The Fork in the Road to PCI Compliance

Transcription

1 The Fork in the Road to PCI Compliance and How We Took It Purdue University April 24, 2017 Debra Wert Jefferson Hopkins

2 Yogi Berra If you come to a fork in the road, take it. Yogi Berra

3 University Environment The University has a mix of ecommerce, card present, and card not present operations at one primary and three regional campuses 35 SAQ A merchants - ecommerce uses TouchNet hosted sites or redirects 92 SAQ B merchants analog dialup terminals 11 SAQ C-VT merchants PC workstation to Internet 14SAQ D merchants non-redirected Website, Micros POS, Opera property management, multiple site Ticketmaster, multiple site Paciolan (Spectra)

4 University Network Environment

5 The Challenge End of life for CDE firewall Incorporating changing PCI DSS requirements As always, budget constraints Staff reductions in support areas Merchant requested scope expansion, wireless, remote, etc.

6 Do nothing Options to Compliance? Build a self-contained CDE that could be rolled out quickly with existing personnel at a reasonable cost that is PCI compliant Change the business process of merchants Scope reduction

7 Do Nothing Maintain non-compliant network appliances Report to acquirer as noncompliant Wait for the fines.

8 Full Replacement CDE Replace current environment with compliant network Creation of new physical server farm and multiple virtual servers POS sites connected to Data Center CDE via VPN workgroup firewall POS outbound traffic via proxy server

9

10 And the Cost?

11 High Level Worst Case Costs Infrastructure Acquisition Costs Maintenance Costs (14%) FTE* Notes Switches and Firewalls for 80 Network Client $150, $22, POS locations Network Servers $60, Switches and Firewalls for 2 $7, Data Center locations Virtual Environment $120, PCI Application Servers, System & Security $43, Management Support Infrastructure $75, Active Directory, Systems Monitoring, Systems $86, Management Licensing costs* $60, Potential Cost Backup $30, Dedicated hardware for $21, backup target Penetration Testing $25, ITCR $60, ITSP $ $68, Security Services + Pen Test Totals $520, $0.00 $308, Total Cost: $829, Set up time: 8-10 months

12 Full Outsource Designed for quick deployment Vendor manages all equipment and PCI requirements Minimal equipment and labor costs

13 Current Merchant Services Support Costs FTE Days Hours Hourly Rate Total Costs Treasury Costs ITIS - Hardware ITCR - Workstations Micros Opera ITSP Discovery Scanning $25, $45 $46, $45 $46, $45 $9, $46 $3, $42 $1,680 Salary & Wage $146,860 Fringes $42,682 Fee Remissions $975 Equipment - Captial & Non-Capital $1,200 Info Technology $15,600 Leasing & Maintenance $28,500 PCI Admin incorporated in Treasury Costs Other Expenses $500 Calumet/IPFW: Firewall review and maintenance 16 $42 $672 Supplies & Services $200 Calumet/IPFW/PNC: Rogue wireless review 8 $42 $336 Travel & Entertainment $6,800 Total IT Costs: $133,776 Treasury Total: $243,317 Treasury & IT Total $377,093 Supporting ITIS Information:

14 Full Outsource

15 Barebones CDE Designed to maintain compliancy of existing merchants as other scope options become available Relies on outsourced services and third-party agents on each workstation Vendor provided appliances located in the CDE

16

17 SneakerNet CDE Designed to support a small number of merchants for a short time in anticipation of scope reduction Updates, patches and password changes are accomplished at each computer and firewall with portable media Labor intensive to maintain and only tolerable for a brief duration

18 SneakerNet

19 SneakerNet CDE University Provided Hardware/Software Quantity Unit Cost Non-Recurring Recurring Total Workgroup Firewall - Cisco (5506-K9) 3 $ $ 2, Central Firewall w/ids - Cisco (5506-K9) 1 $ $ Unmanaged Switch - Allied (AT-FS708) 4 $ $ PC Vulnerability Scanner 1 $ 2, $ 2, Proxy Server Software: TBD 1 $ 2, $ 2, $ 8, $ 8, Services Required University Provided Hours Unit Cost Non-Recurring Recurring Workstation Build and Configuration 80 $ $ 3, Workstation Management Updates and Patching 60 $ $ 2, Desktop Support 24 $ $ 1, Proxy Server Build and Configuration 40 $ $ 1, Proxy Services Application Management 20 $ $ Firewall Build and Configuration 26 $ $ 1, Firewall OS Management Updates and Patching 28 $ $ 1, Firewall Ruleset Configuration and Management 80 $ $ 3, Firewall Ruleset Review - Bi-Annual 80 $ $ 3, Log Alert/SEIM Response and Remediation 80 $ $ 3, Internal Vulnerability Review and Remediation 80 $ $ 3, $ 9, $ 16, $ 26, Services Provided Outsource Quantity Months Non-Recurring Recurring Endoinpoint Security - File Integrity Monitoring Endoinpoint Security Anti-Virus Endoinpoint Security Policy Monitoring $ 2, Managed Compliance Monitoring 12 $ 11, Monitoring Hardware & Install $ 2, Onsite Install & Travel Expenses $ 2, VPN 12 $ 1, Penetration Testing Annual $ 25, $ 4, $ 39, $ 44, $ 22, $ 56, $ 78,804.60

