E-Commerce and PCI DSS at University of Waterloo Web Advisory Committee June 17, 2009
Agenda • Implementing E-commerce at UW • Current Status and Future Plans • PCI Data Security Standard • Questions
Implementing A UW E-Commerce Site • Prepare an e-commerce business plan. • Obtain approval from the Financial Systems Management Committee. • Organize the project. • Obtain a bank merchant account and a Beanstream account. • Design/build the application, install a packaged application, or configure a hosted application according to the applicable standards (PCI, bank, UW). • Integrate with Beanstream if the application is not hosted. • Test. • Review and sign-off by Finance and Security. • Go live.
Business Plan Content • Describe the products or services to be offered and the rationale for offering them via e-commerce. • Provide estimated annual transaction and dollar volume. • Describe the business process to handle the additional workload from the e-commerce function, including the accounting, maintenance, and reconciliation of general ledger accounts and the credit card operation. • Indicate whether the operation currently accepts credit cards. • Identify the hardware requirements and hardware location. • Identify the source of technical support. • Identify areas or departments that need to be involved in the development and implementation of your e-commerce initiative; examples may include Finance, Information Systems and Technology, or Procurement and Contract Services. • Identify the working group to develop the initiative.
E-Commerce Site Development • Must use Beanstream for credit card processing. • Beanstream provides multiple integration methods. • UW uses Beanstream's hosted payment page to ensure security and privacy and to simplify PCI compliance: the shopper enters the card number on Beanstream's page, so no credit card information is collected by or stored on a UW server. • IST provides an e-commerce server to host Linux applications. • Other servers are acceptable if they meet the security standards.
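The point of the hosted payment page is that the UW application hands the shopper off to the gateway and only ever sees the result, never the card number. The result still has to be verified, because it arrives via the shopper's browser. The following is an added example of that handoff-and-verify pattern, not code from the original slides and not Beanstream's actual integration: the gateway URL, field names, signing scheme and shared secret are all assumptions standing in for whatever the real gateway specifies. It shows the two checks a merchant site must make before marking an order paid: that the return is genuinely from the gateway and unmodified (signature), and that it matches an order the site actually sent and has not been used before (amount, nonce, one-shot lookup).

```python
"""Hosted-payment-page handoff and return verification (generic pattern).

Hypothetical gateway URL, field names, signing scheme and shared secret:
this is NOT Beanstream's real API, only the shape of a hosted-page
integration. The merchant site never sees the card number, but it must
still verify the result the browser brings back.
"""
import hashlib
import hmac
import secrets
import urllib.parse
from decimal import Decimal

GATEWAY_URL = "https://gateway.example/hosted/pay"      # assumed, not a real endpoint
MERCHANT_ID = "uw-merchant-001"                          # assumed
SHARED_SECRET = b"replace-with-gateway-issued-secret"    # assumed; real one comes from the gateway

# order -> what we sent (amount, nonce). A real site keeps this in its database.
PENDING = {}


def sign(params):
    """HMAC-SHA256 over the URL-encoded, key-sorted parameters (hypothetical scheme).

    URL-encoding each pair makes the canonical form unambiguous even when a
    value (e.g. return_url) itself contains '&' or '='.
    """
    canonical = urllib.parse.urlencode(sorted(params.items()))
    return hmac.new(SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_payment_redirect(order_number, amount, return_url):
    """URL the merchant site redirects the shopper to. Carries no card data."""
    params = {
        "merchant_id": MERCHANT_ID,
        "order": order_number,
        "amount": f"{Decimal(amount):.2f}",
        "return_url": return_url,
        "nonce": secrets.token_hex(8),   # one-time value so an old approval cannot be replayed
    }
    params["sig"] = sign(params)
    PENDING[order_number] = {"amount": params["amount"], "nonce": params["nonce"]}
    return GATEWAY_URL + "?" + urllib.parse.urlencode(params)


def verify_return(query_string):
    """Validate what the gateway sent back to return_url.

    Returns True only for a genuine, unmodified approval that matches an order
    we sent and that has not been consumed already.
    """
    params = dict(urllib.parse.parse_qsl(query_string))
    sig = params.pop("sig", None)
    if sig is None or not hmac.compare_digest(sig, sign(params)):
        return False                                   # forged or tampered
    if any(k in params for k in ("card", "pan", "cvv")):
        return False                                   # hosted page must never hand card data back
    try:
        amount_back = Decimal(params.get("amount", ""))
    except ArithmeticError:                            # decimal.InvalidOperation is an ArithmeticError
        return False
    sent = PENDING.pop(params.get("order", ""), None)  # pop: each approval is usable once
    if sent is None:
        return False                                   # unknown order, or a replay
    if sent["nonce"] != params.get("nonce") or Decimal(sent["amount"]) != amount_back:
        return False                                   # amount or nonce changed in transit
    return params.get("status") == "approved"


def simulate_gateway_return(redirect_url, status):
    """Stand-in for the gateway, for testing only: check our request's
    signature, then echo order/amount/nonce with a status, signed."""
    sent = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(redirect_url).query))
    if not hmac.compare_digest(sent.pop("sig"), sign(sent)):
        raise ValueError("merchant request signature invalid")
    back = {"order": sent["order"], "amount": sent["amount"],
            "nonce": sent["nonce"], "status": status}
    back["sig"] = sign(back)
    return urllib.parse.urlencode(back)


if __name__ == "__main__":
    url = build_payment_redirect("UW-1001", "25.00", "https://shop.example/return")
    print(verify_return(simulate_gateway_return(url, "approved")))   # True
```

The classic failure in hosted-page integrations is trusting a `status=approved` parameter that the browser delivered without checking the signature and the amount against the merchant's own record of the order; the `PENDING` lookup with `pop` is what prevents one legitimate approval from being replayed to pay for a second order.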
Using Hosted Applications for UW E-commerce • May use a hosted shopping cart / event management site. Little experience with this at UW. • Must use Beanstream for credit card payment processing in all cases.
UW E-commerce Sites • Retail Services • Housing • Residence deposits • Off campus housing landlord fees • Watcard • Parking • CEMC • Events and conferences come and go
The Future UW E-commerce Sites Coming • Continuing Education • Conference Centre • Food Services
The Future UW approved site hosting services • UW approved, hosted shopping cart system. • UW approved, hosted event/conference system. • Hosting will significantly reduce implementation effort for all UW participants. • Will make small volume e-commerce sites more feasible.
What is PCI? • PCI = Payment Card Industry (Amex, Discover, JCB, MasterCard, Visa) • PCI Data Security Standard (DSS) • PCI DSS v1.2 released October 2008 • 72-page document • Consistent security measures around the processing, storage, and transmission of credit card data • A good baseline of security measures for any application, whether or not it handles card data
Compliance: What does it take? • Depends on how credit card data is handled (the less the merchant touches, the fewer requirements apply) • SAQ = Self-Assessment Questionnaire, completed by the merchant • Assessment from an external QSA (Qualified Security Assessor) • Regular network vulnerability scans of Internet-facing e-commerce sites
PCI DSS @ UW • Our acquirer requires us to be compliant with PCI DSS • All validation types apply somewhere at UW • Security measures for validation type 5 (the full questionnaire, for merchants that handle card data themselves) are expensive • Strategy: eliminate the cases where validation type 5 applies
Compliance Strategy • E-commerce websites must not collect, transmit or store credit card information (the hosted payment page is what makes this possible) • Reduce scope: isolate IP-based POS (point-of-sale) terminals from the rest of the campus network so that only that segment is in scope • Include PCI requirements in the more general security policies and procedures
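"Must not collect, transmit or store credit card information" is a policy statement; the practitioner's question is how to confirm a site is actually obeying it, since a stray legacy form or a debug log can pull a server back into scope. The following is an added example, not from the original slides, of a first-pass check: scan web-server log lines for digit runs of card-number length that pass the Luhn check. The log lines are constructed for the example (the test card number 4111 1111 1111 1111 is a well-known non-issued test value); the log format and paths are assumptions. It also shows what should not trigger: a 16-digit order reference that fails Luhn, a phone number, and a properly masked number of the kind a hosted page legitimately returns.

```python
"""Scan log lines for unmasked card numbers (PANs).

Added example for checking that a site is not collecting card data;
the log lines below are constructed, not real UW logs.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run. Colons, dots and slashes are deliberately
# not accepted as separators so timestamps and IP addresses do not match.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: one unmasked test PAN, one Luhn-invalid 16-digit
# reference, one phone number, one masked PAN. Paths are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jun/2009:10:01:22 -0400] "POST /checkout HTTP/1.1" 302 order=UW-1001&amount=25.00',
    '10.0.0.5 - - [17/Jun/2009:10:01:23 -0400] "GET /legacy/pay?card=4111-1111-1111-1111&exp=1209 HTTP/1.1" 200',
    '10.0.0.7 - - [17/Jun/2009:10:02:00 -0400] "GET /receipt?ref=1234567890123456 HTTP/1.1" 200',
    '10.0.0.9 - - [17/Jun/2009:10:03:10 -0400] "GET /contact?phone=519-888-4567 HTTP/1.1" 200',
    '10.0.0.5 - - [17/Jun/2009:10:04:00 -0400] "GET /return?order=UW-1001&card=411111******1111 HTTP/1.1" 200',
]


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """First six and last four, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return the unmasked digit strings in `text` that look like PANs."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_log(lines):
    """Return (1-based line number, masked PAN) for every hit.

    Only the masked form is returned so that the scanner's own output does
    not become another place where card numbers are stored.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask(pan)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: possible card number {masked}")
```

A Luhn-valid digit run is a heuristic, not proof: some non-card identifiers pass Luhn, so hits need a human look at the offending request. The converse matters more for scope: a hit on a UW-hosted server means card data did reach it, which is exactly the situation the hosted-page strategy is meant to rule out.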
Penalties for non-compliance • Heavy fines from the acquiring bank • The bank could suspend the University's ability to process any credit card payments at all, not just those of the non-compliant site
Links • http://finance.uwaterloo.ca/ecommerce/ecommain.html • https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml • https://strobe.uwaterloo.ca/~twiki/bin/view/ISTITSec/EcommerceSystemSecurityStandards