10-QUT-PCIDSS

Corporate Finance
Connecting the business of the University to the Real World
HES Finance Systems Network
Case Studies in University Finance
PCI DSS Compliance
Edward Eacock
Manager Financial Systems & Projects
Queensland University of Technology
5 March 2013
a university for the
real world
R
CRICOS No. 00213J
Corporate Finance
Sessional Academic Appointments
Sessional Academic Appointments
Connecting the business of the University to the Real World
What is PCI DSS Compliance?
• The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
• It has been adopted by the major payment card providers.
When is PCI DSS Applicable?
PCI DSS applies wherever account data is stored, processed or transmitted.
Cardholder Data includes:
• Primary Account Number (PAN)*
• Cardholder Name
• Expiration Date
• Service Code
*If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.
Requirements to meet PCI DSS Compliance
• PCI Data Security Standard – key obligations:
• Build and maintain a secure network.
• Protect cardholder data.
• Maintain a Vulnerability Management Plan.
• Implement strong access control measures.
• Monitor and test networks.
• Maintain an Information Security Policy.
QUT Obligations
• QUT has been identified as requiring PCI DSS Merchant compliance Level 3* obligations and must:
• Submit a PCI DSS Self Assessment Questionnaire D and Attestation of Compliance.
• Submit results of security scans undertaken by an Approved Scanning Vendor in accordance with the PCI DSS Security Scanning Procedures.
*Level 3 obligations apply to an organisation that processes 20,000 to 1 million e-commerce transactions annually.
PCI DSS Activities to Date
• Undertaken audits of:
• EFTPOS terminals at QUT
• Payment gateways
• Payment card processors
• Networks potentially carrying payment card traffic
• Servers potentially holding payment card data
• Engaged assistance from Assurance & Risk Management Services (ARMS).
• Engaged assistance from Information Technology Services.
• Engaged assistance from a Qualified Security Assessor (QSA) to review remediation plans and undertake security scans.
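The scoping rule on the cardholder-data slide (PAN present means PCI DSS applies) and the audit of servers potentially holding payment card data both come down to the same check: finding stored PANs. The following is an added example, not part of the presentation or of any QUT tool; it scans constructed sample log lines for 13 to 19 digit sequences, keeps only those that pass the Luhn check digit test so that student or order numbers are not reported, and masks each hit to its last four digits so the report itself does not become cardholder data.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample lines using industry test card numbers, not real cardholder data.
SAMPLE_LOG = """\
2013-03-05 order=2231 card=4111 1111 1111 1111 amount=120.00
2013-03-05 student_id=1234567890123 enrolled=true
2013-03-05 order=2232 card=5500000000000004 amount=35.00
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out identifiers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN candidate found in text, digits only."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits so the finding can be reported safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(text: str) -> list[tuple[int, str]]:
    """(line number, masked PAN) for each hit; an empty list means no PAN stored here."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits.extend((lineno, mask_pan(p)) for p in find_pans(line))
    return hits


if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: PAN found, masked {masked}")
```

A file or server with no hits is outside the scoping rule; any hit brings the system into the CDE until the data is removed.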
PCI DSS Activities to Date
• QUT has made the decision to remove the Cardholder Data Environment (CDE) from the QUT data network. This is due to the complexity of the QUT network and the cost of maintaining a CDE in this environment. This is a significant undertaking but will result in a simplified structure in which to maintain PCI DSS compliance.
• Update EFTPOS terminals to PCI DSS compliant devices and remove them from the data network by installing dial-up lines.
PCI DSS Activities to Date
• Payment gateway activities have included:
• Parking – install a new Pay and Display solution
• GPRS-based EFTPOS terminals
• Payment card processor activities have included:
• Outsource the risk
• Required to provide QUT with compliance notification
• Note: QUT is not deemed PCI DSS compliant until QUT is in receipt of compliance notifications from all payment card processors.
PCI DSS Activities to Date
• Paper-based solutions
• Identified the potential for storage of paper-based payment card information at QUT
• Where appropriate, install stand-alone dial-up EFTPOS terminals
• Network penetration scanning
• Scanning may not be required if QUT can achieve a configuration that does not have a CDE on the QUT network.
• PCI DSS network scans must be undertaken by an Approved Scanning Vendor (ASV).
PCI DSS Discussion
Discussion Points
• The challenge is to meet the needs of the business while providing a PCI DSS compliant solution?
• Defining the Cardholder Data Environment (CDE) is the most critical PCI DSS activity?
• What remediation must universities do once the CDE has been defined to become PCI DSS compliant?
• Experience with inconsistent interpretation of PCI DSS from Qualified Security Assessors (QSA) and technology providers? (At QUT this has been primarily CDE definition.)