20 Walter T. Conway If you want to be PCI compliant, go back to dial-up terminals. No, really. I mean it! Donations can be made to the Walter T. Conway, Jr. Fund at Episcopal Community Services, 165 Eighth Street, 3rd Floor, San Francisco, CA 94103, or online at

21 Scope Reduction Assessed all merchants to determine the best way to and the probability of reducing the scope of their operation Surveyed available encryption solutions and probability and timing of deployment Determined merchants that could change business processes Analog dial-up terminals ecommerce Website change to redirect

22 The Inevitability of EMV EMV is being deployed by most POS providers P2PE is being simultaneously incorporated by most POS providers Delay caused by technical complexity of EMV interfaces Acquirers were slow to on-board new POS EMV providers

23 A Sales Effort Present all options for compliancy and a recommendation Cost scenarios Time to implementation University impact

24 Mandate Either Create a new Compliant Cardholder Data Environment Or Change the Business Process and Mandate Encryption

25 Mandate Identified strategy for Scope Reduction Garnered support from Sr staff in IT/Business Requested a university wide communication from the VP s of Information Technology and Office of the Treasurer Communicated target date to implement P2pE or order analog dialup terminals.

26 Mandate High-powered patrons Senior Vice President and Assistant Treasurer Vice President for Information Technology and Chief Information Officer Mandated either encrypted solution or reversion to analog dial-up terminals Also mandated EMV

27 Mandate It is crucial for your merchant team to take immediate action to implement a solution that is EMV enabled and utilizes P2PE as quickly as possible prior to October 14, If a P2PE/EMV solution is not available from your vendor prior to that date, you will need to coordinate with Treasury Operations to order analog payment card readers as an alternative to meet compliance before December 1, 2016.

28 Merchant Response Expressed concern about impact to their operational/business processes. Sought commitment from merchant management for resources to address issue Willing to talk with Vendors and peers as to solutions available to reduce scope.

29 Investigating Solutions PUSHING POS vendors to identify P2PE solutions Working with merchants to pressure their vendors Using the PCI Listserve to coordinate efforts Educating POS vendors

30 Determining Direction Identifying the best option Working with POS vendors to provide documentation Determining if the solution can interface with our acquirer Determining a timeline Working with merchants to determine costs of solution Calming our merchants

31 The Timeline Dilemma Parking Control Oracle and MICROS and OPERA Success of Ticketmaster, Spectra, imodules PREMIS Website conversion Rack & Roll

32 Deployment Timeline Scope Reduction Estimate ACTUAL ACTUAL Projected Projected Completion Actual Completion ACTIVITY START DURATION Club Prophet (Golf) 9 8 Enterprise Facilities Management (Parking) 1 12 PREMIS Servers 1 21 MICROS 9 16 OPERA 13 8 Conqueror Qubicam AMF - Rack & Roll 25 6 Spectra (Paciolan) 1 25 United Healthcare - PUSH 1 1 QS1 - Pharmacy 1 1 Regional Bursars Touchnet Cashiering 1 1 Ticketmaster 1 V Neulion (IPFW) 1 V UDO imodules PREMIS Client 1 21 Busar Kiosks (West Lafayette) 1 M January February March April May June July August September New Cardholder Data Environment Creation V = Vendor has not specified (Card present transaction, EMV) N = Vendor has not specified (Card not present transaction) M = Dependant on management decision

33 The Procurement Process Obtained resources from Contracting team to focus on service agreements and equipment contracts. Required appropriate liability and PCIDSS compliance language in all documents. Requested vendor commitment that all solutions/equipment could be implemented within our timeline.

34 Working with the Solution Providers Chase Payment Solutions - Ingenico/Exadigm Touchnet Information Systems - Redirects Blue Fin - Spectra, Imodules Freedom Pay - Micros Ticketmaster Hardware Solution Club Prophet Shift 4 Parking 3c Payments

35 Implementation University Development Office Athletics Continuing Education and Conferences Hall of Music Retail Shops Parking Purdue Memorial Union Hotel

36 Gotchas! Timeline for upgrade of Oracle products Timeline for solution on OPERA Change of Parking application and hardware Being the FIRST implementation for some solution providers Not all solutions are P2PE validated

37 Benefits Reduced compliancy and reporting requirements Enhanced Security Greatly reduced costs of maintaining compliancy Staff hours Third-party services, scanning and penetration tests

38 Security Benefits Greatly enhanced security environment Remaining attack vectors Skimming devices and overlays (magstripe) Dishonest employee ecommerce re-directs and inline frame compromise ecommerce fraud

39 The Overlay

40 Business as Usual Focus on skimming education and prevention Focus on enhancing security of existing ecommerce Focus on device inspection and inventory Redesign compliancy process to business as usual Ongoing efforts to validate E2EE solutions and convert to P2PE when possible

41 We Started with This:

42 And Ended with This: