less risk
Notes (Sharon) (Tim): Direct merchants towards a Type A e-commerce solution where possible (Moneris Hosted Payment Page / eSelectPlus). Work with vendors on their PCI compliance and expect it from products: a learning curve over the last several years. Often difficult with niche (Higher Ed) solutions, as the market is small or US-based (Moneris is not known to them).

Lesson 4: Centralized Merchant Approval Process
Western: New e-commerce merchants must be approved by the Bank Card Committee; PCI compliance is a requirement
McMaster: Upfront approval process – new merchants must meet PCI DSS requirements before a merchant number is issued; merchants can be suspended if not in compliance
Notes (Sharon) (Tim): McMaster has a centralized payment processor. We negotiated the contract with a 'preferred' supplier, not an 'exclusive' one, which allowed us to grandfather some of the merchants who had integrated systems (only 2 left). Any new applications come through Financial Services with the required sign-offs and security scans by IT. This allows us to manage risk by ensuring compliance before activating the merchant number.

Lesson 5: Audit Considerations
Western: Limited scope – lower costs; important for the auditor to apply PCI to a university setting; consistency of auditor is key; demonstration of compliance
McMaster: Pre-audit in 2008 helped to limit scope; focus on individual (Type D) merchants
Notes (Sharon): WESTERN – 3-4 day process; documentation key; compensating controls re security policy and criminal checks. (Tim)

Lesson 6: Don't Underestimate Your Time
Western: Six months became 2+ years; IT resources – significant impact – documentation; have people to help keep on track
McMaster: Committee commenced work in 2006, still on-going; education and clarification of requirements took a long time
(Sharon) (Tim)

Lesson 7: Breach Escalation Process
Western: Requirement of PCI-DSS; took time to get it 'right'
McMaster: Developing protocols for front-line workers and internal response; escalating communication plan dependent on the nature of the breach
Notes (Sharon) (Stacey): Breach – not if, but WHEN.

Western Breach Protocol (flowchart)

Perceived breach – types of breaches:
1. Receipts compromised
2. POS compromised
3. Electronic client data compromised
4. Missing items
5. Technical breach / unauthorized wireless device

Contacts:
UWO Police – x911
UWO Finance – x85432, finance@uwo.ca
UWO Legal – x84217, jarrett@uwo.ca
UWO NSO / IT Security – 519 661 3800, nso@uwo.ca
UWO IPO – x84541, privacy.office@uwo.ca
UWO Communications
Moneris – 1-866-319-7450

Flow:
USER – identify: inform and contain. The user ascertains the risk and notifies accordingly (IT Services as initiator).
Device theft or device tampering (Types 1, 2, 3, 5): POLICE engage criminal investigation and inform NSO.
Missing files, machine, data (Type 4): NSO/CISO assesses data risk and contains, notifies IPO and Finance.
FINANCE assesses financial risk and notifies NSO on data, and notifies vendors for UWO; transactional items put on stop or alert with Moneris.
IPO interfaces with NSO, Legal and Communications if privacy is at risk.
After risk assessments and vendor notification, LEGAL is informed by IPO if necessary.

ACT FAST! CONTAIN THE DAMAGE. PRESERVE EVIDENCE. DO NOT ACCESS THE COMPROMISED SYSTEM.

Legend: IPO – Information Privacy Office; UWO IT – Western Information Technology; NSO – Network Security Officer (CISO); CISO – Campus Information Security Officer; Moneris – corporate payment processor.
(Sharon)

Lesson 8: Centralized Approach to Self-Assessment Questionnaires
Western: Created our own internal SAQ to be filled out by departments; fill out the SAQ for the university as a whole centrally
McMaster: Each merchant is responsible for filling out the PCI SAQ; SAQ questionnaires now automated through on-line submission; third-party company for both SAQ submission and quarterly scanning
Notes (Sharon) (Tim): MCMASTER – RFP for third-party quarterly scanning and an online SAQ submission and monitoring process, as required for Level 4 (if requested by the payment processor) and required for Level 3. Prepares McMaster for Level 3 merchant requirements. Provides better management of the merchant SAQ submissions (over 60 each year); manual follow-up is currently required.

Lesson 9: Include PCI Compliance in the RFP & Purchasing Process
Western: Push your knowledge to external partners / vendors
McMaster: Smaller companies weren't always aware of PCI compliance; integrated into policy and purchasing documents
(Sharon) (Tim)

Lesson 10: Funding – Who Pays for This?
Western: Funded centrally
McMaster: Yearly internal merchant 'PCI Levy' – base charge plus a volume-based charge with caps; essentially covers the cost of 1 FTE in IT and 0.5 FTE in Financial Services; now covers the cost of the third-party assessor
Notes (Sharon) (Stacey): Now we are up to 2009 and our project funding finally ran out. Our volumes continue to grow, and we still needed additional resources. At Mac, moving to activity-based budgeting, a merchant-volume-based fee seemed the most logical. There was lots of resistance, but we tweaked it: percentages, stepped it in, delayed it, maximums for big merchants, etc. Based on pre-assessment recommendations, we planned for increased resources to manage PCI. This included the introduction of a PCI Levy: it essentially covers the cost of 1 FTE in UTS and 0.5 FTE in Financial Services; it is designed to reflect actual setup and operational costs and create incentives to find economies of scale; and it closes the resource gaps identified by Trustwave. Fee for all merchants: a base charge (depending on type – higher for e-commerce) plus a volume-based charge (% of sales): $350 basic plus 1% of sales; $750 e-commerce plus 1% of sales; a ceiling of $10,000 per year for any one merchant applies.

Lesson 11: It is a Learning Journey
Western: PCI changes – helps to have 'experts'
McMaster: On-going changes: the risks change, therefore the compliance also changes; adapt to new business processes; learning journey for software vendors as well
Notes (Sharon) (Stacey): PCI compliance is a JOURNEY, not a DESTINATION. We've walked you through our journey, and you've seen how long it has taken us to implement our policies and procedures. It does take time and sometimes feels like a moving target, but the point here is that you can be compliant one day and not the next; there are so many different factors (including the standards themselves) that can and will change and evolve over time. And we're still all learning as we go; we're definitely not the 'experts'!

Lesson 12: Risk Management Strategies
Both universities:
Governance and oversight
Third-party assessors and PCI advisors
Pro-active compliance by doing more than required
Migration to hosted payment page
Required annual merchant training
(Stacey)

What Lies Ahead?
Western: Keep ahead of PCI – change approaches as you go
McMaster: Monthly, quarterly and annual activities, based on merchant type
PCI Security Council: three-year cycle for standard revisions; now possible for internal auditors to be certified to conduct PCI audits
(Sharon) (Tim)

References
PCI Security Council: https://www.pcisecuritystandards.org/index.shtml
University of Western Ontario: http://commerce.uwo.ca/index.html
McMaster University: http://www.mcmaster.ca/bms/BMS_FS_Payment_Card.htm
(Sharon)

Thank you! / Merci!
Contact Information:
Sharon Farnell – sfarnell@uwo.ca
Stacey Farkas – farkas@mcmaster.ca
Tim Russell – trussel@mcmaster.ca
(Sharon)