REQUEST FOR CWU PM SERVICES FOR PCI V3.1 PROJECT

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1. Problem Definition
2. Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)
3. Organizational Impact
4. Benefits
5. Strategic Alignment
6. Cost
7. Alternatives (add lines as necessary)
8. Timing / Schedule (add lines as necessary)
9. Technology Migration/Resource Identification
10. Product Life/Application Sunsetting or Decommissioning
11. References
12. Approvals

EXECUTIVE SUMMARY

Any organization that collects or processes payment card information (credit cards) must comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard is a sweeping set of policy and infrastructure requirements for organizations that take credit card payments. CWU must scope and assess its compliance with the data security standards and take steps to remediate any outstanding requirements.

This business case is requesting that a Project Manager from the CWU Project Management Office manage the PCI DSS 3.1 project.

CWU successfully achieved PCI DSS 2.0 compliance this last year. Compliance with the PCI DSS means that our systems are secure, and customers can trust CWU with their sensitive payment information. This achievement demonstrates that CWU places a high value on security and is following an industry standard that has been developed thoroughly and comprehensively.

Sponsoring Department(s): Finance & Business Auxiliaries & Security Services
Date of Business Case Preparation: 4/30/2015
Contact Person Name/Phone:
Joel Klucking, AVP Finance & Business Auxiliaries 963-1167
Jamie Schademan, IS Security Manager 963-2951

New Product/Service/Standard. If there is a draft or sample contract, please provide a copy.
Renewal of Existing Product/Service – if checked, include background information. If there is a site license agreement, existing contract or new contract draft, please provide a copy.

1. Problem Definition

As stated above, any organization that collects or processes payment card information (credit cards) must comply with the Payment Card Industry Data Security Standard (PCI DSS). CWU is working towards the 3.1 standard and recognizes the complexity of such an effort, and the need for enterprise-level coordination and communications.
This business case is requesting Project Management resources for the benefits of managing scope, schedule and communications for the PCI DSS 3.1 project.

2. Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)

As previously stated, CWU achieved PCI DSS 2.0 compliance this last year. The project to gain compliance with the 2.0 standards involved the efforts of multiple stakeholders and team members from across campus. It also revealed the need for a Project Manager to manage such a large-scale project. CWU will realize the benefits of Project Management involvement through assistance with keeping the project on schedule and in scope, and with managing competing priorities.

Existing services are provided by CampusGuard, an outside vendor, who assists with PCI DSS compliance through an onsite readiness assessment, vulnerability scans, and consultations.

3. Organizational Impact

The PCI DSS 3.1 project requires time and effort from the stakeholders throughout its duration. Having a Project Manager organize meetings, manage the scope and schedule, and facilitate communications will help to lower the impact the project will have on stakeholders' schedules.

Stakeholders

- IS Information Security Services
- IS Networks & Operations
- IS Client & Auxiliary Technology Services
- IS Enterprise Applications
- Business and Financial Affairs
- Merchants:
  o Breeze Thru Café
  o Catering
  o Conference Center
  o Connection Card
  o Controller’s Office
  o Copy Cat Shop
  o CWU Center Lynnwood
  o CWU Des Moines
  o Dining Services CWU
  o Foundation/Alumni
  o Outdoor Pursuits
  o Parking
  o Recreation Service Center
  o Surplus Sales
  o Wildcat Shop
  o Wildcat Shop Online
  o Wildcat Tickets

Potential Partners/Primary Users

CWU has a contract with CampusGuard to provide a PCI audit, readiness review, vulnerability scanning and a customer compliance portal. They will be working with the project team throughout the project.
RFP Requirements Contributors (add lines as necessary) – This section may or may not be required

Department | Name
Not required |

4. Benefits

The PCI DSS 3.1 project would benefit from the services and involvement of a dedicated Project Manager (PM), who would work to keep the project on schedule and in scope and assist in managing competing priorities. The management services of a PM will also lessen the overall impact on stakeholders' schedules as well as ensure the project’s success.

5. Strategic Alignment

5 Resource Development and Stewardship.
5.1 Maximize the financial resources to the university, and assure the efficient and effective operations of the university through financial stewardship.
5.4 Provide the facility and technology infrastructure and services appropriate to meet the university objectives, while maximizing sustainability and stewardship.
5.4.2 Provide facility and technology infrastructures that are accessible, safe, and secure for all visitors, students, faculty and staff.

6. Cost

The time and commitment from CWU staff is the only budgeted cost to this project.

7. Alternatives (add lines as necessary)

Alternative | Reasons For Not Selecting Alternative
Do nothing | Not an option if we accept credit card payments at CWU
No project management | Risk of scope creep; increased risk of schedule overrun

8. Timing / Schedule (add lines as necessary)

Task | Target Date
CampusGuard | 7/8/2015
Merchant Reports Completed | 9/2015
Completion of CampusGuard Recommendations | 10/2015
Completion of Internal Sign Off on PCI 3.1 Standard | 11/2015
Closing Project Documentation | 12/2015

9. Technology Migration/Resource Identification

None required

Resource | Jan Feb Mar Apr May June July Aug Sept Oct Nov Dec
Project Manager | 60 60 60 60 60 60 60 60
Security Services (2 staff) | 120 120 120 120 120 120 120 120
IS N&O (5 staff) | 40 40 40 40 40 40 40 40
IS Aux (3 staff) | 40 40 40 40 40 40 40 40
Merchants (15, time per merchant) | 7 7 7 7 7 7 7 7
BFA (Sponsor) | 4 4 4 4 4 4 5 5
Total Hours |

10. Product Life/Application Sunsetting or Decommissioning

None

11. References

None provided

12. Approvals

The following actions have been taken by the appropriate Sub-Council (ATAC or Non-Academic Sub-Council) and Enterprise Information System Committee (EISC):

Date | Action | By
5/4/2015 | Business Case Approved | EISC

Upon secured funding and approval by the Enterprise Information System Committee (EISC), Enterprise Facilities Committee, or one of the two Sub-Councils (Academic or Non-Academic), CWU procurement policies and procedures should be used to initiate a purchase. Please contact the Purchasing office at x1001 with any questions regarding the procurement process.

If you have any questions, please contact Ginger McIntosh 963-1466, Sue Noce 963-2927 or Tina Short 963-2910.